Axios Compromised: A Nation-State Supply Chain Attack Hits the Heart of the JavaScript Ecosystem

The axios npm package, with over 100 million weekly downloads, was hijacked by a North Korean threat actor for three hours on March 31, 2026. Every install during that window delivered a fully functional remote access trojan.

Patrick Münch

If you've been following our coverage of the Shai-Hulud worm and the Glassworm campaign, you already know that npm supply chain attacks have been escalating in both frequency and sophistication. But what happened on March 31, 2026, was different. This wasn't a typosquat. This wasn't an obscure dependency that nobody's heard of. This was axios, the HTTP client that sits in approximately 80% of cloud and code environments, pulling over 100 million downloads per week.

And for roughly three hours, every npm install that touched it delivered a North Korean remote access trojan.

What Happened

In the early hours of March 31, an attacker compromised the npm credentials of jasonsaayman, the lead maintainer of the axios package, and used that access to publish two backdoored releases:

  • axios@1.14.1 (tagged latest), published at 00:21 UTC
  • axios@0.30.4 (tagged legacy), published at 01:00 UTC

Both versions introduced a single new runtime dependency: plain-crypto-js@4.2.1. That's where the real payload lived.

The attacker had prepared the ground 18 hours earlier by publishing a clean version (plain-crypto-js@4.2.0) to establish the package's presence on npm without raising any flags. Then, just before the axios releases, they pushed 4.2.1, the version carrying the payload, at 23:59 UTC on March 30.

By the time the community detected and npm pulled the malicious versions around 03:15 UTC, the damage window had been open for nearly three hours.

The Attack Chain

The elegance of this attack lies in its simplicity. There was no need to modify a single line of axios source code. The attacker simply added plain-crypto-js to package.json as a dependency. When npm resolves the dependency tree during installation, it automatically pulls the malicious package and executes its postinstall hook: node setup.js.

Here's what setup.js does:

  1. Platform detection — the script identifies the target OS (macOS, Windows, or Linux).
  2. C2 beacon — it sends an HTTP POST to http://sfrclak.com:8000/6202033 with a platform-specific body.
  3. Payload delivery — the C2 server responds with a platform-specific second-stage binary.
  4. Self-destruction — after execution, the malware deletes setup.js and replaces the plain-crypto-js package.json with a clean version to evade forensic detection.

That last step is particularly nasty. If you go back and inspect your node_modules after the fact, the malicious traces have already been scrubbed. The attack was designed to be a ghost.

WAVESHAPER.V2: The RAT

Google's Threat Intelligence Group (GTIG) identified the second-stage payload as WAVESHAPER.V2, an updated version of a C++ backdoor previously attributed to UNC1069, a financially motivated North Korean threat actor active since at least 2018.

WAVESHAPER.V2 is a fully functional RAT with the following capabilities:

  • Reconnaissance — extracts system telemetry (hostname, OS version, network configuration, running processes)
  • Command execution — supports shell commands and in-memory PE injection
  • File system enumeration — maps local and network-accessible file systems
  • Persistent beaconing — contacts the C2 server every 60 seconds, transmitting system inventory and awaiting commands

One telling detection artifact: all three platform variants hardcode an IE8/Windows XP user-agent string for C2 communication. It's a reliable protocol fingerprint for server-side routing, but it sticks out like a sore thumb on any modern network, and it gives defenders a straightforward detection indicator.
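As an added illustration (not code from the original post), here is a small Node.js scanner that applies the indicators described above to proxy-log lines: the C2 domain, the C2 IP and port, and the legacy IE8/Windows XP user-agent (IE8 on XP identifies itself as "MSIE 8.0" with "Windows NT 5.1"). The log format and the exact user-agent text are constructed for the example; only the domain, IP and port come from the post's indicator list.

```javascript
// Added example: match proxy-log lines against the C2 indicators from the post.
// Domain, IP and port are from the post; the log layout and the sample lines
// (including the user-agent text) are constructed for this example.
const C2_DOMAIN = "sfrclak.com";
const C2_IP = "142.11.206.73";
const C2_PORT = "8000";
// IE8 on Windows XP reports "MSIE 8.0" together with "Windows NT 5.1".
const LEGACY_UA = /MSIE 8\.0;.*Windows NT 5\.1/;

// Constructed sample lines: timestamp, client IP, method, URL, quoted user-agent.
const SAMPLE_LOG = [
  '2026-03-31T00:42:10Z 10.0.4.17 POST http://sfrclak.com:8000/6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
  '2026-03-31T00:43:10Z 10.0.4.17 POST http://142.11.206.73:8000/6202033 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
  '2026-03-31T00:44:02Z 10.0.4.22 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v22.2.0 linux x64"',
  '2026-03-31T00:45:15Z 10.0.4.31 GET https://example.internal/health "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"',
  '2026-03-31T00:46:30Z 10.0.4.40 POST https://api.example.internal/upload "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
];

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/;

// Return the reasons a single line is suspicious; an empty array means clean.
function classifyLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return ["unparseable line"];
  const url = m[4];
  const ua = m[5];
  const reasons = [];
  let host = "";
  let port = "";
  try {
    const u = new URL(url);
    host = u.hostname;
    port = u.port;
  } catch {
    reasons.push("invalid URL");
  }
  if (host === C2_DOMAIN) reasons.push("known C2 domain");
  if (host === C2_IP && port === C2_PORT) reasons.push("known C2 IP:port");
  if (LEGACY_UA.test(ua)) reasons.push("IE8/Windows XP user-agent");
  return reasons;
}

// Scan every line and keep only the hits, each with its list of reasons.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, reasons: classifyLine(line) }))
    .filter((r) => r.reasons.length > 0);
}

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit.reasons.join(", "), "<-", hit.line);
```

The user-agent rule alone is noisy on networks that still host genuinely old clients, so treat it as a correlation signal and let the domain/IP matches carry the high-confidence alerts.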

Why This One Matters More

We've written extensively about npm supply chain threats, but the axios compromise represents a qualitative escalation for three reasons.

Scale of exposure. Axios isn't a niche library. It's foundational infrastructure. Wiz reported observing execution of the malicious payload in 3% of monitored environments, and that's just the environments with telemetry. The true blast radius for a package with 100 million weekly downloads is difficult to overstate.

Nation-state attribution. This wasn't a financially motivated smash-and-grab by a lone actor. GTIG's attribution to UNC1069, a North Korean unit with deep experience in supply chain operations and cryptocurrency theft, signals that nation-state actors are now directly targeting the npm ecosystem's most critical packages.

Account takeover, not typosquatting. The attacker didn't create a lookalike package. They compromised the real maintainer's credentials and published through the official package. This bypasses every defense that relies on package name verification. If your dependency range was axios@^1.14.0 and nothing pinned the resolved version, you automatically got the compromised version.

Indicators of Compromise

| Indicator | Type | Description |
| --- | --- | --- |
| axios@1.14.1 | npm package | Compromised latest release |
| axios@0.30.4 | npm package | Compromised legacy release |
| plain-crypto-js@4.2.1 | npm package | Malicious dependency with postinstall dropper |
| sfrclak.com | Domain | C2 server |
| 142.11.206.73 | IP | C2 server IP |
| sfrclak.com:8000/6202033 | URL | C2 endpoint |
| e10b1fa84f1d...c2e0e09 | SHA256 | setup.js (SILKBELL dropper) |
| fcb81618bb15...980375cf | SHA256 | ld.py (Linux second stage) |
| IE8/WinXP User-Agent | Network | Hardcoded in all platform RAT variants |

Immediate Remediation

If your environment installed axios between 00:21 and 03:15 UTC on March 31, 2026, treat it as compromised:

  1. Check your installed version. Run npm ls axios across all projects and CI/CD environments. If you see 1.14.1 or 0.30.4, you were affected.
  2. Downgrade immediately and pin to a known-safe version: axios@1.14.0 or axios@0.30.3.
  3. Rotate all secrets and credentials. The RAT had full system access. Assume that any secrets present on the affected machines, including API keys, tokens, SSH keys, and environment variables, have been exfiltrated. Rotate them.
  4. Search for IOCs. Check DNS logs for sfrclak.com, network logs for connections to 142.11.206.73:8000, and process logs for unexpected setup.js execution.
  5. Audit CI/CD pipelines. Automated builds that ran during the exposure window may have been compromised. Review build logs and artifact integrity.
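The attack chain above worked because a transitive dependency carried a postinstall hook, and step 1 of the remediation asks you to find the affected versions across many projects. As an added example (not Mondoo's or the axios project's code), the Node.js script below audits a package-lock.json offline instead of running npm ls per project: it flags the compromised versions named in this post at any depth in the tree, and separately flags every entry whose lockfile record carries "hasInstallScript": true (the flag npm writes for packages with install-time scripts in lockfileVersion 2 and 3). The lockfile content is constructed for the example.

```javascript
// Added example: offline audit of an npm lockfile (lockfileVersion 2 or 3).
// Versions below are the ones named in the post; the sample lockfile is constructed.
const KNOWN_BAD = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Constructed lockfile: a project that resolved axios@^1.14.0 to the bad release,
// which in turn pulled in the malicious dependency with its install script.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      dependencies: { "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Lockfile keys are paths; the package name is whatever follows the last
// "node_modules/", e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(p) {
  const parts = p.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns findings as {path, name, version, reason}; an empty array means clean.
function auditLock(lock) {
  if (!lock.packages) throw new Error("lockfileVersion 1 has no packages map; regenerate with npm >= 7");
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    const version = entry.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ path, name, version, reason: "known compromised release" });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, name, version, reason: "runs install scripts" });
    }
  }
  return findings;
}

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.path}@${f.version}: ${f.reason}`);
```

Pair this with a CI check that fails the build on any new "runs install scripts" finding, so the next postinstall dropper has to pass review before it ever executes.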

How Mondoo Helps

Mondoo has tracked this compromise as MAL-2026-2307 in the Mondoo Vulnerability Database (MVD). If you're a Mondoo customer, your environments are already being scanned for the affected versions of axios and plain-crypto-js.

Mondoo's continuous asset scanning detects the compromised packages across your infrastructure, from developer workstations to Kubernetes clusters to CI/CD pipelines, giving you a single view of exposure. Rather than manually running npm ls across hundreds of repositories and environments, Mondoo surfaces affected assets automatically and prioritizes remediation based on actual exposure.

For organizations looking to harden their posture against future supply chain attacks, Mondoo also provides policies for verifying npm package integrity, enforcing lockfile pinning, and auditing dependency trees for known-malicious packages.

The Bigger Picture

March 2026 has been a brutal month for software supply chain security. Between the Glassworm campaign, the Trivy scanner compromise, and now the axios hijack, we're seeing a clear pattern: attackers are moving up the value chain, targeting the tools and libraries that developers implicitly trust.

The npm ecosystem's implicit trust model, where a single maintainer credential can push code to millions of downstream consumers, remains its greatest vulnerability. Until the ecosystem adopts stronger controls around publishing (mandatory MFA, signing, provenance attestation, and publish-time review), these attacks will keep happening. And they'll keep getting bigger.

About the Author

Patrick Münch

Co-Founder & CSO

Chief Security Officer (CSO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, whose goal was to raise the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
