Axios npm Package Compromise (UNC1069)

On March 31, 2026, the popular JavaScript HTTP client Axios was compromised when attackers hijacked a lead maintainer's npm account, publishing malicious versions containing a phantom dependency to drop a cross-platform Remote Access Trojan (RAT).

Date:
Severity: critical
Sources: 9
Tags: npm, supply-chain, compromise, RAT, waveshaper, unc1069

Executive Summary

On March 31, 2026, the widely used JavaScript HTTP library Axios was the target of a major software supply chain attack [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)]. Attackers compromised the npm publishing account of a lead Axios maintainer (jasonsaayman) and published two backdoored versions: axios@1.14.1 (tagged as latest) and axios@0.30.4 (tagged as legacy) [Google Threat Intelligence Group (GTIG)].

The malicious versions injected a “phantom” dependency named plain-crypto-js@4.2.1 [Wiz Threat Research]. That package ran a postinstall script (setup.js, the SILKBELL dropper) at install time [Elastic Security Labs]. The script fingerprinted the host operating system (Windows, macOS, or Linux) and downloaded and deployed a cross-platform Remote Access Trojan (RAT) identified as WAVESHAPER.V2 [Google Threat Intelligence Group (GTIG)].

Threat researchers from Google and Microsoft attributed the attack to the North Korean state-sponsored threat group tracked as UNC1069 [Microsoft Threat Intelligence]. The exposure window lasted approximately three hours before the npm security team removed the compromised artifacts from the registry [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)]. The primary defensive action is to verify that developer systems and CI/CD environments did not install these specific versions during the three-hour window on March 31, 2026, and to rotate all credentials immediately if exposure is suspected [CISA Security Advisory].

Key Facts

threat_type: maintainer account compromise, malicious package, credential theft, token exfiltration
ecosystem: npm
registry: npm
affected_packages:
  - "axios"
  - "plain-crypto-js"
malicious_versions:
  - "axios@1.14.1"
  - "axios@0.30.4"
  - "plain-crypto-js@4.2.1"
fixed_versions:
  - "axios@1.14.0"
  - "axios@0.30.3"
safe_versions:
  - "axios@1.14.0"
  - "axios@0.30.3"
exposure_window: ~3 hours (2026-03-31T00:21:00Z to 2026-03-31T03:30:00Z)
execution_trigger: install-time postinstall lifecycle hook
primary_impact: Credential theft (GitHub PATs, cloud keys, SSH keys), Remote Access Trojan (RAT) execution, remote command execution
known_iocs:
  - "sfrclak[.]com"
  - "142.11.206[.]73"
  - "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
  - "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a"
  - "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101"
  - "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
  - "com.apple.act.mond"
  - "wt.exe"
  - "ld.py"
confidence: high
canonical_source: https://github.com/advisories/GHSA-fw8c-xr5c-95f9

Source Confidence & Evidence Mapping

  • confirmed: Compromise of Axios lead maintainer jasonsaayman’s npm account, publication of malicious versions axios@1.14.1 and axios@0.30.4, injection of the phantom dependency plain-crypto-js@4.2.1, the use of postinstall to trigger setup.js (SILKBELL), and the removal of the packages after a three-hour window are fully backed by direct registry telemetry and vendor security advisories [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9); CISA Security Advisory; Google Threat Intelligence Group (GTIG)].
  • likely: Highly targeted social engineering of jasonsaayman via a fake branded Slack workspace to drop an info-stealer that harvested npm publishing credentials [Huntress Labs]; bypass of GitHub Actions OIDC Trusted Publishing via long-lived classic npm access tokens configured on the maintainer’s registry account [Wiz Threat Research].
  • unclear: The exact initial malware used to compromise jasonsaayman’s local environment during the fake Slack workspace interaction is not fully documented [Huntress Labs].
  • not_observed: No direct modification of the primary Axios source repository on GitHub occurred; the compromise was executed purely at the registry publishing level [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)].

Timeline

  • 2026-03-31T00:21:00Z The compromised account of Axios lead maintainer jasonsaayman publishes backdoored versions axios@1.14.1 (tagged as latest) and axios@0.30.4 (tagged as legacy) to the npm registry. Source: GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)
  • 2026-03-31T00:30:00Z Automated security scanners at Huntress and Elastic flag suspicious behavioral anomalies in the newly published Axios versions, noting the execution of child processes during installation. Source: Huntress Labs; Elastic Security Labs
  • 2026-03-31T01:30:00Z Security researchers confirm the presence of the plain-crypto-js@4.2.1 phantom dependency, its execution of setup.js (SILKBELL), and its outbound C2 beaconing to sfrclak[.]com. Source: Wiz Threat Research; Trend Micro
  • 2026-03-31T03:30:00Z The npm security team removes both malicious Axios versions and the plain-crypto-js package from the registry, closing the exposure window. Source: GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)
  • 2026-03-31T09:00:00Z CISA, Google, and Microsoft issue coordinated advisories detailing the attack mechanism, attributing it to North Korean state-sponsored threat group UNC1069, and providing remediation guides. Source: CISA Security Advisory; Google Threat Intelligence Group (GTIG); Microsoft Threat Intelligence

What Happened

On March 31, 2026, the popular Axios HTTP client library was compromised in a supply chain attack orchestrated by North Korean state-sponsored actors tracked as UNC1069 [Google Threat Intelligence Group (GTIG)]. The threat actors used highly targeted social engineering to compromise the account of the Axios maintainer jasonsaayman [Huntress Labs]. By impersonating a company founder and inviting the maintainer to a fake, branded Slack workspace, the attackers tricked him into installing malware that gave them persistent access to his environment, including npm publishing credentials [Huntress Labs; Elastic Security Labs].

Using these stolen credentials, the attackers manually published two backdoored versions of Axios: 1.14.1 and 0.30.4 [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)]. The publication bypassed GitHub Actions OIDC “Trusted Publishing”: long-lived classic npm access tokens were still configured on the maintainer’s account, and in the configuration used at the time those tokens took precedence over the more secure OIDC workflow [Wiz Threat Research].

The backdoor itself was implemented as a “phantom dependency” named plain-crypto-js@4.2.1 [Wiz Threat Research]. By placing the malicious logic in a separate dependency rather than modifying the Axios codebase, the attackers minimized the chance that a casual reviewer would notice changes in the Axios GitHub repository; the compromise was executed purely at the registry level via direct package publishing [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9); Elastic Security Labs].

Technical Analysis

Initial Access

The threat actors compromised the local development environment of Axios maintainer jasonsaayman via highly targeted social engineering [Huntress Labs]. The attackers impersonated a prominent company founder and invited jasonsaayman to join a fake, branded Slack workspace [Huntress Labs]. During the interaction, the maintainer was tricked into running malware disguised as a workspace application, which compromised his host machine and exfiltrated the long-lived classic npm publishing tokens stored locally [Huntress Labs; Wiz Threat Research].

Package or Artifact Manipulation

Once in possession of the maintainer’s classic npm token, the attackers bypassed GitHub Actions OIDC “Trusted Publishing” entirely [Wiz Threat Research]. They manually published two compromised versions of Axios, axios@1.14.1 and axios@0.30.4, directly to the npm registry [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)]. The primary code files of Axios itself were not altered. Instead, the attackers added a “phantom” dependency to the package.json file [Wiz Threat Research]:

"dependencies": {
  "plain-crypto-js": "^4.2.1"
}

This package (plain-crypto-js) was an attacker-controlled package published specifically to deliver the payload, its name mimicking the legitimate crypto-js library [Elastic Security Labs].

Execution Trigger

The plain-crypto-js package manifest included a postinstall script [Elastic Security Labs]. When a developer or CI/CD runner executed npm install (and lifecycle scripts were not disabled), this hook immediately executed an obfuscated JavaScript dropper (setup.js / SILKBELL) [Elastic Security Labs; Google Threat Intelligence Group (GTIG)].

Payload Behavior

The setup.js (SILKBELL) dropper fingerprinted the host operating system (Windows, macOS, or Linux) and contacted a command-and-control (C2) server at sfrclak[.]com:8000 to download a platform-specific Remote Access Trojan (RAT) named WAVESHAPER.V2 [Google Threat Intelligence Group (GTIG); Elastic Security Labs].

The RAT was engineered to harvest high-value credentials, establish persistent access, and execute remote commands [Microsoft Threat Intelligence]. Once running, WAVESHAPER.V2 targeted the credential types listed under credentials_at_risk below: npm tokens, GitHub tokens, cloud credentials, SSH keys, and environment variables.

Exfiltration / C2

domains:
  - "sfrclak[.]com"
ips:
  - "142.11.206[.]73"
urls:
  - "https://sfrclak[.]com/api/v1/beacon"
  - "https://sfrclak[.]com/payloads/"
  - "http://sfrclak[.]com:8000"
protocols:
  - "HTTP/HTTPS"
  - "TCP/8000"
endpoints:
  - "/api/v1/beacon"
  - "/payloads/"
confidence: high

Propagation

The attack did not spread laterally downstream via automated self-propagation (it was not a worm) [Google Threat Intelligence Group (GTIG)]. However, because Axios is so widely integrated into modern web applications, the backdoor propagated passively to thousands of developer systems and CI/CD pipelines that pulled the latest npm packages during the 3-hour window on March 31, 2026 [Wiz Threat Research; Huntress Labs].

Obfuscation or Evasion

To evade detection and complicate forensic analysis, the malware used several evasion techniques [Elastic Security Labs]:

  • Self-Deletion: Once the RAT was running as a background child process, the setup.js script deleted the malicious installer files from node_modules/plain-crypto-js and replaced them with clean dummy files [Elastic Security Labs; Trend Micro].
  • Process Masquerading (macOS): The macOS RAT payload was dropped into /Library/Caches/com.apple.act.mond, masquerading as an Apple reverse-DNS-named Activity Monitor daemon (com.apple.act.mond) to evade host-based security tools [Palo Alto Networks].
  • Binary Masquerading (Windows): On Windows, the malware copied the legitimate PowerShell binary to %PROGRAMDATA%\wt.exe (mimicking the “Windows Terminal” executable name) to bypass script-execution policies and launch the secondary PowerShell-based RAT payload [Palo Alto Networks].
  • Temp Smuggling (Linux): On Linux, the payload was dropped into the volatile /tmp directory as a simple Python-based script (/tmp/ld.py) [Palo Alto Networks].
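An added detection example, written for this page and not taken from the advisory or from any vendor cited here: it turns the install-time trigger (an interpreter spawned beneath npm, yarn or pnpm) and the three masquerade paths above into rules over constructed process and network events. The event shape, the ancestor-command-line field and the sample npm-cli.js paths are assumptions.

```javascript
// Indicators from this advisory; the defanged domain and IP are written plainly so they can match telemetry.
const PACKAGE_MANAGERS = new Set(["npm", "npm-cli.js", "yarn", "yarn.js", "pnpm", "pnpm.cjs"]);
// sh and cmd.exe are deliberately absent: npm runs every lifecycle script through them, so they carry no signal.
const INTERPRETERS = new Set(["powershell.exe", "pwsh", "pwsh.exe", "python", "python3", "python.exe"]);
const MASQUERADE_PATHS = [
  /\/Library\/Caches\/com\.apple\.act\.mond$/i, // macOS RAT posing as an Apple daemon
  /^[a-z]:\\ProgramData\\wt\.exe$/i,            // copied PowerShell posing as Windows Terminal
  /^\/tmp\/ld\.py$/,                             // Linux Python payload
];
const C2_HOSTS = new Set(["sfrclak.com", "142.11.206.73"]);

const basename = p => p.split(/[\\\/]/).pop().toLowerCase();

// True when any ancestor command line invokes npm, yarn or pnpm (whitespace tokenisation is a simplification).
function underPackageManager(ancestors) {
  return ancestors.some(cmd => cmd.split(/\s+/).some(tok => PACKAGE_MANAGERS.has(basename(tok))));
}

// Evaluates one event and returns its alert reasons (empty for benign events). The event shape is an
// assumption for this example: { type: "process"|"network", image, cmdline, ancestors: [command lines,
// nearest parent first], dest, port }.
function evaluateEvent(ev) {
  const alerts = new Set();
  const installCtx = underPackageManager(ev.ancestors || []);
  if (ev.type === "process") {
    if (installCtx && INTERPRETERS.has(basename(ev.image)))
      alerts.add(`interpreter ${basename(ev.image)} spawned beneath a package manager`);
    for (const tok of [ev.image, ...(ev.cmdline || "").split(/\s+/)])
      if (MASQUERADE_PATHS.some(re => re.test(tok))) alerts.add(`known masquerade path: ${tok}`);
  } else if (ev.type === "network") {
    if (C2_HOSTS.has(ev.dest)) alerts.add(`connection to advisory C2 ${ev.dest}:${ev.port}`);
    else if (installCtx && ev.port === 8000) alerts.add(`install-time connection to ${ev.dest}:8000`);
  }
  return [...alerts];
}

// Returns only the flagged events, each with its reasons.
function triage(events) {
  return events.map((ev, i) => ({ index: i, alerts: evaluateEvent(ev) })).filter(r => r.alerts.length > 0);
}

// Constructed sample telemetry (not real captures) mirroring the behaviours described above.
const NPM_INSTALL = "node /usr/lib/node_modules/npm/bin/npm-cli.js install";
const SAMPLE_EVENTS = [
  { type: "process", image: "/usr/bin/python3", cmdline: "python3 /tmp/ld.py",
    ancestors: ["node setup.js", "sh -c node setup.js", NPM_INSTALL] },
  { type: "process", image: "C:\\ProgramData\\wt.exe", cmdline: "C:\\ProgramData\\wt.exe",
    ancestors: ["node setup.js", "cmd.exe /d /s /c node setup.js", "node C:\\npm\\node_modules\\npm\\bin\\npm-cli.js install"] },
  { type: "process", image: "/Library/Caches/com.apple.act.mond", cmdline: "com.apple.act.mond",
    ancestors: ["node setup.js", "sh -c node setup.js", NPM_INSTALL] },
  { type: "network", dest: "sfrclak.com", port: 8000, ancestors: ["node setup.js", NPM_INSTALL] },
  { type: "process", image: "/bin/sh", cmdline: "sh -c node-gyp rebuild", ancestors: [NPM_INSTALL] }, // normal build step
  { type: "network", dest: "registry.npmjs.org", port: 443, ancestors: [NPM_INSTALL] },               // normal fetch
  { type: "process", image: "/usr/bin/python3", cmdline: "python3 tests.py", ancestors: ["zsh", "Terminal"] }, // developer use
];

for (const r of triage(SAMPLE_EVENTS)) console.log(`event ${r.index}: ${r.alerts.join("; ")}`);
```

The masquerade-path rule is what catches the wt.exe copy: by name it is not an interpreter, so the interpreter rule alone would miss it.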

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "npm"
  packages:
    - "axios"
    - "plain-crypto-js"
  versions:
    - "axios@1.14.1"
    - "axios@0.30.4"
    - "plain-crypto-js@4.2.1"
  repositories: []
  container_images: []
  CI_CD_systems:
    - "GitHub Actions"
    - "GitLab CI"
    - "CircleCI"
    - "Jenkins"
  developer_tools:
    - "npm cli"
    - "yarn cli"
    - "pnpm cli"
  environments:
    - developer workstations
    - CI runners
    - build pipelines
    - containers
    - production systems

credentials_at_risk:
  - npm tokens
  - GitHub tokens
  - cloud credentials
  - SSH keys
  - environment variables

not_currently_known_to_affect:
  - Axios source repository on GitHub (the code repository itself was not compromised or modified) [GitHub Security Advisory (GHSA-fw8c-xr5c-95f9)](https://github.com/advisories/GHSA-fw8c-xr5c-95f9).

Indicators of Compromise

domains:
  - value: "sfrclak[.]com"
    source: "https://google.com"
    confidence: "high"
ips:
  - value: "142.11.206[.]73"
    source: "https://google.com"
    confidence: "high"
urls:
  - value: "https://sfrclak[.]com/api/v1/beacon"
    source: "https://google.com"
    confidence: "high"
  - value: "https://sfrclak[.]com/payloads/"
    source: "https://google.com"
    confidence: "high"
  - value: "http://sfrclak[.]com:8000"
    source: "https://google.com"
    confidence: "high"
hashes:
  - value: "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09"
    source: "https://elastic.co"
    confidence: "high"
  - value: "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a"
    source: "https://elastic.co"
    confidence: "high"
  - value: "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101"
    source: "https://elastic.co"
    confidence: "high"
  - value: "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
    source: "https://elastic.co"
    confidence: "high"
files:
  - value: "/Library/Caches/com.apple.act.mond"
    source: "https://paloaltonetworks.com"
    confidence: "high"
  - value: "%PROGRAMDATA%\\wt.exe"
    source: "https://paloaltonetworks.com"
    confidence: "high"
  - value: "/tmp/ld.py"
    source: "https://paloaltonetworks.com"
    confidence: "high"
package_versions:
  - value: "axios@1.14.1"
    source: "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    confidence: "high"
  - value: "axios@0.30.4"
    source: "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    confidence: "high"
  - value: "plain-crypto-js@4.2.1"
    source: "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    confidence: "high"

Detection and Hunting

hunt_queries:
  dependency_lockfiles:
    - "axios@1.14.1"
    - "axios@0.30.4"
    - "plain-crypto-js@4.2.1"
  files:
    - "/Library/Caches/com.apple.act.mond"
    - "%PROGRAMDATA%\\wt.exe"
    - "/tmp/ld.py"
  network:
    - "sfrclak[.]com"
    - "142.11.206[.]73"
  ci_cd_checks:
    - "Review CI runner execution logs for outgoing network requests to port 8000 or to sfrclak[.]com during the March 31, 2026 window."
    - "Check for suspicious child-process execution (e.g., node spawning powershell, bash, or python during npm install phases)."
  endpoint_checks:
    - "Check for unauthorized services or persistent processes matching com.apple.act.mond on macOS endpoints."
    - "Audit %PROGRAMDATA% on Windows machines for the presence of wt.exe (verify binary signature matches Microsoft Windows Terminal rather than a masqueraded powershell executable)."
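An added hunting example, not part of the advisory or of the Axios project: it scans package-lock.json, yarn.lock and pnpm-lock.yaml contents for the versions listed under dependency_lockfiles and for any occurrence of the phantom package. The sample lockfiles are constructed; to scan real files, read them with fs and pass the text to the scanners.

```javascript
// Package versions this advisory names as malicious (from the Key Facts above); plain-crypto-js
// never belonged in a legitimate axios tree, so any version of it is a finding.
const MALICIOUS_VERSIONS = { "axios": new Set(["1.14.1", "0.30.4"]), "plain-crypto-js": new Set(["4.2.1"]) };
const PHANTOM_PACKAGES = new Set(["plain-crypto-js"]);

function classify(name, version) {
  if (PHANTOM_PACKAGES.has(name)) return "phantom dependency";
  if (MALICIOUS_VERSIONS[name] && MALICIOUS_VERSIONS[name].has(version)) return "malicious version";
  return null;
}
// Keeps one finding per name@version; `where` records where in the lockfile it was seen.
function record(findings, name, version, where) {
  const reason = classify(name, version);
  if (reason) findings.set(`${name}@${version}`, { name, version, where, reason });
}

// package-lock.json: the lockfileVersion 2/3 "packages" map and the v1 nested "dependencies" tree.
function scanPackageLock(jsonText) {
  const lock = JSON.parse(jsonText);
  const findings = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    record(findings, path.slice(path.lastIndexOf("node_modules/") + 13), meta.version, path);
  }
  const walk = (deps, prefix) => Object.entries(deps || {}).forEach(([name, meta]) => {
    record(findings, name, meta.version, prefix + name);
    walk(meta.dependencies, prefix + name + " > ");
  });
  walk(lock.dependencies, "");
  return [...findings.values()];
}

// yarn.lock (an `axios@^1.14.0:` header followed by `version "1.14.1"`, or berry's `version: 1.14.1`)
// and pnpm-lock.yaml (`/axios@1.14.1:` or `axios@1.14.1:` package keys).
function scanTextLock(text) {
  const findings = new Map();
  let current = null; // package name from the most recent yarn header line
  for (const line of text.split("\n")) {
    let m = line.match(/^\s*\/?((?:@[\w.-]+\/)?[\w.-]+)@(\d+\.\d+\.\d+)[^:]*:\s*$/);
    if (m) { record(findings, m[1], m[2], line.trim()); current = null; continue; }
    m = line.match(/^"?((?:@[\w.-]+\/)?[\w.-]+)@[^,:]*[,:]/);
    if (m) { current = m[1]; continue; }
    m = line.match(/^\s+version:?\s+"?(\d+\.\d+\.\d+)"?/);
    if (m && current) record(findings, current, m[1], `${current} (yarn)`);
  }
  return [...findings.values()];
}

// Constructed sample lockfiles (not real project files) that exercise both scanners.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
  "node_modules/follow-redirects": { version: "1.15.6" },
} });
const SAMPLE_YARN_LOCK = 'axios@^1.14.0:\n  version "1.14.0"\n  resolved "https://registry.npmjs.org/axios/-/axios-1.14.0.tgz"\n';
const SAMPLE_PNPM_LOCK = "packages:\n  /axios@0.30.4:\n    resolution: {integrity: sha512-CONSTRUCTED}\n";
for (const f of [...scanPackageLock(SAMPLE_PACKAGE_LOCK), ...scanTextLock(SAMPLE_YARN_LOCK), ...scanTextLock(SAMPLE_PNPM_LOCK)])
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.where})`);
```

Any finding for plain-crypto-js is a hit regardless of version, since the package only ever existed to carry the payload.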

Remediation Workflow

  • Immediate:
    1. Downgrade Axios to known-safe versions (axios@1.14.0 or axios@0.30.3) in package.json.
    2. Purge local and CI/CD package manager caches, delete node_modules and the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml), and run a clean installation using:
      npm install --ignore-scripts
    3. Revoke and rotate ALL developer secrets, personal access tokens (GitHub, npm), cloud access keys (AWS, Azure, GCP), and SSH keys that were configured on workstations or CI/CD runners active on March 31, 2026.
  • Short-term:
    1. Scan DNS and network firewall logs for outgoing connections to sfrclak[.]com or 142.11.206[.]73 [CISA Security Advisory].
    2. Run forensic scans for the specific persistence files (/Library/Caches/com.apple.act.mond, %PROGRAMDATA%\wt.exe, /tmp/ld.py).
    3. Re-image any developer workstation or CI runner that was identified as active during the 3-hour compromise window [CISA Security Advisory].
  • Long-term:
    1. Enforce strict npm lifecycle script restrictions. Configure global npm settings to disable scripts by default:
      npm config set ignore-scripts true
    2. Enforce GitHub Actions Trusted Publishing (OIDC) exclusively for critical packages and revoke all classic, long-lived npm publishing tokens [Wiz Threat Research].

Defensive Lessons

  • prevent: Avoid long-lived classic registry access tokens that bypass modern token-exchange flows such as OIDC-based Trusted Publishing [Wiz Threat Research]. Educate development teams about targeted social engineering campaigns that offer unsolicited collaboration platforms (such as fake Slack or Teams environments) [Huntress Labs].
  • detect: Implement runtime anomaly detection in CI/CD pipelines and on developer workstations to flag child processes (such as Python or PowerShell) spawned from package manager processes (npm, yarn, pnpm) [Elastic Security Labs; Huntress Labs].
  • respond: Maintain rigid, immutable build environments and treat any local dependency execution anomaly as a full-machine compromise, immediately initiating credential revocation and re-imaging the underlying hosts [CISA Security Advisory].

Open Questions

  • What was the exact initial access loader malware distributed via the fake Slack workspace prior to the theft of the npm account credentials? [Huntress Labs]
  • Were other packages maintained by jasonsaayman targeted or published using the stolen classic token during the compromise window? [Wiz Threat Research]

Sources

  1. GitHub Security Advisory: GHSA-fw8c-xr5c-95f9. Role: DIRECT_SOURCE. Impact: Primary source mapping the registry vulnerability, package removals, affected package versions, and official mitigation targets.
  2. Google Threat Intelligence Group (GTIG). Role: PRIMARY_RESEARCH. Impact: Attributed the campaign to UNC1069, identified the WAVESHAPER.V2 RAT, and detailed the platform-specific payloads.
  3. Microsoft Threat Intelligence. Role: PRIMARY_RESEARCH. Impact: Coordinated advisory detailing threat actor attribution, WAVESHAPER.V2 behaviors, and Windows PowerShell payload mechanics.
  4. CISA: Joint Security Advisory on UNC1069 Supply Chain Attacks. Role: ENRICHMENT_DATA. Impact: Comprehensive federal security warning detailing recovery recommendations, host isolation guidelines, and credential rotation workflows.
  5. Wiz Threat Research: The Axios Supply Chain Incident and the Trusted Publishing Gap. Role: PRIMARY_RESEARCH. Impact: Detailed the classic npm access token weakness that allowed attackers to bypass GitHub Actions OIDC Trusted Publishing.
  6. Elastic Security Labs: Behavior Detection and IOCs for plain-crypto-js Dropper. Role: PRIMARY_RESEARCH. Impact: Documented the postinstall execution chain, the setup.js (SILKBELL) dropper behavior, and SHA256 hashes for all payloads.
  7. Huntress Labs: Threat Analysis of the Axios Supply Chain Compromise. Role: PRIMARY_RESEARCH. Impact: Uncovered the initial social engineering entry point involving the fake Slack workspace invitation targeting maintainer jasonsaayman.
  8. Palo Alto Networks Unit 42: WAVESHAPER Host-Based Evasion Techniques. Role: SECONDARY_ANALYSIS. Impact: Deep dive into process and binary masquerading, cataloging indicators such as com.apple.act.mond and wt.exe.
  9. Trend Micro: Supply-chain threat profile of plain-crypto-js. Role: SECONDARY_ANALYSIS. Impact: Analyzed the evasion and self-deletion routines executed by the setup.js script post-execution.