Cybersecurity Blog | SentinelOne (author: Matt Berry)

Hypersonic Supply Chain Attacks: One Solution That Didn’t Need to Know the Payload

April 22, 2026, 13:44

In 2026, the question for security leaders is not whether a supply chain attack is coming. Every serious organization should assume it is. The question is whether their defense architecture can stop a payload it has never seen before. It’s a question that takes on even more critical implications at a time when trusted agentic automation increasingly becomes the norm.

In three weeks this spring, three threat actors each ran a tier-1 supply chain attack against widely deployed software: LiteLLM, a core AI infrastructure package, Axios, the most downloaded HTTP client in the JavaScript ecosystem, and CPU-Z, a trusted system diagnostic tool. Different vectors, different actors, different techniques. SentinelOne® stopped all three on the same day each attack launched, with no prior knowledge of any payload.

The more important story is the how. Each attack arrived as a zero-day at the moment of execution. Each exploited a trusted delivery channel: an AI coding agent running with unrestricted permissions, a phantom dependency staged eighteen hours before detonation, a properly signed binary from an official vendor domain. No signature existed for any of them. No IOA matched.

SentinelOne stopped all three. That outcome is a direct answer to the question every security leader is now running against: What does your defense do when the attack arrives through a channel you explicitly trust, carrying a payload you have never seen before?

The AI Arms Race in Security is Underway

Adversaries are no longer running manual campaigns at human speed. In September 2025, Anthropic disclosed a Chinese state-sponsored group that jailbroke an AI coding assistant and ran a full espionage campaign against approximately 30 organizations. The AI handled 80–90% of tactical operations autonomously (i.e., reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, exfiltration) with minimal human direction. Anthropic noted only 4–6 human decision points per campaign. The attack achieved limited success across those targets, but the trajectory is clear: AI is compressing the human bottleneck in offensive operations. Security programs designed around manual-speed adversaries are calibrating to a threat that is moving faster.

The LiteLLM attack is the clearest recent example of what this looks like inside an AI development workflow. On March 24, 2026, threat actor TeamPCP compromised the LiteLLM Python package by obtaining PyPI credentials through a prior supply chain compromise of Trivy, a widely-used open-source security scanner. Two malicious versions (1.82.7 and 1.82.8) were published. Any system with those versions during the exposure window executed the embedded credential theft payload automatically. In one confirmed detection, an AI coding agent running with unrestricted permissions (claude --dangerously-skip-permissions) auto-updated to the infected version without human review — no approval, no alert, no visible action before the payload ran. SentinelOne detected and blocked the malicious Python execution on the same day across multiple environments. Most organizations running AI development workflows didn’t know they were exposed until after the fact. The gap where human review processes don’t reach is wide, and it grows with every AI agent added to a pipeline.

Security programs were built for a different adversary. Vulnerability management, triage queues, patch cadences: all of it assumes an attacker who moves at a pace where human response can still close the window. This year’s SentinelOne Annual Threat Report documented what happens when that assumption breaks: adversaries are shifting left, embedding malicious logic in the build process before software ever reaches production. Likewise, the Verizon 2025 Data Breach Investigations Report found that edge device vulnerabilities are now being mass-exploited at or before the day of CVE publication, while organizations take a median of 32 days to patch them. The old model worked when it was designed. Attackers just weren’t running AI yet.

Three Attacks, One Common Failure Mode

Each attack ran through the same gap. Authorization was treated as a sufficient security boundary, and when authorization is automated, that assumption has no floor.

An AI agent with install permissions doesn’t stop to ask whether a package looks right. It installs. Trusted source, valid credentials, done. Supply chain attacks have always exploited trusted delivery channels, but a human at the keyboard introduces at least one friction point: Someone might notice something off, slow down, ask a question. Agents don’t do that. They execute at the speed of the next API call. When you give an agent install permissions, you’ve extended your trust model to cover everything it will ever run. Authorized agents execute exactly what their permissions allow. That’s the design. Treating permission as a proxy for safety is what turns a compromised supply chain hypersonic.

LiteLLM was compromised via credentials stolen through Trivy, a security scanner. The Axios attacker bypassed every npm security control the project had in place by exploiting a legacy access token the maintainers had forgotten to revoke. The CPUID attackers went after the vendor’s distribution infrastructure directly, so anyone who downloaded from the official website got a properly signed binary with a payload inside. In all three cases, the identity was legitimate. The intent wasn’t.

SentinelOne’s Annual Threat Report named the failure precisely: “The identity is verified, but the intent has been subverted, rendering traditional access controls ineffective against the resulting supply chain contamination.” Signature libraries, IOA rule sets, reputation lookups: All of them check authorization. None check intent. These attacks were designed to exploit exactly that. When the authorization model runs automatically, so does the exposure.

What Actually Stopped Them

In each incident, SentinelOne’s on-device behavioral AI flagged the execution pattern, not a known signature or hash for that specific attack.

The LiteLLM detection flagged a Python interpreter executing Base64-decoded code in a spawned subprocess. SentinelOne killed the process preemptively, terminating 424 related events in under 44 seconds, before any human was in a position to observe it. The Axios detection, via the Lunar behavioral engine, caught PowerShell executing under a renamed binary from a non-standard path. The engine flagged the technique regardless of what the payload contained. The first infection occurred 89 seconds after the malicious package went live; the behavioral detection fired on the same day of publication. The CPU-Z detection flagged cpuz_x64.exe building an anomalous process chain: spawning PowerShell, which spawned csc.exe, which spawned cvtres.exe. CPU-Z does not do that. The platform terminated the execution chain mid-attack during a 19-hour active distribution window.

This is the operational output of Autonomous Security Intelligence (ASI), the intelligence fabric built into the Singularity™ Platform. ASI runs on-device at the edge as part of the core architecture. It is already running when the attack starts, killing the process before the threat can escalate.

Where customers had SentinelOne fully deployed with the right policies enabled, they were covered. Where they did not, they were exposed, and with average ransomware recovery costs exceeding $4M per incident, that exposure has a real price. If you are not certain your deployment matches the configuration that stopped these three attacks, that certainty is worth getting.

AI to Fight AI

This is the product reality behind the thesis SentinelOne brought to RSAC: AI to fight AI. A machine-speed adversary requires a machine-speed defense. That is an architectural requirement, not a positioning statement. ASI monitors behavioral patterns at the point of execution and kills the process when something deviates, at machine speed, without waiting for a human to write a query or approve a kill.

According to an IDC study, organizations using SentinelOne’s AI platform identify threats 63% faster and remediate 55% faster than legacy solutions, neutralizing 99% of threats without a single manual step. For organizations in regulated industries (healthcare, financial services, manufacturing, critical infrastructure), the stakes compound beyond breach cost. An exposure window that stays open through manual investigation is a potential regulatory notification event, an audit finding, and a conversation the CISO has with the board under circumstances no one wants. The difference between a stopped attack and an active breach is whether the architecture acts before the attacker establishes persistence. By the time a human analyst approves the kill, redundant persistence mechanisms may already be installed. The CPU-Z attack deployed three of them specifically because partial cleanup leaves the payload operational.

Human-driven workflows, manual validation, and legacy tooling cannot keep pace with that attack cadence. When defense relies on investigation before action, the advantage shifts to the adversary. The gap is in the architecture. You cannot tune your way out of it.

Conclusion | The Only Question That Matters

SentinelOne’s latest Annual Threat Report documented the pattern these three attacks confirm: Adversaries are “shifting left” by integrating malicious logic into the build process itself, compromising software before it reaches production. It is the current operating model of advanced threat actors, and it is accelerating.

Three attacks. Three detections. Three outcomes, all in a matter of weeks. The architecture that survived them is real-time, AI-native, and built into the edge.

The question every security leader should be able to answer: Could your current solution have stopped LiteLLM, Axios, and CPU-Z autonomously, on the day of each attack, with no prior knowledge of any payload?

If the answer depends on a signature update, a cloud verdict, a manual investigation step, or a policy that wasn’t enabled, that is your answer.

Read the full technical breakdown of each incident:

Third-Party Trademark Disclaimer:

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

OpenAI Rotates macOS Certificates Following Axios Supply Chain Breach

OpenAI rotates macOS certificates after downloading a compromised Axios version, urging users to update apps before revoked certificates are blocked in May 2026.

Securing the Supply Chain: How SentinelOne®’s AI EDR Stops the Axios Attack Autonomously

April 2, 2026, 16:50
A guide to the suspected North Korean cyber attack—and how SentinelOne defends against it at machine speed

On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments. The malicious versions were live for approximately three hours. An estimated 600,000 downloads occurred during that window with no user interaction required beyond a routine npm install.

SentinelOne protects against this attack, demonstrating why autonomous, layered defense at machine speed is not optional when adversaries operate at this velocity. In this attack, the first infection was observed 89 seconds after publication. At that pace, manual workflows do not have a response window. They have a spectator seat.

For SentinelOne’s customers and partners, here’s a quick overview of the compromise, SentinelOne’s response, and steps you can take to further protect your environment.

What Happened: The Anatomy of a State-Level Supply Chain Weapon

The attacker, tracked as UNC1069 by Google Threat Intelligence and Sapphire Sleet by Microsoft, compromised maintainer credentials and published axios@1.14.1 (tagged “latest”) and axios@0.30.4 (tagged “legacy”). Each version introduced a single new dependency: plain-crypto-js@4.2.1, a purpose-built trojan. The malicious package’s postinstall hook silently deployed a cross-platform RAT, commonly referred to as WAVESHAPER.V2, that communicates over HTTP with C2 infrastructure at sfrclak[.]com (142.11.206[.]73).

The operational sophistication was striking. The attacker pre-staged a clean version of plain-crypto-js 18 hours before detonation to evade novelty-based detection. Publication occurred just after midnight UTC on a Sunday to maximize the response window. The malware self-deleted after execution, swapping its malicious package.json for a clean stub, leaving forensic evidence only in lockfiles and audit logs.

Most critically, Axios had adopted OIDC Trusted Publishing, the post-Shai-Hulud hardening measure npm promoted as the solution to credential-based attacks. But the OIDC configuration coexisted with a long-lived npm access token. npm’s authentication logic prioritizes environment variable tokens over OIDC when both are present. The attacker stole the legacy token and bypassed every modern control the project had in place.

The issue is architectural: security controls that coexist with the mechanisms they are meant to replace provide a false sense of protection. Axios had Trusted Publishing, SLSA provenance, and GitHub Actions workflows. None of it mattered because the old key was still under the mat.

How SentinelOne Is Protecting Customers

Behavioral Detection via the Lunar Engine

SentinelOne’s Lunar behavioral engine detects the renamed binary execution technique central to the Windows attack chain, in which PowerShell is copied to %PROGRAMDATA%\wt.exe and executed under a disguised process. The RenamedBinExecution logic catches this behavior regardless of the specific payload hash, providing durable detection against variants.
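The renamed-binary idea can be reproduced on ordinary process-creation telemetry. The following is an added example, not SentinelOne's RenamedBinExecution logic: it compares each process's image name with the OriginalFileName from its PE version resource (the field Sysmon Event ID 1 reports) and goes beyond the PowerShell case on this page by tracking several script interpreters. The event records, process IDs and the default C:\Windows and C:\ProgramData locations are assumptions.

```python
import ntpath

# Interpreters to track, keyed by the OriginalFileName stored in their PE version
# resource (Sysmon Event ID 1 reports it per process). Compared case-insensitively.
TRACKED = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: %SystemRoot% is the default C:\Windows.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(event):
    """Return the findings for one process-creation event (empty list if clean)."""
    original = event.get("OriginalFileName", "").lower()
    if original not in TRACKED:
        return []
    image = ntpath.normpath(event["Image"]).lower()
    findings = []
    if ntpath.basename(image) != original:
        findings.append("renamed-binary")      # e.g. PowerShell running as wt.exe
    if not image.startswith(SYSTEM_DIRS):
        findings.append("non-standard-path")   # interpreter copied out of System32
    return findings


def ancestry(events, pid):
    """Rebuild the parent chain for triage. Real telemetry should key on a
    process GUID instead of the PID, because PIDs are reused."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return " > ".join(reversed(chain))


def hunt(events):
    """Return (image, findings, parent chain) for every suspicious event."""
    results = []
    for event in events:
        findings = classify(event)
        if findings:
            results.append((event["Image"], findings,
                            ancestry(events, event["ProcessId"])))
    return results


# Constructed events modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 1, "OriginalFileName": "electron.exe",
     "Image": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"ProcessId": 4200, "ParentProcessId": 4100, "OriginalFileName": "node.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},
    {"ProcessId": 4300, "ParentProcessId": 4200, "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\ProgramData\wt.exe"},
    {"ProcessId": 5000, "ParentProcessId": 1, "OriginalFileName": "PowerShell.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for image, findings, chain in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)} (chain: {chain})")
```

Because the check keys on the version resource rather than a file hash, it keeps firing when the payload behind the renamed interpreter changes.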

Global Hash Blocklist

All known stage payloads, malicious npm package tarballs, and RAT binaries across Windows, macOS, and Linux have been added to the SentinelOne Cloud blocklist with a globally blocked reputation status. This provides immediate protection for all customers with cloud-connected agents.

Wayfinder Threat Hunting

The Wayfinder Threat Hunting team executed proactive hunts across all MDR regions and operating systems using Axios-specific IOCs, including DNS queries to sfrclak[.]com, file artifacts (com.apple.act.mond, /tmp/ld.py, wt.exe), and consolidated hash sets. All true positive findings generate console alerts, with MDR customers receiving direct analyst engagement and escalation.

Sustained Research on This Threat Actor

SentinelLABS has tracked BlueNoroff, the DPRK-linked threat cluster with significant overlap to UNC1069, across multiple campaigns targeting macOS and credential theft operations. The WAVESHAPER.V2 macOS binary recovered from the Axios compromise carries the internal project name “macWebT,” a direct lineage marker to BlueNoroff’s documented webT module. SentinelLABS published detailed analysis of this tooling family in 2023 when RustBucket first emerged as a macOS-targeted campaign, and again in 2024 when BlueNoroff shifted to fake cryptocurrency news as a delivery mechanism with novel persistence techniques.

The initial access vector matters here, too. In March 2026, Google Threat Intelligence reported that UNC1069 leverages ClickFix, a social engineering technique that weaponizes user verification fatigue, as an initial access vector for credential harvesting. SentinelLABS had already published a detailed analysis of ClickFix techniques and their use in delivering RATs and infostealers before Google’s attribution dropped.

The behavioral detections that caught the Axios compromise were built on this accumulated intelligence, not written after the fact.

Live Security Updates (LSU)

Customers with LSU enabled receive real-time detection updates without waiting for agent releases, ensuring coverage evolves as fast as the threat intelligence does. This is critical for rapidly evolving supply chain campaigns where new IOCs emerge hourly.

What You Should Do Now

Supply chain compromise exploits the inherent trust enterprises place in their software delivery infrastructure. When that trust is weaponized by a state-level actor, the response must be both immediate and structural.

  1. Audit and contain. Search all environments for axios@1.14.1 and axios@0.30.4. Treat any system that installed either version during the exposure window as fully compromised. Rebuild from known-good images rather than attempting in-place cleanup.
  2. Rotate every credential the endpoint could reach. npm tokens, SSH keys, CI/CD secrets, cloud provider keys, and API tokens accessible from impacted systems must be rotated immediately. The RAT was designed to harvest exactly these credential types.
  3. Pin dependencies and enforce lockfiles. Use npm ci (not npm install) in all CI/CD pipelines. Commit and audit lockfiles. Organizations using strict lockfile discipline were protected even during the three-hour exposure window. This is the single most actionable control.
  4. Eliminate legacy npm tokens. Inventory all long-lived tokens across the organization. Migrate to OIDC Trusted Publishing and revoke legacy tokens entirely. Do not leave them as fallbacks. The coexistence of old and new authentication is what this attack exploited.
  5. Harden detection policy. Ensure Behavioral AI and Documents & Scripts engines are set to Protect (On Execute). Avoid broad exclusions for developer tools like node.exe or npm. Enable LSU for real-time detection updates.
  6. Extend endpoint coverage to developer workstations and CI runners. These environments have access to production secrets, deployment credentials, and code signing infrastructure. They are typically less monitored than production servers. DPRK has recognized this asymmetry and is systematically exploiting it.
  7. Hunt proactively. Use Deep Visibility to search for DNS queries to sfrclak[.]com, connections to 142.11.206[.]73, and the presence of plain-crypto-js in any node_modules directory. SentinelOne’s 2025 Annual Threat Report documents how supply chain attacks are part of a broader pattern where adversaries are “shifting left” to subvert the build process itself, compromising software before it ever reaches production.
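For step 4, a check for the coexistence condition described earlier (OIDC Trusted Publishing configured while a long-lived token is still injected). This is an added example, not npm or SentinelOne tooling: a heuristic text scan of GitHub Actions workflow files. The secret name NPM_TOKEN and both sample workflows are constructed.

```python
import re

# `id-token: write` is the GitHub Actions permission OIDC Trusted Publishing needs.
OIDC = re.compile(r"^\s*id-token:\s*write\b", re.M)
PUBLISH = re.compile(r"\bnpm\s+publish\b")
# Ways a long-lived token reaches npm: NODE_AUTH_TOKEN (read by the .npmrc that
# actions/setup-node writes), NPM_TOKEN (a common secret name, assumed here),
# or an _authToken line written into .npmrc by a workflow step.
TOKEN_ENV = re.compile(r"^\s*(NODE_AUTH_TOKEN|NPM_TOKEN)\s*:", re.M)
NPMRC_TOKEN = re.compile(r"_authToken\s*=")


def audit_workflow(text):
    """Classify one workflow file. Returns (status, token_names) where status is
    'not-a-publisher', 'oidc-only', 'token-only' or 'oidc-with-token-fallback'."""
    # Drop YAML comments so a commented-out token line is not counted.
    body = "\n".join(line.split(" #", 1)[0] for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    if not PUBLISH.search(body):
        return "not-a-publisher", []
    tokens = sorted(set(TOKEN_ENV.findall(body)))
    if NPMRC_TOKEN.search(body):
        tokens.append("_authToken")
    if OIDC.search(body):
        # The condition this page describes: the modern control is configured,
        # but the legacy credential is still present and usable.
        return ("oidc-with-token-fallback" if tokens else "oidc-only"), tokens
    return "token-only", tokens


# Constructed workflow: OIDC permission granted, legacy token still injected.
WEAK_WORKFLOW = """\
name: release
on: {push: {tags: ['v*']}}
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: {node-version: 22, registry-url: 'https://registry.npmjs.org'}
      - run: npm ci
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Corrected form: same workflow with the token environment removed entirely.
FIXED_WORKFLOW = WEAK_WORKFLOW.replace(
    "        env:\n          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n", "")

if __name__ == "__main__":
    for name, workflow in (("weak", WEAK_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, audit_workflow(workflow))
```

A clean result here only covers the workflow file; the token itself still has to be revoked in the npm account, as step 4 says.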

Practitioner Investigative Guide

In addition to the strategic recommendations above, here are some specific queries, file paths, and commands you can execute now to protect your environment.

Determine Blast Radius

Your first job is to answer one question: did any system in my environment pull a compromised Axios version during the March 31 exposure window (00:21 – 03:25 UTC)?

In the SentinelOne Console:

  • Open the Wayfinder alert queue. Look for the alert name “Axios NPM Supply Chain Compromise” (Wayfinder retroactive rule). If these alerts are not visible under default filters, switch the alert type from “EDR” to “All”, as these surface as Custom/STAR alerts.
  • For each alert, review the Storyline and process tree. The typical chain looks like this:
    • Developer process (VS Code, Electron, Node, Yarn, npx) → node setup.js under plain-crypto-js → curl download from sfrclak[.]com:8000/6202033 → OS-specific payload execution
  • Classify the affected asset: developer workstation, CI/CD runner, or production server. This drives urgency. Shared CI runners imply wider blast radius because multiple teams and credential sets may be exposed.

Deep Visibility / Event Search hunts to run immediately:

| What You’re Looking For | Query Pattern |
|---|---|
| C2 DNS resolution | #dns contains:anycase 'sfrclak.com' |
| C2 IP connection | #ip contains '142.11.206.73' |
| Malicious dependency on disk | File path contains node_modules/plain-crypto-js/ or */plain-crypto-js/setup.js |
| macOS RAT binary | File path: /Library/Caches/com.apple.act.mond |
| Linux loader | File path: /tmp/ld.py |
| Windows payload | File path: %PROGRAMDATA%\wt.exe |
| Renamed PowerShell execution | Lunar detection: RenamedBinExecution |

Run hash hunts against consolidated IOC lists even if the global blocklist is already active. Historic hits help you quantify which systems were exposed and when.

Contain and Kill

For every system with confirmed Axios-related activity:

  • Mark the Storyline as Threat in the SentinelOne Console. Confirm that remediation commands (Kill + Quarantine) executed successfully.
  • Network-isolate the endpoint if the C2 connection succeeded (outbound to sfrclak[.]com or 142.11.206[.]73). Check for any secondary tooling or persistence beyond the initial RAT.
  • Block at the perimeter. Add the following to your firewall, proxy, and DNS blocklists:
    • Domain: sfrclak[.]com
    • IP: 142.11.206[.]73
    • Port: 8000
  • Check for persistence mechanisms:
    • Windows: Registry key “Microsoft Update” (used by the RAT for persistence), presence of 6202033.vbs or 6202033.ps1
    • macOS: Any process spawned from /Library/Caches/com.apple.act.mond, AppleScript execution from /var/folders/.../6202033
    • Linux: Active python3 processes running /tmp/ld.py, nohup wrappers

Credential Rotation and Dependency Cleanup

Assume every credential accessible from a confirmed-compromised endpoint is stolen. The RAT was built to harvest them.

Credential rotation checklist:

  • npm access tokens (revoke and reissue)
  • SSH keys (regenerate keypairs, update authorized_keys on all targets)
  • CI/CD pipeline secrets (GitHub Actions secrets, GitLab CI variables, Jenkins credentials)
  • Cloud provider keys (AWS access keys, GCP service account keys, Azure SPN secrets)
  • API keys and .env file contents
  • Git signing keys and code signing certificates if accessible from the endpoint

Dependency cleanup (all environments):

  • Pin Axios to known-good versions: axios@1.14.0 (1.x branch) or axios@0.30.3 (legacy branch)
  • Delete node_modules/plain-crypto-js/ wherever it exists
  • Run npm cache clean --force (or equivalent for Yarn/pnpm) on all affected build environments
  • Reinstall cleanly using npm ci --ignore-scripts during the cleanup period to prevent any other postinstall hooks from executing
  • Audit your package-lock.json / yarn.lock / pnpm-lock.yaml for any reference to plain-crypto-js. Its presence in a lockfile is a forensic indicator that the compromised version was resolved, even if the malware self-deleted.
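The lockfile audit in the last item can be scripted. The following is an added example, not part of SentinelOne's guidance: it walks a directory tree, parses npm lockfiles (versions 1 to 3), scans yarn.lock and pnpm-lock.yaml as text, and reports leftover plain-crypto-js directories. The sample lockfiles and the `^4.2.1` range in them are constructed.

```python
import json
import os
import re

BAD_AXIOS = {"1.14.1", "0.30.4"}  # compromised versions named in the advisory
TROJAN = "plain-crypto-js"        # any lockfile reference is an indicator


def scan_package_lock(text):
    """Findings from npm lockfile JSON (lockfileVersion 1, 2 or 3)."""
    lock, hits = json.loads(text), set()
    if not isinstance(lock, dict):
        return []

    def check(name, meta):
        version = meta.get("version", "?") if isinstance(meta, dict) else "?"
        if name == TROJAN:
            hits.add(f"{TROJAN}@{version} resolved")
        elif name == "axios" and version in BAD_AXIOS:
            hits.add(f"axios@{version} resolved")

    # v2/v3: flat "packages" map keyed by install path ("" is the project itself).
    for path, meta in lock.get("packages", {}).items():
        check(path.rsplit("node_modules/", 1)[-1], meta)

    # v1, and the compatibility copy kept in v2: nested "dependencies" tree.
    def walk(deps):
        for name, meta in deps.items():
            check(name, meta)
            if isinstance(meta, dict):
                walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


YARN_HEADER = re.compile(r'^"?(@?[^@\s"]+)@')              # axios@^1.14.0:
YARN_VERSION = re.compile(r'^\s+version:?\s+"?([^"\s]+)')  # version "1.14.1"
PNPM_AXIOS = re.compile(r'(?:^|[\s\'"])/?axios@(\d+\.\d+\.\d+)(?![\w.-])')


def scan_text_lock(text):
    """Findings from yarn.lock (classic or berry) or pnpm-lock.yaml."""
    hits, entry = set(), None
    for line in text.splitlines():
        if TROJAN in line:
            hits.add(f"{TROJAN} referenced")
        if line and not line[0].isspace():  # unindented line: yarn entry header
            m = YARN_HEADER.match(line)
            entry = m.group(1) if m else None
        yarn, pnpm = YARN_VERSION.match(line), PNPM_AXIOS.search(line)
        if yarn and entry == "axios" and yarn.group(1) in BAD_AXIOS:
            hits.add(f"axios@{yarn.group(1)} resolved")
        if pnpm and pnpm.group(1) in BAD_AXIOS:  # pnpm key such as /axios@1.14.1:
            hits.add(f"axios@{pnpm.group(1)} resolved")
    return sorted(hits)


SCANNERS = {"package-lock.json": scan_package_lock, "npm-shrinkwrap.json": scan_package_lock,
            ".package-lock.json": scan_package_lock,  # npm's hidden copy in node_modules
            "yarn.lock": scan_text_lock, "pnpm-lock.yaml": scan_text_lock}


def scan_tree(root):
    """Walk root; return (path, finding) pairs for lockfiles and on-disk copies."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "node_modules" and TROJAN in dirnames:
            findings.append((os.path.join(dirpath, TROJAN), "trojan package directory on disk"))
        for name in filenames:
            if name in SCANNERS:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        hits = SCANNERS[name](fh.read())
                except (OSError, ValueError) as exc:
                    hits = [f"unreadable lockfile: {exc}"]
                findings.extend((path, hit) for hit in hits)
    return findings


# Constructed samples (not captured from a real project).
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1", "dependencies": {TROJAN: "^4.2.1"}},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/follow-redirects": {"version": "1.15.6"}}})
SAMPLE_YARN = 'axios@^1.14.0:\n  version "1.14.1"\n  dependencies:\n    plain-crypto-js "^4.2.1"\n'

if __name__ == "__main__":
    import sys
    for path, finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {finding}")
```

Run it against checked-out repositories and CI workspaces alike; a lockfile hit with no matching directory on disk is consistent with the self-deletion behavior described above.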

Harden and Validate

Policy hardening:

  • Confirm Behavioral AI engine is set to Protect (On Execute), not Detect-only
  • Confirm Documents & Scripts engine is set to Protect (On Execute)
  • Review and remove any broad exclusions for node.exe, npm, yarn, python3, or developer IDEs
  • Verify LSU (Live Security Updates) is enabled. Customers on Fed/OnPrem environments without LSU access should confirm they are on the latest Service Pack
  • Confirm the SentinelOne agent is deployed on all developer workstations and CI/CD runners, not just production servers

Validation sweep:

  • Run a full disk scan on every endpoint that was in the blast radius
  • Verify no new users, services, or scheduled tasks were created during the exposure window
  • Confirm that network blocks for C2 infrastructure are active and logging hits
  • Re-run the Deep Visibility hunts from Hour 0-1 to verify no new activity has appeared

Key IOC Reference Card

Keep this card accessible for your team during the response.

Malicious packages:

| Package | SHA-1 |
|---|---|
| axios@1.14.1 | 2553649f2322049666871cea80a5d0d6adc700ca |
| axios@0.30.4 | d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 |
| plain-crypto-js@4.2.1 | 07d889e2dadce6f3910dcbc253317d28ca61c766 |

C2 infrastructure:

| Indicator | Value |
|---|---|
| Domain | sfrclak[.]com |
| IP | 142.11.206[.]73 |
| Port | 8000 |
| URL pattern | hxxp[://]sfrclak[.]com:8000/6202033 |
| RAT User-Agent | mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) |

File artifacts by OS:

| OS | Artifact | Path |
|---|---|---|
| macOS | RAT binary | /Library/Caches/com.apple.act.mond |
| macOS | Temp script | /var/folders/.../6202033 |
| Windows | Renamed PowerShell | %PROGRAMDATA%\wt.exe |
| Windows | Stage 1 | system.bat |
| Windows | Stage 2 | 6202033.ps1 |
| Windows | VBS launcher | 6202033.vbs |
| Linux | Python loader | /tmp/ld.py |

RAT beacon behavior: HTTP POST every 60 seconds, Base64-encoded JSON, two-layer obfuscation (reversed Base64 + XOR with key OrDeR_7077, constant 333). The IE8/Windows XP User-Agent string is anachronistic and serves as a strong network-level detection indicator.
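The network indicators above (C2 destination, the anachronistic User-Agent, and the 60-second POST cadence) can be combined into one pass over web proxy logs. This is an added example, not SentinelOne's detection logic: the log layout, client hostnames, benign traffic, jitter tolerance and minimum interval count are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def refang(ioc):
    """Turn the defanged notation used in the IOC card back into matchable text."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


# Indicators copied from the reference card above.
C2_HOSTS = {refang("sfrclak[.]com"), refang("142.11.206[.]73")}
C2_URL = refang("hxxp[://]sfrclak[.]com:8000/6202033")
RAT_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
# Beacon period from the card; tolerance and run length are assumed thresholds.
BEACON, JITTER, MIN_INTERVALS = 60, 5, 3

# Assumed proxy log layout: <ISO-8601 UTC> <client> <method> <url> "<user-agent>"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse(line):
    """Return (time, client, method, host, user-agent) or None if unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return None
    return when, client, method.upper(), host, ua.lower()


def beacon_cadence(stamps):
    """True if MIN_INTERVALS consecutive gaps are each BEACON +/- JITTER seconds."""
    run, stamps = 0, sorted(stamps)
    for prev, cur in zip(stamps, stamps[1:]):
        gap = (cur - prev).total_seconds()
        run = run + 1 if abs(gap - BEACON) <= JITTER else 0
        if run >= MIN_INTERVALS:
            return True
    return False


def detect(lines):
    """Map (client, destination host) -> sorted list of matched indicators."""
    reasons, posts = defaultdict(set), defaultdict(list)
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        when, client, method, host, ua = event
        key = (client, host)
        if host in C2_HOSTS:
            reasons[key].add("c2-destination")
        if ua == RAT_UA:            # flagged for any destination, not only known C2
            reasons[key].add("rat-user-agent")
        if method == "POST":
            posts[key].append(when)
    for key, stamps in posts.items():
        if beacon_cadence(stamps):
            reasons[key].add("60s-post-beacon")
    return {key: sorted(found) for key, found in reasons.items()}


def sample_log():
    """Constructed proxy log lines (hostnames, times and benign traffic invented)."""
    t0 = datetime(2026, 3, 31, 0, 23, 10)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f'{stamp(s)} dev-ws-07 POST {C2_URL} "{RAT_UA}"' for s in (0, 60, 121, 180)]
    lines += [
        f'{stamp(5)} ci-runner-2 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v22.3.0"',
        f'{stamp(30)} build-03 POST https://telemetry.example.internal/v1 "curl/8.5.0"',
        f'{stamp(400)} build-03 POST https://telemetry.example.internal/v1 "curl/8.5.0"',
        f'{stamp(90)} laptop-11 GET http://198.51.100.20/ "{RAT_UA.upper()}"',
        "malformed line that the parser must skip",
    ]
    return lines


if __name__ == "__main__":
    for (client, host), found in detect(sample_log()).items():
        print(f"{client} -> {host}: {', '.join(found)}")
```

The User-Agent and cadence checks are independent of the destination, so they still flag a client if the operator moves to new infrastructure while keeping the same implant.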

SentinelLABS Expanded Indicators:

| Indicator | Value | Note |
|---|---|---|
| Email | nrwise@proton[.]me | Involved in supply chain compromise. |
| Email | ifstap@proton[.]me | Involved in supply chain compromise. |
| Domain | callnrwise[.]com | Domain overlaps with email scheme and infrastructure design from confirmed C2 domain. |
| Domain | focusrecruitment[.]careers | Overlapping domain registration details and timeline. Medium Confidence |
| Domain | chickencoinwin[.]website | Overlapping domain registration details and timeline. Medium Confidence |

The Structural Problem Is Bigger Than Axios

The progression from event-stream (2018, individual actor) to Shai-Hulud (2025, self-replicating worm across 500+ packages) to Axios (2026, DPRK state actor with multi-vendor attribution from SentinelOne, Google, and Microsoft) is not a series of isolated incidents. It is a clear escalation in adversary sophistication and strategic intent. North Korean threat actors stole $2.02 billion in cryptocurrency in 2025 alone, a 51% increase year-over-year, and the Axios RAT harvests exactly the credential types that feed that revenue pipeline.

Developer environments are now a Tier 1 attack surface. The organizations that treat them as anything less are operating with a structural blind spot that state-level adversaries have already mapped.

SentinelOne’s Autonomous Security Intelligence framework delivers what this moment requires: AI-native protection that detects and contains threats at machine speed, human expertise through Wayfinder MDR that translates alerts into confident action, and a unified platform that eliminates the fragmented visibility where supply chain attacks hide. When the next three-hour window opens, the question is whether your defense moves faster than the attacker. With SentinelOne, it does.

Disclaimer: All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third party.

Security Affairs (author: Pierluigi Paganini)

Google links Axios npm supply chain attack to North Korea-linked APT UNC1069

April 1, 2026, 10:47

Google links the Axios npm supply chain attack to North Korean threat group UNC1069, targeting financial gain.

Google has attributed the recent Axios npm supply chain compromise to a North Korean threat group tracked as UNC1069. The attack, aimed at financial gain, exploited the package to target developers and organizations relying on Axios.

John Hultquist of Google Threat Intelligence confirmed the attribution, highlighting the group’s growing activity in supply chain attacks.

“GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities.” reads the analysis by Google Threat Intelligence Group. “Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.”

Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads. They published malicious versions to spread remote access trojans across Linux, Windows, and macOS. Multiple security firms identified the supply chain attack after the rogue updates appeared in the npm registry.

Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.

“Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.” read the report published by Aikido Security.

The impact is unclear, but given Axios’ ~400M monthly downloads, many downstream projects may have been exposed during the brief attack window.

Socket researchers reported that a malicious package called plain-crypto-js@4.2.1 was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects. Because many developers rely on automatic updates, affected versions could be installed without notice.

The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform. In the case of macOS, researchers confirmed the delivery of a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands.

“Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline. The payload is a fully functional remote access trojan written in C++.” reads the report published by Socket.

To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.

Google’s Threat Intelligence Group (GTIG) and other researchers attribute the Axios npm supply chain attack to North Korean threat actor UNC1069, which has been active since at least 2023. SentinelOne previously observed the group using macOS malware, including attacks on a cryptocurrency firm with fake Zoom campaigns. Malware used in Axios mirrors WAVESHAPER, a strain tied to North Korean operations. Hultquist emphasized the group’s expertise in supply chain attacks and cryptocurrency theft.

WAVESHAPER.V2 is a versatile backdoor used by UNC1069, targeting macOS, Windows, and other environments via C++, PowerShell, or Python. It beacons to C2 every 60 seconds with Base64-encoded JSON, using a hardcoded User-Agent, then waits for commands. Capabilities include reconnaissance (system info, running processes), directory enumeration, script execution, and PE injection. On Windows, it persists via a hidden batch file and registry entry, acting as a full RAT with remote command execution and file system access.

North Korea-linked threat actors “have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency.”

“The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” Hultquist said. 


“The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.” concludes Google. “Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.”


Pierluigi Paganini


  • ✇Security Affairs
  • Attackers hijack Axios npm account to spread RAT malware Pierluigi Paganini

Attackers hijack Axios npm account to spread RAT malware

March 31, 2026, 15:30

Threat actors hijacked the npm account of Axios to distribute RAT malware via malicious package updates.

Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads, and published malicious versions to spread remote access trojans across Linux, Windows, and macOS. The supply chain attack was identified by multiple security firms after the rogue updates appeared on the npm registry.

Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.

“Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.” read the report published by Aikido Security.

The impact is unclear, but given Axios’ ~400M monthly downloads, many downstream projects may have been exposed during the brief attack window.

Socket researchers reported that a malicious package called plain-crypto-js@4.2.1 was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects. Because many developers rely on automatic updates, affected versions could be installed without notice.

The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform. In the case of macOS, researchers confirmed the delivery of a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands.

“Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline. The payload is a fully functional remote access trojan written in C++.” reads the report published by Socket.

To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.

Given the huge number of Axios downloads, the potential impact is significant, even though the exposure window was relatively short.


Socket security researchers found two more packages spreading the same malware through hidden dependencies linked to Axios. The package @shadanai/openclaw included the malicious plain-crypto-js deep inside its code, using identical obfuscation, command-and-control infrastructure, and self-deleting behavior. Another package, @qqbrowser/openclaw-qbot, used a different method by bundling a tampered Axios version that silently installed the malicious dependency.

In both cases, the infection likely happened automatically when these projects pulled the compromised Axios release. This shows how a single poisoned dependency can quickly spread across many projects, especially with automated builds and fast package publishing pipelines.

To check if you’re affected by the Axios attack, verify if your project includes malicious versions (1.14.1 or 0.30.4) or the hidden plain-crypto-js package. Look for leftover files or RAT artifacts on macOS, Windows, or Linux systems. Even if some files were removed, traces may remain. Alternatively, use automated tools like Aikido to scan dependencies and quickly detect any compromised packages.

Both Socket and Aikido provided Indicators of compromise (IOCs) for this supply chain attack.


Pierluigi Paganini


  • ✇Firewall Daily – The Cyber Express
  • North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack Mihir Bagwe

North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack

April 1, 2026, 03:23


On Monday, the Axios npm supply chain attack came to light, in which malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios npm release versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.
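The network indicators described above (the C2 host and path, the Internet Explorer 8 on Windows XP user-agent, and the 60-second beacon interval reported for WAVESHAPER.V2) can be combined into one proxy-log hunt. This is an added example, not code from GTIG or any vendor cited here; the log format, host names and function names are constructed, and the user-agent check matches the generic `MSIE 8.0` and `Windows NT 5.1` tokens because the exact string is not given on this page.

```javascript
// Added example: hunt for the beacon in web-proxy logs (log format is assumed).
const C2_HOST = 'sfrclak[.]com'.replace('[.]', '.'); // the page gives it defanged
const C2_PATH = '/6202033';
// Tokens sent by IE8 on Windows XP; the malware's exact string is not on the page.
const isIe8OnXp = (ua) => /MSIE 8\.0/.test(ua) && /Windows NT 5\.1/.test(ua);
const IE8_XP = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)';

// Constructed sample lines: ISO-time source-host method url "user-agent"
const SAMPLE_LOG = [
  `2026-03-31T00:40:02Z build-07 POST http://${C2_HOST}:8000${C2_PATH} "${IE8_XP}"`,
  '2026-03-31T00:40:30Z dev-laptop-3 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v20.15.0"',
  `2026-03-31T00:41:02Z build-07 POST http://${C2_HOST}:8000${C2_PATH} "${IE8_XP}"`,
  `2026-03-31T00:41:40Z legacy-kiosk GET http://intranet.example/home "${IE8_XP}"`,
  `2026-03-31T00:42:03Z build-07 POST http://${C2_HOST}:8000${C2_PATH} "${IE8_XP}"`,
];

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/.exec(line);
  if (!m) return null; // skip lines that do not match the assumed format
  let url;
  try { url = new URL(m[4]); } catch { return null; }
  return { ts: Date.parse(m[1]) / 1000, src: m[2],
           host: url.hostname, path: url.pathname, ua: m[5] };
}

// Group suspicious requests by source host and test for a ~60 s cadence.
function detectBeacons(lines, period = 60, tolerance = 5) {
  const bySrc = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const reasons = [];
    if (r.host === C2_HOST) reasons.push('c2-domain');
    if (r.path === C2_PATH) reasons.push('c2-path');
    if (isIe8OnXp(r.ua)) reasons.push('ie8-xp-user-agent');
    if (reasons.length === 0) continue;
    const e = bySrc.get(r.src) || { reasons: new Set(), times: [] };
    reasons.forEach((x) => e.reasons.add(x));
    e.times.push(r.ts);
    bySrc.set(r.src, e);
  }
  return [...bySrc.entries()].map(([src, e]) => {
    const t = e.times.sort((a, b) => a - b);
    const gaps = t.slice(1).map((v, i) => v - t[i]);
    // Need at least two intervals before calling traffic periodic.
    const periodic = gaps.length >= 2 &&
      gaps.every((g) => Math.abs(g - period) <= tolerance);
    return { src, hits: t.length, reasons: [...e.reasons].sort(), periodic };
  });
}

console.log(detectBeacons(SAMPLE_LOG));
```

A source that matches only the user-agent (the kiosk in the sample) is a lead to triage; a source that also matches the host or path and shows the regular interval is the stronger signal.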

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.

  • ✇Malwarebytes
  • Axios supply chain attack chops away at npm trust

Axios supply chain attack chops away at npm trust

March 31, 2026, 11:53

Researchers found that compromised Axios versions installed a Remote Access Trojan.

Axios is a promise-based HTTP Client for node.js, basically a helper tool that developers use behind the scenes to let apps talk to the internet. For example, Axios makes requests such as “get my messages from the server” or “send this form to the website” easier and more reliable for programmers and it saves them from having to write a lot of low‑level networking code themselves.

Since it works both in the browser and on servers (Node.js), a lot of modern JavaScript‑based projects include it as a standard building block. Even if you never install Axios yourself, you might indirectly run into it when you:

  • Use web apps built with frameworks like React, Vue, or Angular.
  • Use mobile apps or desktop apps built with web technologies like Electron, React Native, and others.
  • Visit smaller Software-as-a-Service (SaaS) tools, admin panels, or self‑hosted services built by developers who picked Axios.

You could compare it to the plumbing in your house. Usually you don’t notice the pipes, but they bring the water to where you open a faucet. And you don’t need to know where they are until a leak occurs.

What happened?

Using compromised credentials of a lead maintainer of Axios, an attacker published poisoned packages to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code.

Together, the two affected packages reach up to 100 million weekly downloads on npm, which gives the compromise a huge impact radius across web apps, services, and pipelines.

It is important to note that the affected Axios versions do not appear in the project’s official GitHub tags. This means that the people and projects affected are developers and environments that ran an npm install that resolved to:

  • axios@1.14.1 or axios@0.30.4, or
  • the dependency plain-crypto-js@4.2.1.

Any workflow that installed one of those versions with scripts enabled may have exposed all injected secrets (cloud keys, repo deploy keys, npm tokens, etc.) to an interactive attacker, because the postinstall script (node setup.js) that runs automatically on npm install downloaded an obfuscated dropper that retrieves a platform‑specific RAT payload for macOS, Windows, or Linux.

If you are a developer deploying Axios, treat any machine that installed the bad versions as potentially fully compromised and rotate secrets. The attacker may have obtained repo access, signing keys, API keys, or other secrets that can be used to backdoor future releases or attack your backend and users.

Users of apps built with Axios do not have any direct reason to worry. If you’re just loading your app in a browser, you’re not directly executing this RAT via Axios. The infection path is the install/build step, not app runtime.

Indicators of Compromise (IOCs)

As the researchers pointed out, the malware dropper cleans up after itself:

“Any post-infection inspection of node_modules/plain-crypto-js/package.json will show a completely clean manifest. There is no postinstall script, no setup.js file, and no indication that anything malicious was ever installed. Running npm audit or manually reviewing the installed package directory will not reveal the compromise.”

What you can look for, then, are these IOCs:

Domain: sfrclak[.]com

IP address: 142.11.206.73

(both blocked by Malwarebytes products)

Files:

  • macOS: /Library/Caches/com.apple.act.mond
  • Linux: /tmp/ld.py
  • Windows: %PROGRAMDATA%\wt and %TEMP%\6202033.vbs/.ps1 which only exist briefly during execution

Malicious npm packages:

axios@1.14.1 sha-256 checksum: 2553649f2322049666871cea80a5d0d6adc700ca

axios@0.30.4 sha-256 checksum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71

plain-crypto-js@4.2.1 sha-256 checksum: 07d889e2dadce6f3910dcbc253317d28ca61c766
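Since the quoted report says the installed package directory looks clean afterwards, the check for the affected versions described above (and in the earlier "To check if you’re affected" and "What Defenders Should Do Now" passages) can be run against the lockfile instead. This is an added example, not code from Malwarebytes, Socket or Aikido: it scans a parsed package-lock.json in either the v1 nested layout or the v2/v3 flat layout, including nested and bundled copies. It assumes the lockfile was written by the affected install and not altered afterwards; `scanLockfile`, `SAMPLE_LOCK` and the sample package names other than axios and plain-crypto-js are constructed.

```javascript
// Added example (not from the cited reports): flag the packages named in the
// advisories inside a parsed package-lock.json object.
const BAD_VERSIONS = new Map([['axios', new Set(['1.14.1', '0.30.4'])]]);
const BAD_PACKAGES = new Set(['plain-crypto-js']); // any version counts as a hit

// "node_modules/a/node_modules/@scope/pkg" -> "@scope/pkg"
function nameFromPath(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// lockfileVersion 1: nested "dependencies" tree, declared deps under "requires".
function* walkV1(deps, trail) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    yield { where: path.join(' > '), name, version: info.version,
            declares: Object.keys(info.requires || {}) };
    yield* walkV1(info.dependencies, path);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function* entries(lock) {
  if (!lock.packages) { yield* walkV1(lock.dependencies, []); return; }
  for (const [key, info] of Object.entries(lock.packages)) {
    yield { where: key || '(root)', name: info.name || nameFromPath(key),
            version: info.version, declares: Object.keys(info.dependencies || {}) };
  }
}

function scanLockfile(lock) {
  const findings = [];
  for (const e of entries(lock)) {
    const base = { where: e.where, name: e.name, version: e.version };
    const badSet = BAD_VERSIONS.get(e.name);
    if (BAD_PACKAGES.has(e.name)) {
      findings.push({ ...base, reason: 'malicious package resolved' });
    } else if (badSet && badSet.has(e.version)) {
      findings.push({ ...base, reason: 'compromised release' });
    }
    // A tampered or bundled copy can still be caught by what it declares.
    for (const dep of e.declares) {
      if (BAD_PACKAGES.has(dep)) findings.push({ ...base, reason: `declares ${dep}` });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 layout).
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0', express: '^4.19.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '^4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/some-tool/node_modules/axios': { version: '0.30.3' },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `scanLockfile`; an empty result says nothing about lockfiles that were regenerated after the takedown.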



Hackers Poison Axios npm Package with 100 Million Weekly Downloads

Axios npm Package compromised in a supply chain attack, exposing developers to malware, data theft, and full system takeover risks worldwide.