On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored on when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.

It takes a single page load on a compromised Ukrainian government site, no tap, no download, no warning — and an iPhone running iOS 18.4 through 18.6.2 hands over its messages, photos, passwords, Telegram history, iCloud files, and cryptocurrency wallet keys to an attacker halfway across the world, then erases every trace of the intrusion within minutes.

That is DarkSword. And it has already spread to at least four countries.

On Wednesday, Google Threat Intelligence Group (GTIG), mobile security firm Lookout and device integrity company iVerify published coordinated research disclosing a new iOS full-chain exploit kit they named DarkSword — a name taken directly from a variable buried inside the malware's own code: const TAG = "DarkSword-WIFI-DUMP". The three organizations collaborated across separate discovery threads, with each contributing distinct pieces of a deeply alarming picture.

DarkSword in the Hands of Spyware Vendors and State Actors

GTIG tracked DarkSword deployments since at least November 2025, identifying multiple distinct threat actors — including commercial surveillance vendors and suspected state-sponsored groups — deploying the same exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. The chain leverages six vulnerabilities across iOS 18.4 through 18.7, and all six have now been patched in iOS 26.3, though most arrived in earlier updates. Apple was notified by GTIG in late 2025.

Studying the Exploit Chain

The exploit chain's entry point for Ukrainian targets sits inside two compromised websites, novosti[.]dn[.]ua, a news portal, and 7aac[.]gov[.]ua, a Ukrainian government domain. Both sites contained an invisible malicious iframe injected by attackers, which silently loaded exploit code hosted on a server in Estonia. That server only delivered the payload to devices having Ukrainian IP addresses — a deliberate geofencing technique that reduces exposure, frustrates researchers, and increases the operational window before detection.

Once Safari loaded the iframe, DarkSword executed a disciplined, multi-stage attack entirely in JavaScript — a design choice that is itself significant. There is no binary implant, no Mach-O library injected into processes, no traditional malware artifact that endpoint detection logic would expect to find.

The chain breaks out of WebKit's WebContent sandbox, uses WebGPU to inject into a background media process called mediaplaybackd, builds arbitrary kernel read-write access from there, and then uses that access to lift sandbox restrictions across the device's most privileged processes — including configd, wifid, securityd, and UserEventAgent.

The final payload orchestrator, pe_main.js, then injects targeted data-theft modules into each of these processes before staging everything in accessible filesystem locations and exfiltrating the complete collection to a command-and-control server. The staged files are then deleted and the process exits cleanly.

The entire dwell time on a victim device measures in minutes. GTIG has identified three distinct malware families delivered following successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

What DarkSword steals covers almost every surface of a modern iPhone. SMS and iMessage content, call history, address book, WiFi passwords, Safari browsing history and cookies, location history, health data, photos, iCloud Drive, emails, saved passwords, WhatsApp and Telegram message histories, and the complete list of installed applications.

Most unusually for a state-adjacent espionage tool, DarkSword specifically targets cryptocurrency wallets like Coinbase, Binance, Kraken, Kucoin, Ledger, Trezor, MetaMask, and Exodus, among others. Lookout assesses this as evidence of a financially motivated dimension to the threat actor's operations, distinct from conventional cyber espionage.

The Six Vulnerabilities Underneath DarkSword

DarkSword's power derives from chaining six distinct flaws across different layers of iOS, each one unlocking the next stage of access.

The remote code execution stage exploited two memory corruption vulnerabilities in JavaScriptCore — the JavaScript engine that powers WebKit and Safari. The first, CVE-2025-31277, formed the foundation of the earliest observed DarkSword deployments targeting iOS 18.4 and 18.5.

A second JavaScriptCore memory corruption bug, CVE-2025-43529, was added in a later iteration of the kit targeting iOS 18.6, giving operators redundant entry points across a wider version range. Both bugs enable an attacker to corrupt memory through a malicious webpage alone, requiring no interaction from the victim beyond the page load itself.

Alongside either RCE exploit, DarkSword chains CVE-2026-20700, a Pointer Authentication Code (PAC) bypass in dyld — the dynamic linker responsible for loading code into Apple processes. PAC is a hardware-level security feature Apple introduced specifically to prevent attackers from hijacking code execution; bypassing it is a prerequisite for the deeper access DarkSword achieves. The remaining three vulnerabilities handle the sandbox escape and privilege escalation stages, progressively dismantling iOS security boundaries until the attacker holds unrestricted kernel read-write access across the entire device.

Apple addressed the vulnerabilities on a rolling basis rather than in a single emergency patch, reflecting the staggered pace at which researchers discovered each flaw. CVE-2025-31277 and CVE-2025-43529 received fixes in iOS 26.1 and iOS 26.2 respectively, while CVE-2026-20700 and the remaining privilege escalation vulnerabilities were closed with iOS 26.3.

The final complete remediation, covering all six DarkSword vulnerabilities, landed in iOS 18.7.3 for devices on the iOS 18 branch. The gap between the earliest known DarkSword deployment in November 2025 and the final patch in iOS 26.3 represents a window of roughly four months during which the full chain operated against unpatched devices.

The Evolution of DarkSword Under Various Threat Actors

The infrastructure analysis by Lookout revealed an important link to a prior campaign. The delivery domain cdncounter[.]net shares nameservers, registrar, registration date, and IP resolution overlap with uacounter[.]com, a domain GTIG previously tied to UNC6353 — a suspected Russian espionage group that also used the earlier Coruna iOS exploit kit against Ukrainian targets. The same Ukrainian government domain that hosted DarkSword delivery code had previously distributed Coruna. GTIG has now observed UNC6353 incorporating DarkSword into its watering hole campaign repertoire alongside its previous toolkit.

Also read: How Russia-Linked Spies Turned Everyday Websites into Surveillance Traps aka ‘Watering Hole’

Perhaps the most significant finding across all three research publications is not the sophistication of any single vulnerability, but what the proliferation of DarkSword across multiple unrelated threat actors reveals about the commercial exploit market. Code comments written in Russian appear in the early infrastructure stages; code in subsequent exploit stages switches to English — consistent with a tool built by one developer and sold or transferred to multiple buyers. References to iOS 17.4.1 and 17.5.1 in portions of the code indicate this kit evolved from an earlier version, suggesting an ongoing commercial development and distribution pipeline rather than a one-time build.

Lookout states the threat actor likely gained access to an exploit and post-exploitation toolkit built by a third party. The nation-state grade iOS zero-day chains, which were once assumed exclusive to Tier 1 commercial surveillance vendors supplying governments, now circulate in a secondary market accessible to actors with narrower resources and mixed motives, including financial crime.

Devices running iOS 18.7.3 or iOS 26.3 and later are not vulnerable. Google has added DarkSword delivery domains to Safe Browsing. For devices that cannot be updated immediately, Apple's Lockdown Mode reduces the available attack surface.