On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments. The malicious versions were live for approximately three hours. An estimated 600,000 downloads occurred during that window with no user interaction required beyond a routine npm install.
SentinelOne protects against this attack, demonstrating why autonomous, layered defense at machine speed is not optional when adversaries operate at this velocity. In this attack, the first infection was observed 89 seconds after publication. At that pace, manual workflows do not have a response window. They have a spectator seat.
For SentinelOne’s customers and partners, here’s a quick overview of the compromise, SentinelOne’s response, and steps you can take to further protect your environment.
What Happened: The Anatomy of a State-Level Supply Chain Weapon
The attacker, tracked as UNC1069 by Google Threat Intelligence and Sapphire Sleet by Microsoft, compromised maintainer credentials and published [email protected] (tagged “latest”) and [email protected] (tagged “legacy”). Each version introduced a single new dependency: [email protected], a purpose-built trojan. The malicious package’s postinstall hook silently deployed a cross-platform RAT communicating over HTTP to C2 infrastructure at sfrclak[.]com (142.11.206[.]73), commonly being referred to as WAVESHAPER.V2.
The operational sophistication was striking. The attacker pre-staged a clean version of plain-crypto-js 18 hours before detonation to evade novelty-based detection. Publication occurred just after midnight UTC on a Sunday to maximize the response window. The malware self-deleted after execution, swapping its malicious package.json for a clean stub, leaving forensic evidence only in lockfiles and audit logs.
Most critically, Axios had adopted OIDC Trusted Publishing, the post-Shai-Hulud hardening measure npm promoted as the solution to credential-based attacks. But the OIDC configuration coexisted with a long-lived npm access token. npm’s authentication logic prioritizes environment variable tokens over OIDC when both are present. The attacker stole the legacy token and bypassed every modern control the project had in place.
The issue is architectural: security controls that coexist with the mechanisms they are meant to replace provide a false sense of protection. Axios had Trusted Publishing, SLSA provenance, and GitHub Actions workflows. None of it mattered because the old key was still under the mat.
How SentinelOne Is Protecting Customers
Behavioral Detection via the Lunar Engine
SentinelOne’s Lunar behavioral engine detects the renamed binary execution technique central to the Windows attack chain, in which PowerShell is copied to %PROGRAMDATA%\wt.exe and executed under a disguised process. The RenamedBinExecution logic catches this behavior regardless of the specific payload hash, providing durable detection against variants.
Global Hash Blocklist
All known stage payloads, malicious npm package tarballs, and RAT binaries across Windows, macOS, and Linux have been added to the SentinelOne Cloud blocklist with a globally blocked reputation status. This provides immediate protection for all customers with cloud-connected agents.
Wayfinder Threat Hunting
The Wayfinder Threat Hunting team executed proactive hunts across all MDR regions and operating systems using Axios-specific IOCs, including DNS queries to sfrclak[.]com, file artifacts (com.apple.act.mond, /tmp/ld.py, wt.exe), and consolidated hash sets. All true positive findings generate console alerts, with MDR customers receiving direct analyst engagement and escalation.
Sustained Research on This Threat Actor
SentinelLabs has tracked BlueNoroff, the DPRK-linked threat cluster with significant overlap to UNC1069, across multiple campaigns targeting macOS and credential theft operations. The WAVESHAPER.V2 macOS binary recovered from the Axios compromise carries the internal project name “macWebT,” a direct lineage marker to BlueNoroff’s documented webT module. SentinelLabs published detailed analysis of this tooling family in 2023 when RustBucket first emerged as a macOS-targeted campaign, and again in 2024 when BlueNoroff shifted to fake cryptocurrency news as a delivery mechanism with novel persistence techniques.
- BlueNoroff: How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
- BlueNoroff Hidden Risk: Threat Actor Targets Macs with Fake Crypto News and Novel Persistence
The initial access vector matters here, too. In March 2026, Google Threat Intelligence reported that UNC1069 leverages ClickFix, a social engineering technique that weaponizes user verification fatigue, as an initial access vector for credential harvesting. SentinelLabs had already published a detailed analysis of ClickFix techniques and their use in delivering RATs and infostealers before Google’s attribution dropped.
The behavioral detections that caught the Axios compromise were built on this accumulated intelligence, not written after the fact.
Live Security Updates (LSU)
Customers with LSU enabled receive real-time detection updates without waiting for agent releases, ensuring coverage evolves as fast as the threat intelligence does. This is critical for rapidly evolving supply chain campaigns where new IOCs emerge hourly.
What You Should Do Now
Supply chain compromise exploits the inherent trust enterprises place in their software delivery infrastructure. When that trust is weaponized by a state-level actor, the response must be both immediate and structural.
- Audit and contain. Search all environments for
[email protected]and[email protected]. Treat any system that installed either version during the exposure window as fully compromised. Rebuild from known-good images rather than attempting in-place cleanup. - Rotate every credential the endpoint could reach. npm tokens, SSH keys, CI/CD secrets, cloud provider keys, and API tokens accessible from impacted systems must be rotated immediately. The RAT was designed to harvest exactly these credential types.
- Pin dependencies and enforce lockfiles. Use
npm ci(notnpm install) in all CI/CD pipelines. Commit and audit lockfiles. Organizations using strict lockfile discipline were protected even during the three-hour exposure window. This is the single most actionable control. - Eliminate legacy npm tokens. Inventory all long-lived tokens across the organization. Migrate to OIDC Trusted Publishing and revoke legacy tokens entirely. Do not leave them as fallbacks. The coexistence of old and new authentication is what this attack exploited.
- Harden detection policy. Ensure Behavioral AI and Documents & Scripts engines are set to Protect (On Execute). Avoid broad exclusions for developer tools like
node.exeornpm. Enable LSU for real-time detection updates. - Extend endpoint coverage to developer workstations and CI runners. These environments have access to production secrets, deployment credentials, and code signing infrastructure. They are typically less monitored than production servers. DPRK has recognized this asymmetry and is systematically exploiting it.
- Hunt proactively. Use Deep Visibility to search for DNS queries to
sfrclak[.]com, connections to142.11.206[.]73, and the presence ofplain-crypto-jsin anynode_modulesdirectory. SentinelOne’s 2025 Annual Threat Report documents how supply chain attacks are part of a broader pattern where adversaries are “shifting left” to subvert the build process itself, compromising software before it ever reaches production.
Practitioner Investigative Guide
In addition to the strategic recommendations above, here are some specific queries, file paths, and commands you can execute now to protect your environment.
Determine Blast Radius
Your first job is to answer one question: did any system in my environment pull a compromised Axios version during the March 31 exposure window (00:21 – 03:25 UTC)?
In the SentinelOne Console:
- Open the Wayfinder alert queue. Look for the alert name “Axios NPM Supply Chain Compromise” (Wayfinder retroactive rule). If these alerts are not visible under default filters, switch the alert type from “EDR” to “All”, as these surface as Custom/STAR alerts.
- For each alert, review the Storyline and process tree. The typical chain looks like this:
- Developer process (VS Code, Electron, Node, Yarn, npx) →
node→setup.jsunderplain-crypto-js→curldownload fromsfrclak[.]com:8000/6202033→ OS-specific payload execution
- Developer process (VS Code, Electron, Node, Yarn, npx) →
- Classify the affected asset: developer workstation, CI/CD runner, or production server. This drives urgency. Shared CI runners imply wider blast radius because multiple teams and credential sets may be exposed.
Deep Visibility / Event Search hunts to run immediately:
| What You’re Looking For | Query Pattern |
| C2 DNS resolution | #dns contains:anycase 'sfrclak.com' |
| C2 IP connection | #ip contains '142.11.206.73' |
| Malicious dependency on disk | File path contains
|
| macOS RAT binary | File path: /Library/Caches/com.apple.act.mond |
| Linux loader | File path: /tmp/ld.py |
| Windows payload | File path: %PROGRAMDATA%\wt.exe |
| Renamed PowerShell execution | Lunar detection: RenamedBinExecution |
Run hash hunts against consolidated IOC lists even if the global blocklist is already active. Historic hits help you quantify which systems were exposed and when.
Contain and Kill
For every system with confirmed Axios-related activity:
- Mark the Storyline as Threat in the SentinelOne Console. Confirm that remediation commands (Kill + Quarantine) executed successfully.
- Network-isolate the endpoint if the C2 connection succeeded (outbound to
sfrclak[.]comor142.11.206[.]73). Check for any secondary tooling or persistence beyond the initial RAT. - Block at the perimeter. Add the following to your firewall, proxy, and DNS blocklists:
- Domain:
sfrclak[.]com - IP:
142.11.206[.]73 - Port:
8000
- Domain:
- Check for persistence mechanisms:
- Windows: Registry key “Microsoft Update” (used by the RAT for persistence), presence of
6202033.vbsor6202033.ps1 - macOS: Any process spawned from
/Library/Caches/com.apple.act.mond, AppleScript execution from /var/folders/.../6202033 - Linux: Active
python3processes running/tmp/ld.py,nohupwrappers
- Windows: Registry key “Microsoft Update” (used by the RAT for persistence), presence of
Credential Rotation and Dependency Cleanup
Assume every credential accessible from a confirmed-compromised endpoint is stolen. The RAT was built to harvest them.
Credential rotation checklist:
- npm access tokens (revoke and reissue)
- SSH keys (regenerate keypairs, update
authorized_keyson all targets) - CI/CD pipeline secrets (GitHub Actions secrets, GitLab CI variables, Jenkins credentials)
- Cloud provider keys (AWS access keys, GCP service account keys, Azure SPN secrets)
- API keys and
.envfile contents - Git signing keys and code signing certificates if accessible from the endpoint
Dependency cleanup (all environments):
- Pin Axios to known-good versions:
[email protected](1.x branch) or[email protected](legacy branch) - Delete
node_modules/plain-crypto-js/wherever it exists - Run
npm cache clean --force(or equivalent for Yarn/pnpm) on all affected build environments - Reinstall cleanly using
npm ci --ignore-scriptsduring the cleanup period to prevent any other postinstall hooks from executing - Audit your
package-lock.json/yarn.lock/pnpm-lock.yamlfor any reference toplain-crypto-js. Its presence in a lockfile is a forensic indicator that the compromised version was resolved, even if the malware self-deleted.
Harden and Validate
Policy hardening:
- Confirm Behavioral AI engine is set to Protect (On Execute), not Detect-only
- Confirm Documents & Scripts engine is set to Protect (On Execute)
- Review and remove any broad exclusions for
node.exe,npm,yarn,python3, or developer IDEs - Verify LSU (Live Security Updates) is enabled. Customers on Fed/OnPrem environments without LSU access should confirm they are on the latest Service Pack
- Confirm the SentinelOne agent is deployed on all developer workstations and CI/CD runners, not just production servers
Validation sweep:
- Run a full disk scan on every endpoint that was in the blast radius
- Verify no new users, services, or scheduled tasks were created during the exposure window
- Confirm that network blocks for C2 infrastructure are active and logging hits
- Re-run the Deep Visibility hunts from Hour 0-1 to verify no new activity has appeared
Key IOC Reference Card
Keep this card accessible for your team during the response.
Malicious packages:
| Package | SHA-1 |
[email protected] |
2553649f2322049666871cea80a5d0d6adc700ca |
[email protected] |
d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 |
[email protected] |
07d889e2dadce6f3910dcbc253317d28ca61c766 |
C2 infrastructure:
| Indicator | Value |
| Domain | sfrclak[.]com |
| IP | 142.11.206[.]73 |
| Port | 8000 |
| URL pattern | hxxp[://]sfrclak[.]com:8000/6202033 |
| RAT User-Agent | mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) |
File artifacts by OS:
| OS | Artifact | Path |
| macOS | RAT binary | /Library/Caches/com.apple.act.mond |
| macOS | Temp script | /var/folders/.../6202033 |
| Windows | Renamed PowerShell | %PROGRAMDATA%\wt.exe |
| Windows | Stage 1 | system.bat |
| Windows | Stage 2 | 6202033.ps1 |
| Windows | VBS launcher | 6202033.vbs |
| Linux | Python loader | /tmp/ld.py |
RAT beacon behavior: HTTP POST every 60 seconds, Base64-encoded JSON, two-layer obfuscation (reversed Base64 + XOR with key OrDeR_7077, constant 333). The IE8/Windows XP User-Agent string is anachronistic and serves as a strong network-level detection indicator.
SentinelLabs Expanded Indicators:
| Indicator | Value | Note |
| nrwise@proton[.]me | Involved in supply chain compromise. | |
| ifstap@proton[.]me | Involved in supply chain compromise. | |
| Domain | callnrwise[.]com | Domain overlaps with email scheme and infrastructure design from confirmed C2 domain. |
| Domain | focusrecruitment[.]careers | Overlapping domain registration details and timeline. Medium Confidence |
| Domain | chickencoinwin[.]website | Overlapping domain registration details and timeline. Medium Confidence |
The Structural Problem Is Bigger Than Axios
The progression from event-stream (2018, individual actor) to Shai-Hulud (2025, self-replicating worm across 500+ packages) to Axios (2026, DPRK state actor with multi-vendor attribution from SentinelOne, Google, and Microsoft) is not a series of isolated incidents. It is a clear escalation in adversary sophistication and strategic intent. North Korean threat actors stole $2.02 billion in cryptocurrency in 2025 alone, a 51% increase year-over-year, and the Axios RAT harvests exactly the credential types that feed that revenue pipeline.
Developer environments are now a Tier 1 attack surface. The organizations that treat them as anything less are operating with a structural blind spot that state-level adversaries have already mapped.
SentinelOne’s Autonomous Security Intelligence framework delivers what this moment requires: AI-native protection that detects and contains threats at machine speed, human expertise through Wayfinder MDR that translates alerts into confident action, and a unified platform that eliminates the fragmented visibility where supply chain attacks hide. When the next three-hour window opens, the question is whether your defense moves faster than the attacker. With SentinelOne, it does.
Disclaimer: All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third party.
