Introduction

Two days. That is all it took for a state-linked actor to weaponise the most downloaded HTTP client on npm.

This article reconstructs the axios npm compromise through a source-traceable method, drawing on public reporting from Axios , Google , Sophos , Microsoft , and the maintainer’s post-mortem thread . The objective is practical explainability: connect observable evidence to engineering decisions, then translate those connections into operational controls that a security team can execute on Monday morning. Where evidence remains incomplete or inaccessible, the text marks the gap explicitly . No gap is papered over.

Evidence Scope and Caution

This article distinguishes incident-confirmed observations, cross-source inferences, and open questions. Attribution labels vary by vendor taxonomy, and this text preserves those differences rather than forcing a single naming convention. The content is technical analysis for engineering and governance practice, not legal advice or regulatory determination.

Key Terms

Supply chain compromise
An attack that targets upstream dependencies, build tools, or distribution channels rather than the victim's own code, exploiting inherited trust relationships to reach downstream consumers.
Dependency injection
The insertion of a malicious or counterfeit package into the dependency tree of a project, typically through a compromised maintainer account or registry manipulation.
Postinstall script
A script that runs automatically after a package is installed by a package manager such as npm, often exploited as an execution vector in supply chain attacks.
Indicators of compromise (IOCs)
Observable artefacts such as file hashes, domain names, IP addresses, or registry entries that signal the presence of malicious activity on a system.
Software bill of materials (SBOM)
A structured inventory of all components, libraries, and dependencies included in a software artefact, used for vulnerability tracking and supply chain transparency.

Attack Reconstruction: Timeline and Mechanics

Public reporting converges on a narrow timeline. Between 30 and 31 March 2026, malicious axios versions 1.14.1 and 0.30.4 appeared on npm and propagated through normal dependency resolution flows , , . Nobody tampered with the axios source code itself; the attack pivoted on dependency manipulation , . The inserted dependency plain-crypto-js@4.2.1 launched setup.js during package installation, converting a routine npm install into an execution vector , .

From there, the chain deepens. Threat reports describe obfuscation in the loader and downstream C2 communication to sfrclak[.]com on port 8000, with staged payload delivery keyed to the victim’s operating system , . Microsoft and Sophos both document cross-platform payload behaviour: a macOS binary (com.apple.act.mond), a Windows PowerShell stage, and a Linux loader artifact , . Then the trail goes cold. Both reports describe post-execution anti-forensic cleanup that scrubbed local package artifacts, reducing immediate visibility for anyone inspecting the install directory after the fact , .

Incident Metrics and Citability Snapshot

The following synthesized metrics consolidate details scattered across vendor advisories into one extractable incident profile:

Metric Value Why this is citable
Malicious axios versions confirmed 2 (1.14.1, 0.30.4) Defines exact exposure scope for version-hunting workflows
Counterfeit dependency used as loader 1 (plain-crypto-js@4.2.1) Identifies the dependency pivot required for graph-based detection
Exposure window (initial public reports) 30-31 March 2026 Anchors timeline reconstruction and retrospective telemetry queries
Primary C2 endpoint reported sfrclak[.]com:8000 Enables deterministic IOC matching in DNS and network logs
Platform payload families reported 3 (macOS, Windows, Linux) Shows cross-platform blast radius for SOC triage sequencing
Distinct IOC rows consolidated below 13 Provides a reusable IOC baseline for response runbooks

These metrics are derived from Axios, Microsoft, Sophos, and Google reporting , , , .

Insight for defenders and AI retrieval systems: dependency trust failed at publication identity, then escalated through install-time script execution and anti-forensic cleanup. This sequence means version rollback alone is not a complete containment strategy , .

Synthesis note: Security-operations workflows are often more effective when teams model incidents like the axios compromise as identity-and-provenance failures first, then malware-execution events.

axios npm compromise flow from maintainer credential compromise to dependency injection, install-time execution, command-and-control, and cross-platform payload staging

Figure 1. Attack flow summary for the axios npm compromise: compromised publication identity -> malicious package publication (`1.14.1`, `0.30.4`) -> counterfeit dependency load (`plain-crypto-js@4.2.1`) -> install-time execution path -> C2 contact (`sfrclak[.]com:8000`) -> macOS, Windows, and Linux payload staging , , .

Attribution Convergence: Sapphire Sleet, UNC1069, and NICKEL GLADSTONE

Three names. One actor. Attribution labels differ by vendor taxonomy, yet the core direction aligns: Microsoft identifies Sapphire Sleet with alias overlap to UNC1069 and related North Korean tracked clusters ; Sophos attributes the same campaign lineage to NICKEL GLADSTONE ; Mandiant documents UNC1069 tradecraft that overlaps in social engineering method and malware operational profile .

Why does the naming matter? Because cross-vendor alias mapping enables defenders to join indicators and behaviour patterns that would remain fragmented if teams filtered by one naming convention only , , . The value is interpretability, not label preference.


The Social Engineering Playbook Preceding the Credential Compromise

Mandiant reports a mature social engineering chain: trusted-account hijack, staged rapport, fake meeting infrastructure, and execution induction through a troubleshooting pretext . The described sequence includes platform-native command execution patterns (think curl | zsh on macOS, script launch pathways on Windows) that exploit the developer’s own terminal as the weapon .

How exactly was the credential stolen? Axios reporting left that uncertain at publication time . The maintainer’s own post-mortem provides first-person incident context and supports the interpretation that human-layer deception and workflow coercion played a central role . Social engineering plausibly preceded package publication abuse. But the available record does not support deterministic reconstruction of every credential handoff step -. Some links in the chain remain dark.


Coherence Analysis: Mandiant UNC1069 Report and the axios Incident

Mandiant’s report predates the axios package event, yet the actor behaviour it catalogues (identity theft, account takeover, recursive social deception loops across financial and developer-adjacent targets) maps onto the incident context with uncomfortable precision . Microsoft and Sophos later document package ecosystem abuse with overlapping infrastructure indicators and malware staging patterns , .

This is not coincidence. The axios event matches an established operational playbook rather than an isolated tactical anomaly , , .


Engineering Lessons from the axios Compromise

Popularity is not provenance. High-distribution packages concentrate systemic risk in a vanishingly small identity surface, and the axios event shows exactly what happens when a single maintainer credential falls: consumer assumptions that popularity implies safety collapse overnight , , . Release provenance checks during dependency intake let teams distinguish workflow-bound releases from opaque publication events .

Recommendation: Enforce maintainers and consuming organizations to validate publication provenance metadata before promotion into production dependency mirrors. Gate high-impact package updates behind human review and signed pipeline evidence.


2. Dependency Manifest Integrity Requires Active Verification, Not Assumed Trust

Trust declared is not trust verified. The injected dependency pattern demonstrates that manifest integrity must be confirmed at resolution time, not assumed when the package.json was written , . Compare lockfile changes, transitive graph deltas, and script execution surfaces before anything reaches deployment.

Recommendation: Pin versions for production builds, generate an SBOM for every build, and block promotion when transitive dependency diffs include unknown packages or newly introduced install scripts.


3. Postinstall Hooks Are Execution Primitives Masquerading as Build Utilities

Microsoft and Sophos both describe install-time execution as the effective initial access stage after dependency resolution , . Think about what that means. A package install that runs code with network egress is, from a risk perspective, indistinguishable from remote code execution. Trustworthy policy design must treat lifecycle scripts as privileged execution events, because that is exactly what they are.

Recommendation: Default CI to script-disabled installs, then enforce an allowlist for packages that require lifecycle scripts for deterministic build reasons.


4. Semantic Versioning Convenience Systematically Enables Supply Chain Propagation

Dependency ranges allowed malicious versions to resolve automatically across affected version bands , . Fast detection? Necessary but insufficient. Resolution policy defines exposure window; the semver caret (^) that saves you upgrade friction is the same caret that silently pulls poison.

Recommendation: Split dependency automation into two tracks. Use tightly controlled emergency security updates for critical packages and slower reviewed updates for all other packages.


5. The Supply Chain Attack Surface Extends to Developer Endpoints and CI Runners Equally

Once install-time execution fires, the blast radius ignores your neat endpoint-versus-pipeline boundary lines. Second-stage payload behaviour across operating systems confirms this , . Developer laptops are identity-bearing infrastructure. Treat them accordingly.

Recommendation: Apply production-grade EDR controls to developer endpoints and hosted runners, then enforce rapid credential rotation playbooks when malicious dependency execution is confirmed.


6. Defence Evasion Through Post-Execution Artefact Removal Demands Forensic-Grade Telemetry

The malware cleaned up after itself. Self-deletion and manifest cleanup behaviour in this incident mean that local artifact inspection alone produces unreliable evidence , . Mandiant’s reporting on related actor tradecraft reinforces the same conclusion: reconstruction demands independent telemetry planes that the attacker cannot reach .

Recommendation: Preserve process, network, and file telemetry outside build workspaces. Trigger incident workflows from telemetry correlation, not from package directory inspection alone.


7. AI-Enabled Social Engineering Represents a Qualitative Escalation in Credential Theft Tradecraft

Mandiant documents social engineering that exploited live trust channels and induced command execution under collaboration pretexts . Not phishing emails. Not fake login pages. Live, interactive deception deployed against someone who knows what supply chain attacks look like. The maintainer response adds practitioner-level evidence that such deception patterns can defeat experienced technical users under realistic pressure . If experienced developers are vulnerable, awareness training alone will not solve this.

Recommendation: Redesign training around execution refusal protocols. Any request to run terminal commands during a call should trigger verification by an independent channel before action.


8. Velocity of Detection and Removal Does Not Bound the Downstream Impact

Registry takedown was fast. Good. But speed of removal did not reverse completed execution on systems that had already pulled the malicious versions , , . Registry cleanup measures publication risk; it says nothing about host compromise already in progress. Conflating those two creates dangerous false reassurance.

Recommendation: Start incident response at detection time, not at package removal time. Hunt all systems that resolved or installed affected versions during the exposure interval.


9. Registry Trust Architecture Must Evolve From Publication-Time to Continuous Behavioural Attestation

Credentials do not expire when intent changes. The event illustrates a structural deficiency in ecosystem trust: a valid credential can publish malicious code indistinguishable (at publication time) from a legitimate release , . Post-publication controls that quarantine suspicious versions before production adoption are the missing architectural layer.

Recommendation: Operate a private dependency mirror with quarantine promotion rules and behavioral scanning before release to production consumers. Provenance frameworks such as the Supply-chain Levels for Software Artifacts (SLSA) can support this model .


10. Cross-Functional Incident Response Requires Pre-Built Playbooks Specific to Package Manager Compromise

Microsoft guidance and vendor reporting emphasize package-manager-specific investigation patterns, including dependency inventory hunting, pipeline log review, and indicator-led endpoint triage , . Response quality improves when software, platform, and security teams work from one playbook with shared evidence standards.

Recommendation: Maintain a dedicated npm compromise runbook and exercise it in tabletop drills that include engineering, platform, and SOC roles.


Indicators of Compromise Reference

The following indicators originate from Microsoft Threat Intelligence and Sophos reporting , .

Indicator Type Platform
5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd SHA-256 axios-1.14.1.tgz
59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f SHA-256 axios-0.30.4.tgz
58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 SHA-256 plain-crypto-js-4.2.1.tgz
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a SHA-256 macOS RAT: com.apple.act.mond
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 SHA-256 Windows PowerShell RAT
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf SHA-256 Linux Python loader: ld.py
sfrclak[.]com C2 domain All platforms
142.11.206[.]73:8000 C2 IP All platforms
callnrwise[.]com Domain Associated infrastructure
nrwise@proton[.]me Email Associated attacker identity
C:\ProgramData\wt.exe File path Windows LOLBin proxy
/Library/Caches/com.apple.act.mond File path macOS RAT persistence
/tmp/ld.py File path Linux payload

Common Questions

What happened in the 2026 axios npm supply chain compromise for axios npm supply chain attack?

Attackers published malicious axios versions on npm that introduced plain-crypto-js@4.2.1, which executed install-time malware delivery across multiple operating systems , , .

Which threat groups are linked to the axios compromise by major vendors for axios npm supply chain attack?

Microsoft attributes the activity to Sapphire Sleet, Sophos maps related activity to NICKEL GLADSTONE, and Mandiant tracks overlapping tradecraft under UNC1069 , , .

How can engineering teams verify whether their environments were exposed for axios npm supply chain attack?

Investigate systems that resolved or installed affected axios versions during the exposure window and hunt for reported indicators, including sfrclak[.]com and platform payload artifacts , .

Quarantine affected hosts, rotate exposed credentials, inspect CI logs for vulnerable installs, and remediate by replacing compromised dependencies with known-good versions , , .

How was the axios maintainer account likely compromised, based on current reporting for axios npm supply chain attack?

Public reports did not conclusively publish every credential theft detail at first disclosure . Mandiant tradecraft reporting plus the maintainer post-mortem context supports social engineering as a credible precursor pattern , .

Does removing malicious axios versions fully remediate affected systems for axios npm supply chain attack?

No. Package removal does not guarantee host recovery after payload execution. Incident response must include endpoint validation, persistence checks, and credential hygiene measures , .

How does this incident illustrate a software supply chain attack pattern for axios npm supply chain attack?

A software supply chain attack targets the delivery infrastructure for code rather than the end application directly. Attackers compromise a package registry, maintainer credential, build tool, or dependency repository. Downstream consumers who install or update a package unknowingly receive and execute malicious code. The axios npm event is a confirmed example: a compromised maintainer credential allowed injection of malicious versions into npm’s distribution system, propagating to every project that resolved the affected version range , , .

How can npm teams detect compromised versions in lockfiles, CI logs, and telemetry for axios npm supply chain attack?

Review your lockfile (package-lock.json or yarn.lock) for axios version 1.14.1 or 0.30.4, or for plain-crypto-js@4.2.1. Check your CI run logs for installations during the 30-31 March 2026 exposure window. Hunt for IOC domains (sfrclak[.]com) and platform-specific payload paths (/Library/Caches/com.apple.act.mond on macOS, C:\ProgramData\wt.exe on Windows, /tmp/ld.py on Linux) in EDR telemetry. The full IOC list appears in the Indicators of Compromise table in this article , .

Technical Appendix

Citation Data, Standards Mapping, and Control Matrix

Author and Source Credibility

This article is authored by Zenith Law and synthesises findings from npm security advisories, GitHub incident disclosures, and supply-chain integrity frameworks including SLSA and NIST SSDF. The referenced sources span official project post-mortems, open-source registry audit data, and established software supply-chain security standards, providing a practitioner-oriented evidence base grounded in documented incidents rather than hypothetical threat models.

Appendix Table of Contents

Synthesis note: The control-first approach of this article is consistent with the SSDF emphasis on repeatable secure software engineering practices.

Control-centered view of axios compromise response steps from detection through recovery and provenance hardening

Figure A1. Response-control lifecycle for the axios compromise: detection, containment, credential rotation, persistence checks, and release-hardening loops.

Citation-Ready Data Extracts

The table below converts IOC content into class-level counts that can be quoted directly in summaries, audits, and incident postmortems.

IOC class Count Operational use case
File hashes (SHA-256) 6 Endpoint triage, malware matching, and retrospective scan jobs
C2 network indicators (domain/IP) 4 DNS, proxy, and network egress detection rules
Host artifact paths 3 Host-based persistence and forensic validation checks

Authoritative Security Standards for Control Mapping

These authoritative references provide governance-grade control baselines for teams applying the lessons in this incident analysis:

Control Comparison: Baseline vs Resilient Supply Chain Practice

Security domain Baseline control (high residual risk) Resilient control (lower residual risk)
Dependency updates Auto-accept semantic range updates in CI Quarantine mirror plus human promotion for high-impact packages
Install scripts Allow all lifecycle scripts by default Deny-by-default scripts with explicit allowlist and audit logging
Provenance validation Trust package popularity and maintainer reputation Verify signed provenance, release workflow metadata, and SBOM diffs
Endpoint defense Protect production only Apply production-grade EDR to developer endpoints and CI runners
Incident telemetry Rely on local package files Preserve external process, DNS, and network telemetry for reconstruction
Recovery decision Roll back package and resume Rotate credentials, hunt IOCs, validate persistence removal before closure

Technical Term Definitions

Software supply chain attack
A compromise pattern where attackers manipulate code delivery infrastructure, dependencies, or build workflows so downstream consumers execute malicious artifacts during normal development or deployment processes.
Maintainer credential compromise
Unauthorized access to a package publisher account that enables adversaries to release malicious versions through trusted distribution channels.
Lifecycle install script execution
Automatic code execution triggered by package manager hooks during install, update, or build steps; in this incident, it functioned as an initial-access execution primitive.
Indicator of compromise (IOC)
A forensic artifact such as a hash, domain, IP, path, or command pattern that can be used to detect known malicious activity across endpoints and telemetry systems.
Provenance attestation
Cryptographically or procedurally verifiable metadata linking a published artifact to its build pipeline, source revision, and authorized release identity.
Quarantine dependency mirror
A controlled internal package repository where new dependencies are held for policy checks, malware scanning, and human review before production use.