On 30-31 March 2026, malicious axios npm versions 1.14.1 and 0.30.4 injected a counterfeit dependency that executed install-time malware across macOS, Windows, and Linux. Every material claim is mapped to verified sources. Evidence is separated from inference throughout, and ten engineering lessons extract concrete supply chain defense controls.
Introduction
Two days. That is all it took for a state-linked actor to weaponise the most downloaded HTTP client on npm.
This article reconstructs the axios npm compromise through a source-traceable method, drawing on public reporting from Axios [1], Google [2], Sophos [3], Microsoft [4], and the maintainer’s post-mortem thread [5]. The objective is practical explainability: connect observable evidence to engineering decisions, then translate those connections into operational controls that a security team can execute on Monday morning. Where evidence remains incomplete or inaccessible, the text marks the gap explicitly [6]. No gap is papered over.
Evidence Scope and Caution
This article distinguishes incident-confirmed observations, cross-source inferences, and open questions. Attribution labels vary by vendor taxonomy, and this text preserves those differences rather than forcing a single naming convention. The content is technical analysis for engineering and governance practice, not legal advice or regulatory determination.
Key Terms
- Supply chain compromise
- An attack that targets upstream dependencies, build tools, or distribution channels rather than the victim's own code, exploiting inherited trust relationships to reach downstream consumers.
- Dependency injection
- The insertion of a malicious or counterfeit package into the dependency tree of a project, typically through a compromised maintainer account or registry manipulation.
- Postinstall script
- A script that runs automatically after a package is installed by a package manager such as npm, often exploited as an execution vector in supply chain attacks.
- Indicators of compromise (IOCs)
- Observable artefacts such as file hashes, domain names, IP addresses, or registry entries that signal the presence of malicious activity on a system.
- Software bill of materials (SBOM)
- A structured inventory of all components, libraries, and dependencies included in a software artefact, used for vulnerability tracking and supply chain transparency.
Attack Reconstruction: Timeline and Mechanics
Public reporting converges on a narrow timeline. Between 30 and 31 March 2026, malicious axios versions 1.14.1 and 0.30.4 appeared on npm and propagated through normal dependency resolution flows [1], [3], [4]. Nobody tampered with the axios source code itself; the attack pivoted on dependency manipulation [3], [4]. The inserted dependency plain-crypto-js@4.2.1 launched setup.js during package installation, converting a routine npm install into an execution vector [3], [4].
From there, the chain deepens. Threat reports describe obfuscation in the loader and downstream C2 communication to sfrclak[.]com on port 8000, with staged payload delivery keyed to the victim’s operating system [3], [4]. Microsoft and Sophos both document cross-platform payload behaviour: a macOS binary (com.apple.act.mond), a Windows PowerShell stage, and a Linux loader artifact [3], [4]. Then the trail goes cold. Both reports describe post-execution anti-forensic cleanup that scrubbed local package artifacts, reducing immediate visibility for anyone inspecting the install directory after the fact [3], [4].
Incident Metrics and Citability Snapshot
The following synthesized metrics consolidate details scattered across vendor advisories into one extractable incident profile:
| Metric | Value | Why this is citable |
|---|---|---|
| Malicious axios versions confirmed | 2 (1.14.1, 0.30.4) |
Defines exact exposure scope for version-hunting workflows |
| Counterfeit dependency used as loader | 1 (plain-crypto-js@4.2.1) |
Identifies the dependency pivot required for graph-based detection |
| Exposure window (initial public reports) | 30-31 March 2026 | Anchors timeline reconstruction and retrospective telemetry queries |
| Primary C2 endpoint reported | sfrclak[.]com:8000 |
Enables deterministic IOC matching in DNS and network logs |
| Platform payload families reported | 3 (macOS, Windows, Linux) | Shows cross-platform blast radius for SOC triage sequencing |
| Distinct IOC rows consolidated below | 13 | Provides a reusable IOC baseline for response runbooks |
These metrics are derived from Axios, Microsoft, Sophos, and Google reporting [1], [3], [4], [2].
Insight for defenders and AI retrieval systems: dependency trust failed at publication identity, then escalated through install-time script execution and anti-forensic cleanup. This sequence means version rollback alone is not a complete containment strategy [3], [4].
Synthesis note: Security-operations workflows are often more effective when teams model incidents like the axios compromise as identity-and-provenance failures first, then malware-execution events.

Attribution Convergence: Sapphire Sleet, UNC1069, and NICKEL GLADSTONE
Three names. One actor. Attribution labels differ by vendor taxonomy, yet the core direction aligns: Microsoft identifies Sapphire Sleet with alias overlap to UNC1069 and related North Korean tracked clusters [4]; Sophos attributes the same campaign lineage to NICKEL GLADSTONE [3]; Mandiant documents UNC1069 tradecraft that overlaps in social engineering method and malware operational profile [7].
Why does the naming matter? Because cross-vendor alias mapping enables defenders to join indicators and behaviour patterns that would remain fragmented if teams filtered by one naming convention only [7], [3], [4]. The value is interpretability, not label preference.
The Social Engineering Playbook Preceding the Credential Compromise
Mandiant reports a mature social engineering chain: trusted-account hijack, staged rapport, fake meeting infrastructure, and execution induction through a troubleshooting pretext [7]. The described sequence includes platform-native command execution patterns (think curl | zsh on macOS, script launch pathways on Windows) that exploit the developer’s own terminal as the weapon [7].
How exactly was the credential stolen? Axios reporting left that uncertain at publication time [1]. The maintainer’s own post-mortem provides first-person incident context and supports the interpretation that human-layer deception and workflow coercion played a central role [5]. Social engineering plausibly preceded package publication abuse. But the available record does not support deterministic reconstruction of every credential handoff step [1]-[5]. Some links in the chain remain dark.
Coherence Analysis: Mandiant UNC1069 Report and the axios Incident
Mandiant’s report predates the axios package event, yet the actor behaviour it catalogues (identity theft, account takeover, recursive social deception loops across financial and developer-adjacent targets) maps onto the incident context with uncomfortable precision [7]. Microsoft and Sophos later document package ecosystem abuse with overlapping infrastructure indicators and malware staging patterns [3], [4].
This is not coincidence. The axios event matches an established operational playbook rather than an isolated tactical anomaly [7], [3], [4].
Engineering Lessons from the axios Compromise
1. Maintainer Credential Security Is the Weakest Link in Open-Source Trust
Popularity is not provenance. High-distribution packages concentrate systemic risk in a vanishingly small identity surface, and the axios event shows exactly what happens when a single maintainer credential falls: consumer assumptions that popularity implies safety collapse overnight [1], [3], [4]. Release provenance checks during dependency intake let teams distinguish workflow-bound releases from opaque publication events [4].
Recommendation: Enforce maintainers and consuming organizations to validate publication provenance metadata before promotion into production dependency mirrors. Gate high-impact package updates behind human review and signed pipeline evidence.
2. Dependency Manifest Integrity Requires Active Verification, Not Assumed Trust
Trust declared is not trust verified. The injected dependency pattern demonstrates that manifest integrity must be confirmed at resolution time, not assumed when the package.json was written [3], [4]. Compare lockfile changes, transitive graph deltas, and script execution surfaces before anything reaches deployment.
Recommendation: Pin versions for production builds, generate an SBOM for every build, and block promotion when transitive dependency diffs include unknown packages or newly introduced install scripts.
3. Postinstall Hooks Are Execution Primitives Masquerading as Build Utilities
Microsoft and Sophos both describe install-time execution as the effective initial access stage after dependency resolution [3], [4]. Think about what that means. A package install that runs code with network egress is, from a risk perspective, indistinguishable from remote code execution. Trustworthy policy design must treat lifecycle scripts as privileged execution events, because that is exactly what they are.
Recommendation: Default CI to script-disabled installs, then enforce an allowlist for packages that require lifecycle scripts for deterministic build reasons.
4. Semantic Versioning Convenience Systematically Enables Supply Chain Propagation
Dependency ranges allowed malicious versions to resolve automatically across affected version bands [3], [4]. Fast detection? Necessary but insufficient. Resolution policy defines exposure window; the semver caret (^) that saves you upgrade friction is the same caret that silently pulls poison.
Recommendation: Split dependency automation into two tracks. Use tightly controlled emergency security updates for critical packages and slower reviewed updates for all other packages.
5. The Supply Chain Attack Surface Extends to Developer Endpoints and CI Runners Equally
Once install-time execution fires, the blast radius ignores your neat endpoint-versus-pipeline boundary lines. Second-stage payload behaviour across operating systems confirms this [3], [4]. Developer laptops are identity-bearing infrastructure. Treat them accordingly.
Recommendation: Apply production-grade EDR controls to developer endpoints and hosted runners, then enforce rapid credential rotation playbooks when malicious dependency execution is confirmed.
6. Defence Evasion Through Post-Execution Artefact Removal Demands Forensic-Grade Telemetry
The malware cleaned up after itself. Self-deletion and manifest cleanup behaviour in this incident mean that local artifact inspection alone produces unreliable evidence [3], [4]. Mandiant’s reporting on related actor tradecraft reinforces the same conclusion: reconstruction demands independent telemetry planes that the attacker cannot reach [7].
Recommendation: Preserve process, network, and file telemetry outside build workspaces. Trigger incident workflows from telemetry correlation, not from package directory inspection alone.
7. AI-Enabled Social Engineering Represents a Qualitative Escalation in Credential Theft Tradecraft
Mandiant documents social engineering that exploited live trust channels and induced command execution under collaboration pretexts [7]. Not phishing emails. Not fake login pages. Live, interactive deception deployed against someone who knows what supply chain attacks look like. The maintainer response adds practitioner-level evidence that such deception patterns can defeat experienced technical users under realistic pressure [5]. If experienced developers are vulnerable, awareness training alone will not solve this.
Recommendation: Redesign training around execution refusal protocols. Any request to run terminal commands during a call should trigger verification by an independent channel before action.
8. Velocity of Detection and Removal Does Not Bound the Downstream Impact
Registry takedown was fast. Good. But speed of removal did not reverse completed execution on systems that had already pulled the malicious versions [1], [3], [4]. Registry cleanup measures publication risk; it says nothing about host compromise already in progress. Conflating those two creates dangerous false reassurance.
Recommendation: Start incident response at detection time, not at package removal time. Hunt all systems that resolved or installed affected versions during the exposure interval.
9. Registry Trust Architecture Must Evolve From Publication-Time to Continuous Behavioural Attestation
Credentials do not expire when intent changes. The event illustrates a structural deficiency in ecosystem trust: a valid credential can publish malicious code indistinguishable (at publication time) from a legitimate release [3], [4]. Post-publication controls that quarantine suspicious versions before production adoption are the missing architectural layer.
Recommendation: Operate a private dependency mirror with quarantine promotion rules and behavioral scanning before release to production consumers. Provenance frameworks such as the Supply-chain Levels for Software Artifacts (SLSA) can support this model [8].
10. Cross-Functional Incident Response Requires Pre-Built Playbooks Specific to Package Manager Compromise
Microsoft guidance and vendor reporting emphasize package-manager-specific investigation patterns, including dependency inventory hunting, pipeline log review, and indicator-led endpoint triage [3], [4]. Response quality improves when software, platform, and security teams work from one playbook with shared evidence standards.
Recommendation: Maintain a dedicated npm compromise runbook and exercise it in tabletop drills that include engineering, platform, and SOC roles.
Indicators of Compromise Reference
The following indicators originate from Microsoft Threat Intelligence and Sophos reporting [3], [4].
| Indicator | Type | Platform |
|---|---|---|
5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd |
SHA-256 | axios-1.14.1.tgz |
59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f |
SHA-256 | axios-0.30.4.tgz |
58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 |
SHA-256 | plain-crypto-js-4.2.1.tgz |
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a |
SHA-256 | macOS RAT: com.apple.act.mond |
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
SHA-256 | Windows PowerShell RAT |
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf |
SHA-256 | Linux Python loader: ld.py |
sfrclak[.]com |
C2 domain | All platforms |
142.11.206[.]73:8000 |
C2 IP | All platforms |
callnrwise[.]com |
Domain | Associated infrastructure |
nrwise@proton[.]me |
Associated attacker identity | |
C:\ProgramData\wt.exe |
File path | Windows LOLBin proxy |
/Library/Caches/com.apple.act.mond |
File path | macOS RAT persistence |
/tmp/ld.py |
File path | Linux payload |
Common Questions
What happened in the 2026 axios npm supply chain compromise for axios npm supply chain attack?
Attackers published malicious axios versions on npm that introduced plain-crypto-js@4.2.1, which executed install-time malware delivery across multiple operating systems [1], [3], [4].
Which threat groups are linked to the axios compromise by major vendors for axios npm supply chain attack?
Microsoft attributes the activity to Sapphire Sleet, Sophos maps related activity to NICKEL GLADSTONE, and Mandiant tracks overlapping tradecraft under UNC1069 [7], [3], [4].
How can engineering teams verify whether their environments were exposed for axios npm supply chain attack?
Investigate systems that resolved or installed affected axios versions during the exposure window and hunt for reported indicators, including sfrclak[.]com and platform payload artifacts [3], [4].
What immediate incident-response sequence is recommended after suspected exposure for axios npm supply chain attack?
Quarantine affected hosts, rotate exposed credentials, inspect CI logs for vulnerable installs, and remediate by replacing compromised dependencies with known-good versions [1], [3], [4].
How was the axios maintainer account likely compromised, based on current reporting for axios npm supply chain attack?
Public reports did not conclusively publish every credential theft detail at first disclosure [1]. Mandiant tradecraft reporting plus the maintainer post-mortem context supports social engineering as a credible precursor pattern [7], [5].
Does removing malicious axios versions fully remediate affected systems for axios npm supply chain attack?
No. Package removal does not guarantee host recovery after payload execution. Incident response must include endpoint validation, persistence checks, and credential hygiene measures [3], [4].
How does this incident illustrate a software supply chain attack pattern for axios npm supply chain attack?
A software supply chain attack targets the delivery infrastructure for code rather than the end application directly. Attackers compromise a package registry, maintainer credential, build tool, or dependency repository. Downstream consumers who install or update a package unknowingly receive and execute malicious code. The axios npm event is a confirmed example: a compromised maintainer credential allowed injection of malicious versions into npm’s distribution system, propagating to every project that resolved the affected version range [1], [3], [4].
How can npm teams detect compromised versions in lockfiles, CI logs, and telemetry for axios npm supply chain attack?
Review your lockfile (package-lock.json or yarn.lock) for axios version 1.14.1 or 0.30.4, or for plain-crypto-js@4.2.1. Check your CI run logs for installations during the 30-31 March 2026 exposure window. Hunt for IOC domains (sfrclak[.]com) and platform-specific payload paths (/Library/Caches/com.apple.act.mond on macOS, C:\ProgramData\wt.exe on Windows, /tmp/ld.py on Linux) in EDR telemetry. The full IOC list appears in the Indicators of Compromise table in this article [3], [4].
Technical Appendix
Citation Data, Standards Mapping, and Control Matrix
Author and Source Credibility
This article is authored by Zenith Law and synthesises findings from npm security advisories, GitHub incident disclosures, and supply-chain integrity frameworks including SLSA and NIST SSDF. The referenced sources span official project post-mortems, open-source registry audit data, and established software supply-chain security standards, providing a practitioner-oriented evidence base grounded in documented incidents rather than hypothetical threat models.
Appendix Table of Contents
- Author and Source Credibility
- Citation-Ready Data Extracts
- Authoritative Security Standards for Control Mapping
- Control Comparison: Baseline vs Resilient Supply Chain Practice
- Technical Term Definitions
Synthesis note: The control-first approach of this article is consistent with the SSDF emphasis on repeatable secure software engineering practices.

Citation-Ready Data Extracts
The table below converts IOC content into class-level counts that can be quoted directly in summaries, audits, and incident postmortems.
| IOC class | Count | Operational use case |
|---|---|---|
| File hashes (SHA-256) | 6 | Endpoint triage, malware matching, and retrospective scan jobs |
| C2 network indicators (domain/IP) | 4 | DNS, proxy, and network egress detection rules |
| Host artifact paths | 3 | Host-based persistence and forensic validation checks |
Authoritative Security Standards for Control Mapping
These authoritative references provide governance-grade control baselines for teams applying the lessons in this incident analysis:
- NIST Secure Software Development Framework (SSDF) (
.gov) - CISA Secure by Design (
.gov) - NIST AI Risk Management Framework (
.gov) - CMU SEI CERT Secure Coding and Software Assurance Guidance (
.edu)
Control Comparison: Baseline vs Resilient Supply Chain Practice
| Security domain | Baseline control (high residual risk) | Resilient control (lower residual risk) |
|---|---|---|
| Dependency updates | Auto-accept semantic range updates in CI | Quarantine mirror plus human promotion for high-impact packages |
| Install scripts | Allow all lifecycle scripts by default | Deny-by-default scripts with explicit allowlist and audit logging |
| Provenance validation | Trust package popularity and maintainer reputation | Verify signed provenance, release workflow metadata, and SBOM diffs |
| Endpoint defense | Protect production only | Apply production-grade EDR to developer endpoints and CI runners |
| Incident telemetry | Rely on local package files | Preserve external process, DNS, and network telemetry for reconstruction |
| Recovery decision | Roll back package and resume | Rotate credentials, hunt IOCs, validate persistence removal before closure |
Technical Term Definitions
- Software supply chain attack
- A compromise pattern where attackers manipulate code delivery infrastructure, dependencies, or build workflows so downstream consumers execute malicious artifacts during normal development or deployment processes.
- Maintainer credential compromise
- Unauthorized access to a package publisher account that enables adversaries to release malicious versions through trusted distribution channels.
- Lifecycle install script execution
- Automatic code execution triggered by package manager hooks during install, update, or build steps; in this incident, it functioned as an initial-access execution primitive.
- Indicator of compromise (IOC)
- A forensic artifact such as a hash, domain, IP, path, or command pattern that can be used to detect known malicious activity across endpoints and telemetry systems.
- Provenance attestation
- Cryptographically or procedurally verifiable metadata linking a published artifact to its build pipeline, source revision, and authorized release identity.
- Quarantine dependency mirror
- A controlled internal package repository where new dependencies are held for policy checks, malware scanning, and human review before production use.
References
- [1]Axios, North Korean hackers implicated in major supply chain attack, 2026. Accessed: 9 April 2026.
- [2]L. et al., North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack, 2026. Accessed: 9 April 2026.
- [3]S. CTU, Axios npm package compromised to deploy malware, 2026. Accessed: 9 April 2026.
- [4]M. T. Intelligence, Mitigating the Axios npm supply chain compromise, 2026. Accessed: 9 April 2026.
- [5]Saayman, Post Mortem: axios npm supply chain compromise, 2026. Accessed: 9 April 2026.
- [6]SOCRadar, Axios npm supply chain attack 2026: CISO guide, 2026. Accessed: 9 April 2026.
- [7]Inman and Hernandez, UNC1069 targets cryptocurrency sector with new tooling and AI-enabled social engineering, 2026. Accessed: 9 April 2026.
- [8]SLSA, Provenance, n.d. Accessed: 9 April 2026.