A sophisticated supply chain attack targeting the widely adopted JavaScript library Axios has been detailed, with Microsoft Threat Intelligence analysts attributing the compromise to North Korean state-sponsored actors. The attack, which came to light on March 31, 2026, involved malicious code embedded in two versions of the Axios npm package, 1.14.1 and 0.30.4. These versions silently installed harmful software on developer machines, posing a significant risk to countless projects and organizations globally due to Axios’s immense popularity, with over 70 million weekly downloads.
Microsoft identified the infrastructure behind this operation as linked to Sapphire Sleet, a threat group active since at least March 2020. This group typically focuses on financial targets, including cryptocurrency exchanges and blockchain organizations, aiming to steal digital assets and sensitive financial data. Sapphire Sleet is also known for employing social engineering tactics, often using platforms like LinkedIn to ensnare targets and direct them to malicious files hosted on attacker-controlled cloud services.
Silent Dependency Injection: How the Axios npm Supply Chain Compromise Went Undetected
The attack’s effectiveness stemmed from a clever method of injecting a fake dependency, named [email protected], into the compromised Axios versions. This malicious dependency executed a post-install script that silently communicated with a command-and-control (C2) server. From this server, it downloaded a second-stage remote access trojan (RAT), specifically tailored for the operating system in use—Windows, macOS, or Linux. This approach ensured broad compatibility and reach across diverse development environments.
What made this particular supply chain attack especially insidious was its exploitation of npm’s automatic update functionality. Projects configured to automatically accept minor or patch updates for Axios would inadvertently resolve to the compromised versions during routine installations or updates. This allowed the malicious code execution chain to proceed without any explicit user action or visible warning, effectively turning a convenience feature into a potent delivery mechanism for malware.
Instead of directly altering Axios’s source code, the attacker strategically embedded plain-crypto-js as a new dependency. This dependency was designed to activate only during the installation process. When a developer initiated an npm install command, or when an automated CI/CD pipeline triggered a build, the npm package manager would resolve and install [email protected] discreetly. The package’s lifecycle script then launched setup.js, a first-stage loader that employed multi-layered obfuscation techniques to reconstruct sensitive strings at runtime.
The loader would then establish a connection to the attacker’s server, located at hxxp://sfrclak[.]com:8000/6202033. To evade initial detection, the attacker first published a clean version of plain-crypto-js (4.2.0) to establish a history of legitimate activity before introducing the malicious 4.2.1 update. Upon successful execution, the setup.js script would remove itself and replace the original package manifest with a seemingly clean version, complicating post-incident forensic analysis.
On Windows systems, setup.js dropped a VBScript stager responsible for deploying a PowerShell RAT, which then established persistence by creating a registry run key. For macOS environments, a native binary named com.apple.act.mond was stealthily placed within the Library/Caches folder. Linux systems received a Python payload identified as ld.py, which was written to the /tmp directory and launched to run in the background.
Mitigation and Recommendations
Microsoft Threat Intelligence has provided clear guidance for organizations to address this Axios npm supply chain compromise. It is strongly recommended that all affected Axios deployments be immediately rolled back to either version 1.14.0 or 0.30.3. Furthermore, any secrets or credentials that may have been exposed on compromised systems must be rotated without delay. This is a critical step to prevent further unauthorized access or data exfiltration.
Developers are advised to remove caret (^) and tilde (~) prefixes from their package.json files. These prefixes allow for automatic minor and patch version updates, which was exploited in this attack. By locking Axios to an exact version number, developers can prevent such silent, unintended upgrades and maintain greater control over their project’s dependencies. Running npm cache clean --force is also recommended to clear any cached malicious packages from the local npm cache.
Organizations should meticulously audit their CI/CD logs for any installations of the affected Axios versions. Additionally, it is crucial to check developer machines for the presence of the plain-crypto-js folder within node_modules directories. Blocking outbound network traffic to the identified malicious domain sfrclak[.]com and its associated IP address 142.11.206[.]73 on port 8000 is another essential defensive measure. Automated dependency management tools, such as Dependabot or Renovate, should be configured to restrict any updates to Axios until the threat landscape related to this specific attack has been fully resolved and new, verified secure versions are available.
Looking Ahead
The ongoing investigation into the Sapphire Sleet group’s activities will likely involve monitoring for any attempts to re-exploit vulnerabilities in the software supply chain. Developers and organizations must remain vigilant, prioritizing secure coding practices and robust dependency management strategies to defend against future attacks. The cybersecurity community is expected to continue refining detection mechanisms and sharing intelligence to build a more resilient software development ecosystem against this evolving threat.