Axios npm Backdoored: UNC1069 Deploys Cross-Platform RAT via Supply Chain Attack

2026-04-01, CybersecSentinel
https://cybersecsentinel.com/axios-npm-backdoored-unc1069-deploys-cross-platform-rat-via-supply-chain-attack/
#Axios #NPM #UNC1069

| Group | UNC1069 (North Korea-nexus, BlueNoroff-linked, financially motivated threat actor) |
| Type | npm Supply Chain Compromise / Cross-Platform Remote Access Trojan |
| Malware | SILKBELL: postinstall dropper embedded in [email protected]. WAVESHAPER.V2: updated cross-platform RAT linked to prior BlueNoroff RustBucket campaigns |
| Score | 🔴 9.5 Critical. Nation-state supply chain attack on one of npm's most downloaded packages, deploying a cross-platform RAT against any developer or CI/CD pipeline that ran npm install during the exposure window. |
| Observed | March 2026, StepSecurity, Google Threat Intelligence Group, Elastic Security Labs, Huntress |

Overview

Between 00:21 and 03:20 UTC on 31 March 2026, two malicious versions of the axios npm package were published to the npm registry. Axios is the most widely used JavaScript HTTP client, with over 100 million weekly downloads. The threat actor behind the attack had compromised the npm account …

IoC
