Axios npm Supply Chain Compromise (2026-03-31) — Full RE + Dynamic Analysis + BlueNoroff Attribution
Axios npm Supply Chain Compromise — Full Analysis Package
Date: 2026-03-31 | Attribution: BlueNoroff / Lazarus Group (HIGH confidence)
Attack: Maintainer account hijacked, cross-platform RAT deployed via [email protected] and [email protected]
What happened
On March 30-31, 2026, the npm package axios (~83M weekly downloads) was compromised through a maintainer account hijack. Two malicious versions injected [email protected], an obfuscated dropper that deploys platform-specific RATs (Windows PowerShell, macOS Mach-O C++, Linux Python). The macOS RAT is classified as NukeSped (Lazarus-exclusive). The internal project name macWebT links directly to BlueNoroff's documented RustBucket webT module from 2023.
Complete reverse engineering of all 5 payloads (full source recovered). radare2 disassembly of macOS Mach-O. setup.js deobfuscation. Memory dump analysis. Live dynamic analysis on Daytona Windows …
IoC
http://sfrclak.com:8000
http://sfrclak.com:8000/6202033
45.61.128.54
142.11.209.109
23.254.226.130
142.11.192.0
142.11.239.46
144.172.89.231
23.254.167.216
142.11.206.73
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
656b9a2f4de6ed4909e157482860ab3d
773906b0efdefa24a7f2b8eb6985bf37
1d9437ff1aa1e958ed34a0fb0313f206
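A defender-side way to put the indicators above to use is to sweep build-agent proxy logs for the C2 domain, URLs and IPs, and to compare file hashes from a quarantined node_modules tree against the listed MD5s. The script below is an added example and is not part of this analysis package; the indicator values are copied from the IoC section on this page, while the proxy log lines and the "benign file" bytes are constructed samples. The page lists the three MD5s without saying which payload each belongs to, so the matcher treats them as one set and reports only "known payload hash", not a payload name.

```python
"""IoC matcher for the axios npm compromise (added example, not the package's own code).

Indicator values come from the IoC section of this page. Log lines and file
bytes used below are constructed samples, not captured data.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Network indicators from the IoC section.
C2_HOSTS = {"sfrclak.com"}
# Longest URL first so a hit on the full download URL is not also reported
# as a hit on its prefix.
C2_URLS = sorted(
    {"http://sfrclak.com:8000", "http://sfrclak.com:8000/6202033"},
    key=len, reverse=True,
)
C2_IPS = {
    "45.61.128.54", "142.11.209.109", "23.254.226.130", "142.11.192.0",
    "142.11.239.46", "144.172.89.231", "23.254.167.216", "142.11.206.73",
}
# File hashes (MD5) from the IoC section; the page does not label which
# payload each hash belongs to, so they are matched as one set.
PAYLOAD_MD5 = {
    "656b9a2f4de6ed4909e157482860ab3d",
    "773906b0efdefa24a7f2b8eb6985bf37",
    "1d9437ff1aa1e958ed34a0fb0313f206",
}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def indicators_in_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every page-listed indicator in one log line."""
    hits: List[Tuple[str, str]] = []
    for url in C2_URLS:
        if url in line:
            hits.append(("url", url))
            break  # longest matching URL only
    for host in _HOST.findall(line):
        if host.lower() in C2_HOSTS and ("host", host.lower()) not in hits:
            hits.append(("host", host.lower()))
    for ip in _IPV4.findall(line):
        if ip in C2_IPS and ("ip", ip) not in hits:
            hits.append(("ip", ip))
    return hits


def scan_log(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map 1-based line numbers to the indicators found on that line (hits only)."""
    return {i: h for i, line in enumerate(lines, 1) if (h := indicators_in_line(line))}


def md5_hex(data: bytes) -> str:
    """MD5 of file contents, as lowercase hex (MD5 is the digest the IoC list uses)."""
    return hashlib.md5(data).hexdigest()


def is_known_payload(digest: str) -> bool:
    """True if a hex MD5 digest is one of the payload hashes listed on this page."""
    return digest.strip().lower() in PAYLOAD_MD5


# Constructed sample: a CI build agent's outbound proxy log (not real traffic).
# The log format (timestamp, agent name, method, target, status) is an assumption.
SAMPLE_PROXY_LOG = [
    "2026-03-31T02:14:07Z build-agent-7 GET http://registry.npmjs.org/axios 200",
    "2026-03-31T02:14:09Z build-agent-7 GET http://sfrclak.com:8000/6202033 200",
    "2026-03-31T02:14:11Z build-agent-7 CONNECT 142.11.209.109:443",
    "2026-03-31T02:15:00Z build-agent-7 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_PROXY_LOG).items():
        print(f"line {lineno}: {hits}")
    benign = b"constructed benign file contents"
    print("benign sample flagged:", is_known_payload(md5_hex(benign)))
```

On the constructed log, line 2 is reported for both the download URL and the C2 host and line 3 for the C2 IP; the registry fetch on line 1 and the unrelated request on line 4 produce no hits. Because the IoC list gives only MD5s, hash matching is a positive confirmation when it hits but says nothing when it misses: a recompiled or repacked payload will not match, so the network indicators and a review of what `setup.js` wrote to disk should be used alongside it.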