Mitigating the Axios npm supply chain compromise
On March 31, 2026, two newly published npm package versions of Axios were identified as malicious. Axios is a popular HTTP client for JavaScript, with over 70 million weekly downloads, that simplifies making HTTP requests to a REST endpoint. These versions (1.14.1 and 0.30.4) were injected with a malicious dependency that downloads payloads from known actor command and control (C2) infrastructure. Microsoft Threat Intelligence has attributed this infrastructure and the Axios npm compromise to Sapphire Sleet, a North Korean state actor.
Following successful connection to the malicious C2, a second-stage remote access trojan (RAT) payload was automatically deployed based on the operating system of the compromised device, including macOS, Windows, and Linux. This activity follows the pattern of recent high-profile supply chain attacks, where other adversaries poison widely adopted open-source frameworks and their distribution channels to achieve broad downstream impact.
Users who have installed Axios version 1.14.1 or 0.30.4 should rotate their secrets and …
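To find out whether a project resolved one of the two versions named above, the lockfile can be checked directly. The script below is an added example, not code from the advisory: it assumes an npm `package-lock.json` (any lockfile version), matches only the two version numbers given on this page, and runs against a constructed sample when no path is passed.

```javascript
// Added example: report axios entries at the affected versions in an npm lockfile.
const AFFECTED = new Set(["1.14.1", "0.30.4"]); // versions named on this page

// Return every axios install in a parsed package-lock.json that is at an affected version.
function findAffectedAxios(lock) {
  const hits = new Map(); // keyed by install path so v2 lockfiles are not double-counted
  const check = (path, name, version) => {
    if (name === "axios" && AFFECTED.has(version)) hits.set(path, { path, version });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // "name" is present for aliased installs; otherwise derive it from the path.
    check(path, meta.name || path.split("node_modules/").pop(), meta.version);
  }
  // lockfileVersion 1 (and the compatibility copy in v2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(path, name, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...hits.values()];
}

// Constructed sample lockfile (package names other than axios are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios-retry": { version: "4.5.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/other/node_modules/axios": { version: "1.13.0" },
    "node_modules/http-alias": { name: "axios", version: "1.14.1" },
  },
};

// Usage: node scan.js [path/to/package-lock.json]
const lockPath = process.argv[2];
const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
for (const hit of findAffectedAxios(lock)) console.log(`AFFECTED axios@${hit.version} at ${hit.path}`);
```

A clean lockfile shows only what the project currently resolves; build caches, CI runners and developer machines that installed during the exposure window need their own check.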
IoC