
On March 31, 2026, one of the most widely used JavaScript libraries in the world was compromised. Axios — the HTTP client library installed in virtually every modern web application, with over 100 million weekly npm downloads — had two malicious versions published to the npm registry. Within a 39-minute window, attackers pushed backdoored code to [email protected] and [email protected] that silently downloaded and executed a cross-platform Remote Access Trojan (RAT) on every developer workstation and CI/CD server that ran npm install.
The attack has been attributed to UNC1069 (also tracked as Sapphire Sleet, BlueNoroff, and STARDUST CHOLLIMA) — a financially motivated North Korean threat actor linked to the Lazarus Group. Google Threat Intelligence Group (GTIG), Microsoft Threat Intelligence, and Elastic Security Labs have all published independent analyses confirming the attribution.
This guide covers what happened, how to check if your systems are affected (with specific commands for Windows, macOS, and Linux), and exactly how to remediate if you find indicators of compromise.
All times are UTC:
| Time (UTC) | Event |
|---|---|
| Mar 30, 05:57 | [email protected] published to npm — a clean decoy package establishing version history |
| Mar 30, 23:59 | [email protected] published — the malicious version containing the RAT dropper |
| Mar 31, 00:21 | [email protected] published (tagged latest) — adds plain-crypto-js as a dependency |
| Mar 31, 01:00 | [email protected] published (tagged legacy) — same malicious dependency |
| Mar 31, ~03:15 | npm unpublishes both compromised axios versions |
| Mar 31, 03:25 | npm places security hold on plain-crypto-js |
| Mar 31, 04:26 | Security stub [email protected] published to block reinstalls |
The malicious versions were live for approximately 3 hours before npm took action. During that window, an estimated 3% of Axios's userbase — potentially tens of thousands of developer workstations and build servers — installed the compromised packages.
The attacker gained access to the npm account of jasonsaayman, a legitimate Axios maintainer. Every legitimate Axios 1.x release is published via GitHub Actions using npm's OIDC Trusted Publisher mechanism — a cryptographic binding between GitHub CI and npm. The malicious [email protected] was published manually using a stolen npm access token with no OIDC binding, and the account email was changed to [email protected].
The compromised Axios versions added a single new dependency: [email protected]. This package was never imported anywhere in Axios source code. Its sole purpose was executing a postinstall script — a 4.2KB obfuscated JavaScript dropper called setup.js that used dual-layer XOR encryption to hide its true behavior.
Within 1.1 seconds of npm install completing, the dropper:
- Downloads the RAT from sfrclak[.]com:8000 (IP: 142.11.206.73)
- Deletes setup.js and replaces the malicious package.json with a clean stub reporting version 4.2.0 instead of 4.2.1
- On macOS, drops the RAT at /Library/Caches/com.apple.act.mond via the temp file /tmp/6202033 and runs codesign --force --deep --sign to bypass Gatekeeper
- On Windows, drops %PROGRAMDATA%\wt.exe (disguised as Windows Terminal) plus %TEMP%\6202033.ps1 and %TEMP%\6202033.vbs, launched with -ExecutionPolicy Bypass
- On Linux, drops /tmp/ld.py and runs it with nohup python3, detached from the parent process
Once installed, the RAT — identified by Google as WAVESHAPER.V2 — beacons to the C2 server every 60 seconds using a spoofed IE8/Windows XP User-Agent string. It collects hostname, username, OS version, CPU architecture, boot/install times, and running processes. The RAT accepts four commands, among them peinject, which deploys additional payloads, and one that targets the /Applications, ~/Library, and ~/Application Support directories.
Run these commands on every developer workstation, build server, and CI/CD runner in your organization.
```bash
# All platforms: dependency checks
# Check if plain-crypto-js exists in any project
find / -name "plain-crypto-js" -type d 2>/dev/null
# Check npm global packages
npm list -g plain-crypto-js 2>/dev/null
# Check package-lock.json for compromised versions.
# Lockfiles put "version" on the line after the package entry, so match with context;
# this catches both v1 ("axios": {) and v2/v3 ("node_modules/axios": {) layouts
grep -rA3 -E '"(node_modules/)?axios": \{' --include="package-lock.json" . 2>/dev/null | grep -E '"version": "(1\.14\.1|0\.30\.4)"'
# Also catch version specifiers that name the bad release directly
grep -r '"axios"' --include="package-lock.json" . 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
# Check yarn.lock
grep -E "axios@.*1\.14\.1|axios@.*0\.30\.4" yarn.lock 2>/dev/null
# Check pnpm-lock.yaml
grep -E "axios.*1\.14\.1|axios.*0\.30\.4" pnpm-lock.yaml 2>/dev/null
```
```bash
# macOS
# Check for the RAT binary
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null
# Check for the dropper temp file
ls -la /tmp/6202033 2>/dev/null
# Check for the RAT process
ps aux | grep -i "com.apple.act.mond" | grep -v grep
# Check for network connections to C2
lsof -i -n | grep -E "142\.11\.206\.73|sfrclak"
# Check for suspicious codesign activity in logs
log show --predicate 'process == "codesign"' --last 72h 2>/dev/null | head -20
```
```powershell
# Windows (PowerShell)
# Check for the RAT binary
Test-Path "$env:PROGRAMDATA\wt.exe"
Get-FileHash "$env:PROGRAMDATA\wt.exe" -ErrorAction SilentlyContinue
# Check for temp dropper files
Test-Path "$env:TEMP\6202033.ps1"
Test-Path "$env:TEMP\6202033.vbs"
# Check for suspicious processes
Get-Process | Where-Object { $_.Path -like "*ProgramData*wt.exe*" }
# Check for network connections to C2
netstat -ano | findstr "142.11.206.73"
netstat -ano | findstr "8000"
# Check recent PowerShell execution bypass events (4104 = script block logging)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} -MaxEvents 50 |
Where-Object { $_.Message -like "*ExecutionPolicy Bypass*" -or $_.Message -like "*6202033*" } |
Select-Object TimeCreated, Message | Format-List
```
```bash
# Linux
# Check for the Python RAT script
ls -la /tmp/ld.py 2>/dev/null
# Check for the RAT process
ps aux | grep -E "ld\.py|nohup.*python3" | grep -v grep
# Check for network connections to C2
ss -tunapl | grep -E "142\.11\.206\.73|8000"
netstat -tunapl 2>/dev/null | grep -E "142\.11\.206\.73|8000"
# Check for suspicious nohup processes
ps aux | grep nohup | grep -v grep
```
Search your firewall, DNS, and proxy logs for any connections to:
| IOC Type | Value |
|---|---|
| Domain | sfrclak[.]com |
| IP Address | 142.11.206.73 |
| Port | 8000 |
| Campaign ID | 6202033 |
| User-Agent | IE8/Windows XP (spoofed) |
Any historical connection to these indicators since March 30, 2026 confirms compromise.
If you found ANY indicator of compromise above, treat the affected system as fully compromised. The RAT's capabilities include arbitrary code execution and credential theft — assume the attacker had full access to everything on that machine.
1. Block 142.11.206.73 and sfrclak[.]com on all ports, both inbound and outbound.
2. Kill the RAT process and remove its files:
   - macOS: sudo kill $(pgrep -f "com.apple.act.mond") and sudo rm /Library/Caches/com.apple.act.mond
   - Windows: Stop-Process -Name "wt" -Force; Remove-Item "$env:PROGRAMDATA\wt.exe" -Force
   - Linux: kill $(pgrep -f "ld.py"); rm /tmp/ld.py
3. Reinstall a clean Axios: npm install [email protected] (or [email protected] for legacy)
4. Clear your package manager caches so the malicious tarballs cannot be reinstalled from local cache:
```bash
npm cache clean --force
yarn cache clean
pnpm store prune
```
Every credential accessible from the compromised machine must be rotated. The RAT could have exfiltrated anything:
- Credentials stored in .env files, CI/CD variables, or shell profiles
For any system confirmed compromised:
- The RAT's peinject command means additional payloads may have been deployed that you haven't discovered. Wipe and rebuild from known-good images.
- If CI/CD runners ran npm install during the attack window, destroy and recreate them. Persistent CI runners (not ephemeral containers) are highest risk.
- Keep monitoring for 142.11.206.73 and sfrclak[.]com for at least 30 days.
Prevention going forward:
- Pin exact versions in package.json — use "axios": "1.14.0" not "axios": "^1.14.0". The caret prefix automatically upgrades to new minor/patch versions including compromised ones.
- Commit your lockfiles: package-lock.json, yarn.lock, and pnpm-lock.yaml pin exact versions with integrity hashes. Never delete lockfiles.
- Run npm audit in CI/CD — fail builds on critical vulnerabilities.
Google Threat Intelligence Group (GTIG) attributed this attack to UNC1069, a financially motivated North Korean threat actor active since at least 2018. Microsoft independently attributed the infrastructure to Sapphire Sleet. This threat actor is also tracked as Sapphire Sleet, BlueNoroff, and STARDUST CHOLLIMA.
UNC1069 is assessed with high confidence to be associated with BlueNoroff, a financially focused subunit of the broader Lazarus Group. The attribution is based on the use of WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously deployed by this actor in cryptocurrency theft campaigns.
The supply chain attack on Axios follows a pattern of North Korean threat actors targeting developer tools and package registries — the same strategic approach used in the SolarWinds (2020), Kaseya (2021), and 3CX (2023) supply chain compromises.
If your Houston business has developers, web applications, or custom software — you likely have Axios in your dependency tree. It's used by virtually every React, Vue, Angular, and Node.js application. This isn't a niche library targeting a small audience. This is one of the most foundational packages in the JavaScript ecosystem being weaponized by a nation-state actor.
The immediate action items for every business:
- Check for [email protected] or [email protected] using the commands above
LayerLogix provides supply chain security assessment and remediation for Houston businesses. If you need help auditing your development environments, rotating credentials across your organization, or implementing the dependency security controls described above — contact us immediately or call 713-571-2390.
Sources: StepSecurity | Elastic Security Labs | Snyk | Google GTIG | Microsoft Security