North Korea-Linked Actors Compromise Axios Maintainer via Social Engineering, Poison npm Releases with RAT
Attackers hijacked the npm account of Axios maintainer jasonsaayman and published malicious versions axios@1.14.1 and axios@0.30.4, bypassing the project’s normal GitHub Actions/OIDC release workflow. The poisoned releases added plain-crypto-js@4.2.1, a staged dependency whose postinstall logic fetched platform-specific second-stage malware from sfrclak[.]com:8000 and deployed a remote access trojan on Windows, macOS, and Linux. Researchers said the malware used anti-forensic cleanup by deleting installer artifacts and restoring a clean-looking package.json, while Windows samples also established persistence through a Run key. npm removed the malicious packages after roughly three hours, but Axios’s massive downstream use created broad exposure across developer endpoints, CI/CD pipelines, and transitive dependencies.
Multiple vendors and the Axios maintainers urged organizations to treat any system that installed the affected versions as fully compromised, downgrade to axios@1.14.0 or axios@0.30.3, remove plain-crypto-js, block sfrclak[.]com and 142.11.206[.]73, and rotate all accessible secrets and credentials. Subsequent reporting said the maintainer was compromised through a targeted social-engineering campaign involving fake business outreach and session theft, and several firms, including Google and Microsoft, linked the operation to North Korea-aligned activity tracked as UNC1069 or Sapphire Sleet, though some attribution details remain contested across vendors.
Timeline
May 8, 2026
OpenAI sets May 8 block date for apps signed with revoked macOS certificate
OpenAI said older macOS app versions signed with the previously exposed certificate will lose support and be blocked by default starting May 8, 2026, as it coordinates with Apple to prevent new notarizations using the old certificate. The measure follows OpenAI's earlier revocation and rotation of the certificate after its signing workflow executed the malicious Axios package.
Apr 11, 2026
OpenAI discloses downstream impact to macOS build workflow
OpenAI said its GitHub Actions workflow automatically pulled the malicious Axios package, exposing macOS code-signing and notarization materials used for ChatGPT Desktop, Codex, Atlas, and Codex CLI. The company revoked and rotated affected certificates, remediated the workflow issue, and urged macOS users to update.
Apr 3, 2026
Additional vendors tie the operation to DPRK-linked clusters
Subsequent reporting from CrowdStrike, Hunt.io, Sophos, and others linked the malware and infrastructure to DPRK-associated clusters such as STARDUST CHOLLIMA, TA444/BlueNoroff, and NICKEL GLADSTONE. These reports expanded the attribution debate while reinforcing a North Korea nexus.
Apr 3, 2026
Broader campaign against high-impact Node.js maintainers comes to light
Reporting on April 3 indicated other prominent Node.js and npm maintainers had been targeted with similar LinkedIn, Slack, and fake meeting lures. This reframed the Axios incident as part of a wider credential-theft and maintainer-compromise campaign.
Apr 2, 2026
Axios publishes post-mortem and remediation guidance
Axios disclosed that the malicious versions were 1.14.1 and 0.30.4, confirmed the maintainer compromise, and advised users to downgrade, remove plain-crypto-js, rotate secrets, and review logs for connections to the attacker infrastructure. The project also said it would strengthen release controls, including immutable releases and trusted publishing.
Apr 2, 2026
Axios maintainer confirms social engineering caused the account takeover
Jason Saayman later stated the compromise began with a targeted social-engineering campaign impersonating a legitimate company, leading to malware on his machine and theft of active browser sessions or credentials. He said he wiped devices, reset credentials, and began adopting stronger protections such as hardware security keys.
Apr 1, 2026
Microsoft links the campaign to Sapphire Sleet
Microsoft Threat Intelligence separately attributed the compromise and related infrastructure to Sapphire Sleet, another North Korea-linked actor designation. Microsoft also said the account used to create plain-crypto-js was associated with Sapphire Sleet infrastructure and had been disabled.
Apr 1, 2026
Google attributes the Axios compromise to UNC1069
Google Threat Intelligence Group attributed the operation to UNC1069, a financially motivated North Korea-linked threat actor, citing infrastructure overlap and use of WAVESHAPER.V2. This was a major attribution update that shifted the incident from an unknown actor to a named DPRK-linked cluster.
Mar 31, 2026
Researchers publish technical analysis and IOCs for the compromise
On March 31, multiple security firms publicly documented the attack chain, including the compromised versions, C2 infrastructure, malware behavior, and remediation guidance. Published details included hashes, filesystem artifacts, and network indicators tied to sfrclak[.]com and 142.11.206[.]73.
Mar 31, 2026
npm removes malicious Axios versions and security-holds plain-crypto-js
The malicious Axios releases were removed from npm after roughly three hours of exposure, and npm replaced plain-crypto-js with a security placeholder package to prevent further installs. Reports estimate the malicious packages were available for about 169 to 174 minutes.
Mar 31, 2026
Elastic files GitHub Security Advisory for coordinated disclosure
Elastic said it filed a GitHub Security Advisory to the Axios repository on March 31, 2026, to coordinate disclosure with maintainers and npm. This marked a formal incident-response step as the compromise was being investigated.
Mar 31, 2026
Early infections observed shortly after package publication
Huntress reported infections beginning 89 seconds after publication, and Sophos observed related telemetry around 00:45 UTC with broader impact by 01:00 UTC. These observations confirmed active exploitation during the short exposure window.
Mar 31, 2026
Socket flags plain-crypto-js@4.2.1 as malicious within minutes
Socket reported automatically identifying plain-crypto-js@4.2.1 as malicious within minutes of publication on March 31, 2026. This was one of the earliest public detections of the poisoned dependency chain.
Mar 31, 2026
Malicious plain-crypto-js dependency deploys cross-platform RAT
The injected dependency executed a postinstall script that downloaded and launched platform-specific malware for Windows, macOS, and Linux from sfrclak[.]com:8000, then attempted anti-forensic cleanup. Researchers described the payload family as a cross-platform RAT framework, including WAVESHAPER.V2 or related variants depending on vendor naming.
Mar 31, 2026
Compromised maintainer account publishes malicious Axios releases
Using stolen access to Axios maintainer jasonsaayman's npm account, the attacker published axios@1.14.1 and axios@0.30.4 directly to npm, bypassing the normal GitHub Actions/OIDC release workflow. The releases added plain-crypto-js@4.2.1 as a hidden dependency.
Mar 30, 2026
Elastic detects the Axios supply-chain campaign
Elastic Security Labs reported detecting the campaign on March 30, 2026, before broader public disclosure. The detection led to later coordinated disclosure efforts with the Axios project and npm.
Mar 30, 2026
Attacker stages benign plain-crypto-js package and C2 infrastructure
Before the Axios compromise, the attacker registered the sfrclak[.]com infrastructure and published a benign plain-crypto-js@4.2.0 package to prepare the dependency chain. Multiple reports say this staging occurred roughly 18 hours before the malicious Axios releases.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
5 more from sources like scworld, the hacker news, osint team blog, cyber security news and tech-insider.org
Related Stories
Critical Axios Flaw Enables Request Smuggling, IMDSv2 Bypass, and Cloud Compromise
A critical vulnerability in the Axios HTTP client library, tracked as **`CVE-2026-40175`**, allows attackers to turn polluted JavaScript object properties into malicious HTTP headers and abuse outbound requests for **SSRF**, **request smuggling**, and potential **remote code execution**. Researchers said the flaw stems from improper header handling in Axios’s HTTP adapter and unsafe config merging, which can let `Object.prototype` values containing CRLF characters be injected into requests. The issue can be chained with prototype pollution in other npm packages to target internal services, including the AWS EC2 metadata endpoint at `169.254.169.254`, potentially bypassing **IMDSv2** and exposing cloud credentials or broader infrastructure. A public proof-of-concept was released alongside disclosure, raising urgency for defenders even though active exploitation had not been confirmed at the time of reporting. The flaw affects Axios versions before **`1.13.2`**, while maintainers said **`1.15.0`** introduces strict header validation that blocks CRLF-based header injection; organizations were urged to upgrade and audit dependencies such as **`body-parser`**, **`qs`**, and **`minimist`** for prototype pollution paths. One report cited internet-wide estimates of more than **48,000** potentially exposed instances, underscoring the risk of unauthorized internal access and possible full cloud compromise.
2 weeks ago
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
1 months ago
Malicious npm Packages Stealing Developer Credentials Across Platforms
Security researchers have uncovered multiple campaigns involving malicious npm packages designed to steal developer credentials and sensitive information from Windows, macOS, and Linux systems. In one operation, ten typosquatted packages impersonated popular libraries such as TypeScript, discord.js, ethers.js, and others, using sophisticated obfuscation, fake CAPTCHA prompts, and postinstall hooks to deploy an information stealer that harvested credentials from system keyrings, browsers, and authentication services. The malware executed in a new terminal window to evade detection and sent stolen data, including IP addresses, to external servers. Another large-scale campaign, dubbed 'PhantomRaven,' involved 126 npm packages and over 86,000 downloads, targeting authentication tokens, CI/CD secrets, and GitHub credentials. These packages leveraged remote dynamic dependencies to fetch and execute payloads during installation, profiling infected devices and exfiltrating secrets for potential supply chain attacks. The attackers employed techniques such as slopsquatting, where AI-generated package recommendations led developers to install non-existent, malicious packages. Some packages impersonated tools from GitLab and Apache, and many remained available on npm at the time of reporting. The campaigns highlight the ongoing risks in the npm ecosystem, with attackers exploiting both user trust and platform weaknesses to compromise developer environments and CI/CD pipelines. Security experts warn that the theft of tokens and credentials could enable further attacks, including the introduction of malicious code into legitimate projects and broader supply chain compromises.
1 months ago