Critical Supply Chain Attack Hits Axios: Malicious npm Versions Linked to North Korean Group Sapphire Sleet

On March 31, 2026, the developer community faced a serious security incident involving Axios, one of the most widely used HTTP clients in JavaScript. Two newly published versions—1.14.1 and 0.30.4—were found to be malicious. These versions quietly introduced harmful code through a dependency, allowing attackers to deliver malware from a remote command-and-control (C2) server.

This attack has been linked to a North Korean threat group known as Sapphire Sleet, according to Microsoft Threat Intelligence. The scale of the risk is significant because Axios is used in millions of projects and receives over 70 million downloads every week.

What Actually Happened

Instead of directly modifying Axios’s core code, the attackers took a more subtle approach. They inserted a malicious dependency called [email protected]. This dependency didn’t affect how Axios works during runtime, which made the attack harder to detect.

The real damage happened during installation.

When developers ran npm install or updated dependencies, this injected package triggered a hidden script (setup.js). That script automatically connected to a remote server:

hxxp://sfrclak[.]com:8000/6202033

From there, it downloaded a second-stage payload—a remote access trojan (RAT)—tailored to the victim’s operating system.

Why This Attack Is Dangerous

This wasn’t just a simple malware drop. It was a classic supply chain attack, designed to spread through trusted software. Because many projects allow automatic updates using version ranges like ^1.14.0, thousands of systems unknowingly installed the compromised versions.

Even worse, the malicious code executed silently during installation. Developers wouldn’t see any warning, and their applications would continue working normally.

How the Malware Behaves

Once the malicious dependency runs, it identifies the operating system and sends a request to the attacker’s server using specific POST values:

  • macOS: packages.npm.org/product0
  • Windows: packages.npm.org/product1
  • Linux: packages.npm.org/product2

The same endpoint is used for all systems:

hxxp://sfrclak[.]com:8000/6202033
IP: 142.11.206[.]73

From there, different payloads are delivered.

macOS

On macOS, the malware installs a binary: /Library/Caches/com.apple.act.mond
SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a

It uses AppleScript to download and execute the file silently in the background.

Windows

Windows systems receive a PowerShell-based RAT: 6202033.ps1
SHA-256: ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
SHA-256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101

The attack chain creates persistence by adding a registry key:

HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate

It also drops: %PROGRAMDATA%\wt.exe
SHA-256: f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd

This ensures the malware runs again after every reboot.

Linux

Linux systems receive a Python-based payload: /tmp/ld.py
SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf

It runs in the background using nohup, making it less visible to users.

Stealth and Evasion Techniques

One of the most concerning aspects of this attack is how clean it looks after execution. The installer removes traces of itself, including:

  • Deleting setup.js
  • Replacing package.json with a clean version

This makes post-incident investigation much harder because the malicious trigger disappears.

What the RAT Can Do

Once installed, the RAT gives attackers deep control over the system. It can:

  • Collect system information (OS, hardware, processes)
  • Execute remote commands
  • Browse files and directories
  • Load additional payloads directly into memory
  • Maintain persistent communication with the C2 server

To avoid detection, it uses encoded HTTP requests and minimizes files written to disk.

What You Should Do Immediately

If you’ve used Axios recently, especially with auto-updates enabled, take action right away:

  • Downgrade to safe versions: 1.14.0 or 0.30.3
  • Rotate all credentials and API keys
  • Clear npm cache: npm cache clean --force
  • Search for suspicious files like:
  • Check network logs for: sfrclak[.]com and 142.11.206[.]73:8000
  • Disable automatic dependency updates
  • Use exact version pinning instead of ^ or ~

For stronger protection, consider disabling install scripts:

npm config set ignore-scripts true
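
An added example, not part of the original article or of the Axios project: a Node.js audit that checks a project against the steps above. It flags Axios declared with a floating range, any installed copy at 1.14.1 or 0.30.4, and packages the lockfile marks as having install scripts; the sample inputs and the package name example-dep are constructed.

```javascript
// Versions the article names as malicious.
const COMPROMISED = new Map([['axios', new Set(['1.14.1', '0.30.4'])]]);

// Yield every installed package from a package-lock.json: the flat "packages"
// map (lockfileVersion 2/3) or the nested "dependencies" tree (version 1).
function* installed(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // "" is the root project itself
      const name = meta.name || path.split('node_modules/').pop();
      yield { name, path, version: meta.version, script: !!meta.hasInstallScript };
    }
  } else {
    yield* walkV1(lock.dependencies || {}, '');
  }
}
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, path, version: meta.version, script: false }; // v1 does not record scripts
    yield* walkV1(meta.dependencies || {}, `${path}/`);
  }
}

// Only a bare x.y.z counts as pinned; ^, ~, ranges, tags and URLs can all move.
const isFloating = (spec) => !/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(spec.trim());

function audit(pkg, lock) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = (pkg[field] || {}).axios;
    if (spec && isFloating(spec)) findings.push(`floating-range ${field}.axios=${spec}`);
  }
  for (const p of installed(lock)) {
    const where = `${p.path}@${p.version}`;
    if (COMPROMISED.get(p.name)?.has(p.version)) findings.push(`compromised ${where}`);
    else if (p.script) findings.push(`install-script ${where}`);
  }
  return findings;
}
// Constructed sample inputs; "example-dep" is a hypothetical package name.
const samplePkg = { dependencies: { axios: '^1.14.0' } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/example-dep': { version: '1.0.0', hasInstallScript: true },
  'node_modules/example-dep/node_modules/axios': { version: '0.30.3' },
} };
console.log(audit(samplePkg, sampleLock).join('\n'));
```

To audit a real project, pass the parsed package.json and package-lock.json to audit() in place of the sample objects.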

Who Is Behind This

Sapphire Sleet is a North Korean state-backed group active since at least 2020. They are known for targeting financial systems, especially cryptocurrency platforms. Their main goal is financial gain through theft of digital assets and sensitive data.


| Indicator | Type | Description |
|---|---|---|
| sfrclak[.]com | C2 domain | Resolves to 142.11.206[.]73. Registrar: NameCheap, Inc |
| 142.11.206[.]73 | C2 IP | Sapphire Sleet C2 IP. Port 8000, HTTP |
| hxxp://sfrclak[.]com:8000/6202033 | C2 URL | Static path across all variants |
| %TEMP%\6202033.vbs | Windows VBScript dropper | Created by node setup.js |
| %TEMP%\6202033.ps1 | Windows PowerShell payload | Downloaded from C2, self-deleting. SHA-256: ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c; SHA-256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 |
| %PROGRAMDATA%\system.bat | File created by PowerShell | SHA-256: f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd |
| C:\ProgramData\wt.exe | Windows LOLBin | Windows Terminal copy, used as PowerShell proxy |
| /Library/Caches/com.apple.act.mond | macOS binary | SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a |
| /tmp/ld.py | Linux loader | SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf |
| packages.npm.org/product1 | npm identifier (Windows) | Sent as POST body to C2 |
| packages.npm.org/product0 | npm identifier (macOS) | Sent as POST body to C2 |

Our Opinion on This Incident

This attack highlights a growing problem in modern software development: over-reliance on trust in open-source ecosystems. Developers often assume that widely used libraries are safe, but this incident proves that even the most popular tools can become attack vectors overnight.

What makes this case especially concerning is how subtle the attack was. Instead of breaking functionality or raising alarms, it quietly used the installation process itself as the entry point. That means traditional testing and runtime monitoring would not easily catch it.

In our view, the biggest lesson here is the need for stricter dependency control. Automatic updates, while convenient, introduce real risk when not monitored properly. Teams should move toward version pinning, better audit practices, and controlled CI/CD pipelines.

Another key takeaway is visibility. Many organizations still lack proper monitoring of build systems and developer environments. Attackers are clearly shifting focus to these areas because they are often less protected than production systems.

Overall, this incident is a wake-up call. Security is no longer just about protecting servers—it now starts at the very first line of code you install.