It takes exactly 15 seconds. From the moment a developer types npm install axios to the moment a North Korean Remote Access Trojan (RAT) establishes a persistent backdoor on their machine. No firewall alerts. No immediate antivirus alarms. Just silent, total compromise.
March 2026 supply chain compromise of the Axios NPM package represents the absolute nightmare scenario for modern enterprise defense. Axios is a massively popular JavaScript HTTP client library boasting over 100 million weekly downloads. By compromising a single maintainer account, threat actors turned one of the internet’s most trusted building blocks into a weapon of mass distribution.
Today, we are moving past the headlines. We are going to break down exactly how this attack happened in plain English, map the attacker’s behaviors directly to the MITRE ATT&CK Framework, and look at the exact detection rules you need to catch threats like this in the wild.
Infographic conceptualized with AI
The Simple Explanation: The Bank and the Coffee Shop
If you aren’t deep into software engineering, the concept of a “transitive dependency poisoning” can sound like gibberish. Let’s simplify it.
Imagine a highly secure bank. It has armed guards, steel vaults, and laser alarms (these are your company’s Firewalls, EDRs, and SOC team). It is almost impossible to break into this bank from the outside. However, the bank guards order coffee every single morning from a trusted local cafe.
Instead of attacking the bank directly, a master thief steals the identity of the cafe manager. The thief slips a sleeping pill into the specific bag of coffee beans bound for the bank. The next morning, the automated delivery driver arrives at the bank. The guards check the ID, see it’s their trusted coffee supplier, and open the doors. The guards drink the coffee, fall asleep, and the thief easily walks into the vault.
In the Axios attack:
- The Secure Bank = Your company’s secure internal network or developer workstation.
- The Trusted Cafe = The Axios NPM package.
- The Poisoned Coffee = A hidden, malicious package injected into Axios called
plain-crypto-js. - The Delivery Driver = The automated
npm installcommand and itspostinstallhook.
The attacker bypassed the entire multi-million dollar security stack without firing a single shot at the perimeter.
Mapping the Attack Lifecycle (MITRE ATT&CK)
When a Tier-3 defender analyzes an attack, we don’t just look at file hashes (IoCs)—we look at behaviors (TTPs). By mapping the Axios attack to the MITRE matrix, we can understand exactly how the North Korean threat actors (tracked as UNC1069 or Sapphire Sleet) executed their campaign.
1. Initial Access (Getting a foot in the door)
The attackers did not exploit a vulnerability in Axios’s code. Instead, they hijacked the legitimate NPM account of the lead Axios maintainer.
- Tactic: Initial Access (TA0001)
- Technique: Valid Accounts (T1078)
- Technique: Supply Chain Compromise (T1195.002)
- The Procedure: The attacker published two backdoored releases (Axios 1.14.1 and 0.30.4). They injected a “phantom dependency” named
plain-crypto-jsinto the package.
- The Procedure: The attacker published two backdoored releases (Axios 1.14.1 and 0.30.4). They injected a “phantom dependency” named
2. Execution (Running the malicious code)
When a developer (or a CI/CD pipeline) installed the poisoned Axios update, the system automatically resolved the dependency tree and pulled down the malware.
- Tactic: Execution (TA0002)
- Technique: Command and Scripting Interpreter: JavaScript (T1059.007)
- The Procedure: The malware abused NPM’s legitimate
postinstallhook to silently execute a heavily obfuscated Node.js dropper script namedsetup.jsin the background.
- The Procedure: The malware abused NPM’s legitimate
3. Defense Evasion (Hiding from the security guards)
This is where the attackers showed their sophistication. To execute the final payload on Windows, the JavaScript dropper needed a stronger tool. It copied the legitimate Windows powershell.exe, moved it to a hidden folder (C:\ProgramData\), and renamed it to wt.exe (masquerading as the Windows Terminal app).
- Tactic: Defense Evasion (TA0005)
- Technique: Masquerading (T1036.003)
- Technique: Indicator Removal on Host (T1070.004)
- The Procedure: After executing, the
setup.jsdropper performed aggressive anti-forensic cleanup. It deleted itself, removed thepostinstallhook, and replaced the tampered package metadata with clean versions to erase its tracks.
- The Procedure: After executing, the
The Escape: Exfiltration & Command and Control
How does the data actually get out of the company? Firewalls are great at blocking attackers from coming in, but they struggle to stop things from going out.
The malware deployed in this attack (the WAVESHAPER.V2 RAT) uses a classic “Reverse Connection.” Instead of the North Korean hackers trying to push through your firewall, the malware installed on the developer’s machine is programmed to “phone home.”
- Tactic: Command and Control (TA0011)
- Technique: Web Protocols (T1071.001)
The WAVESHAPER RAT scrapes the developer’s machine for AWS keys, npm tokens, and CI/CD secrets. It encrypts this loot and sends it outbound to the attacker’s Command and Control (C2) server located at sfrclak[.]com:8000 (IP: 142.11.206.73). To the firewall, this outbound connection just looks like routine web traffic, allowing the stolen data to walk right out the front door.
Hunting the Threat: Tier-3 Detection Rules
If you rely purely on static antivirus signatures, a self-deleting script and a renamed native Windows binary will beat you every time. You must hunt for the behavior.
Here are two Sigma rules that target the core anomalies of the Axios compromise. You can translate these directly into Splunk, Microsoft Sentinel, or Elastic.
Rule 1: Detecting the Renamed PowerShell (Behavioral) This rule catches the defense evasion phase. Even if the attacker renames the file to wt.exe, the internal metadata (the OriginalFileName) still proves it is PowerShell.
title: Potential Axios Supply Chain RAT Dropper - Renamed PowerShellid: 5a9b2c3d-xxxx-xxxx-xxxx-xxxxxxxxxxxxstatus: stabledescription: Detects the execution of a renamed PowerShell binary as 'wt.exe' in the ProgramData directory, a behavior associated with the WAVESHAPER RAT deployed in the Axios NPM compromise.author: SOC Analysttags: - attack.execution - attack.defense_evasion - attack.t1059.001 - attack.t1036.003logsource: category: process_creation product: windowsdetection: selection: Image|endswith: '\ProgramData\wt.exe' OriginalFileName: 'PowerShell.EXE' condition: selectionfalsepositives: - None expected. The legitimate wt.exe does not have an OriginalFileName of PowerShell.EXE.level: highRule 2: Detecting the C2 Network Beaconing This rule targets the exact known malicious infrastructure used by the plain-crypto-js package to exfiltrate data.
title: Axios Supply Chain RAT C2 Network Communicationid: 7f8a9b2c-xxxx-xxxx-xxxx-xxxxxxxxxxxxstatus: stabledescription: Detects outbound network connections to the known Command and Control (C2) infrastructure associated with the Axios (plain-crypto-js) NPM supply chain attack.author: SOC Analysttags: - attack.command_and_control - attack.exfiltration - attack.t1071.001logsource: category: network_connection product: windowsdetection: selection_domain: DestinationHostname: 'sfrclak.com' selection_ip: DestinationIp: '142.11.206.73' selection_port: DestinationPort: 8000 condition: 1 of selection_*falsepositives: - None. This is dedicated malicious infrastructure.level: criticalThe Takeaway
The Axios compromise is a stark reminder that legacy security architecture is failing. We can no longer assume that software is safe simply because it comes from a historically trusted source. Modern cyber defense requires us to monitor the runtime behavior of our applications, restrict automated script executions in our CI/CD pipelines, and map our detection capabilities directly to the MITRE ATT&CK framework.
You cannot defend against what you do not understand. Shift your focus from the weapons to the behaviors, and stay tactical.
Leave a Reply