Critical Security Alert: Axios npm Package Compromised to Deploy Malware

Axios npm Package Compromised

A serious supply chain security attack has been revealed, targeting Axios, one of the most widely used JavaScript HTTP client libraries worldwide. If your applications, CI/CD pipelines, or development tools depend on npm packages, this threat may directly affect you. The risk can remain even after a standard package update.

What Happened?

On March 30, 2026, a serious supply chain attack hit the official Axios npm package. Researchers discovered that versions 1.14.1 and 0.30.4 of Axios, uploaded to the npm registry, were affected. The attack happened after someone took control of a legitimate maintainer’s account. This allowed the attacker to publish unauthorized package updates that looked completely legitimate to both end users and automated systems.

These tampered releases added a harmful dependency that runs automatically during installation. This dependency installs a cross-platform Remote Access Trojan (RAT), putting Windows, macOS, and Linux systems at risk.

“The affected releases introduced a malicious dependency that executes during installation and deploys a cross‑platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform‑specific second‑stage payloads.”

— Sophos Counter Threat Unit Research Team

Who Is Behind This Attack?

This is not simply a random attack. Research from Sophos Counter Threat Unit (CTU) shows that forensic analysis of the Axios npm breach uncovered evidence closely linked to the NICKEL GLADSTONE threat group, a state-sponsored group aimed at profiting the North Korean regime.

The evidence linking this attack to NICKEL GLADSTONE includes identical forensic metadata, matching command-and-control (C2) patterns, and ties to malware associated only with this group. Sophos researchers believe it is very likely that NICKEL GLADSTONE is behind these attacks.

How Does the Malware Work?

The attack chain aims to be stealthy and persistent. Here is what occurs after a compromised version of Axios is installed:

  1. Installation Trigger: The malicious dependency executes a setup.js script automatically during the npm install process — no additional user action required.
  2. First-Stage Payload: The script reaches out to a C2 server (sfrclak[.]com:8000) and downloads a platform-specific first-stage payload (e.g., system.bat on Windows).
  3. Cross-Platform RAT Deployment: Second-stage payloads are then retrieved and executed, a PowerShell RAT on Windows, a Python-based payload (ld.py) on Linux, and a daemon (com.apple.act.mond) on macOS.
  4. Evidence Removal: After execution, the Malware removes installation artifacts and replaces its own package metadata with a clean version to actively evade forensic detection.
  5. Persistence: The Malware establishes persistence mechanisms, particularly on Windows, via C:\ProgramData\wt.exe and C:\ProgramData\system.bat.

This self-cleaning behavior is particularly risky. Just updating the Axios package does not ensure your system is clean. The malware may already have established a lasting presence before you applied any fix.

Which Platforms Are Affected?

Sophos first detected activity in customer telemetry at about 00:45 UTC on March 31, 2026. They noted widespread impact by 01:00 UTC. The malware is cross-platform and confirmed to target:

🪟 Windows

PowerShell-based RAT dropped via system.bat. Persists at C:\ProgramData\wt.exe.

🍎 macOS

Malicious daemon disguised as com.apple.act.mond a legitimate Apple process.

🐧 Linux

Python-based payload (ld.py) deployed for remote access and credential theft.

Why Should You Care, Even If You Don’t Use Axios Directly?

Axios is one of the most downloaded npm packages in the ecosystem and is used by millions of JavaScript and Node.js projects. The risk isn’t just for developers who directly include Axios in their package.json. Here are some exposure scenarios to think about:

  • Transitive dependency exposure: Another package you use may depend on Axios behind the scenes. You may have installed the compromised version without knowing.
  • CI/CD pipeline risk: Automated build and deployment pipelines running npm install during the affected window could have pulled down the malicious version.
  • Developer workstations: Any developer who ran an install on March 30–31, 2026, within the affected timeframe may have an active RAT on their machine.
  • Cloud and container builds: Docker images or serverless functions built during the affected window may contain malware and could be running in production right now.

What You Should Do Right Now

Do not wait. If there is any chance your environment was exposed, treat it as a possible compromise. Here are the steps recommended by Sophos CTU researchers and the wider security community:

1. Audit Your Axios Versions

Check all projects and environments (including Docker images, CI/CD runners, and developer machines) for Axios versions 1.14.1 or 0.30.4. Run:

npm list axios --depth=10

2. Update to a Clean Version Immediately

Update to the latest safe, verified release of Axios from the official npm registry. Confirm the integrity of the version using the SHA256 hashes published by Sophos (listed in the Indicators section below).

3. Audit System and Application Logs

Review logs for unusual network connections, especially any outbound traffic to sfrclak[.]com or 142[.]11[.]206[.]73. Look for suspicious process creation, unexpected PowerShell execution, or unusual startup items.

4. Check for Persistence Indicators

On Windows systems, check for the existence of:

C:\ProgramData\wt.exe
C:\ProgramData\system.bat

On macOS, check for unauthorized launch daemons or agents named com.apple.act.mond. On Linux, look for unexpected Python scripts, particularly ld.py.

5. Rebuild Compromised Environments

If you have confirmed that the malicious version was installed, do not simply remove the package and move on. The Malware self-removes its tracks. Treat any affected machine as fully compromised, rebuild from a clean baseline, and rotate all secrets, tokens, API keys, and credentials that may have been accessible from that environment.

Threat Indicators (IOCs)

Sophos has published the following indicators of compromise (IOCs) to detect activity related to this threat. Note: Do not navigate to these URLs or domains in a browser.

IndicatorTypeContext
5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cdSHA256Malicious Axios 1.14.1 package
59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0fSHA256Malicious Axios 0.30.4 package
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09SHA256Artifact: setup.js (installer payload)
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101SHA256Windows 2nd-stage PowerShell RAT
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645aSHA256macOS payload (com.apple.act.mond)
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cfSHA256Linux payload (ld.py)
sfrclak[.]comDomainC2 server
callnrwise[.]comDomainLinked to attackers
142[.]11[.]206[.]73IP AddressC2 server
hxxp://sfrclak[.]com:8000/6202033URLSecond-stage payload download URL

Sophos Detections

If you are running Sophos endpoint protection, the following detection signatures cover this threat:

  • JS/Agent-BLYB
  • Troj/PSAgent-CN
  • Troj/PyAgent-BZ
  • OSX/NukeSped-CB
  • WIN-EVA-PRC-RENAMED-POWERSHELL-1

The Bigger Picture: Supply Chain Security

This incident highlights the risks in today’s software supply chains. We create applications using many open-source dependencies, and each one can be a target for an attacker. Just one hacked maintainer account was enough to introduce malware into a package that has tens of millions of weekly downloads.

Organizations should see this as a wake-up call to rethink their approach to dependency security.

  • Use lockfiles (package-lock.json or yarn.lock) and verify integrity hashes.
  • Consider private npm registries or dependency proxies that allow controlled vetting before packages reach your pipelines.
  • Implement runtime monitoring on build environments to detect unexpected network connections during install steps.
  • Enable two-factor authentication (2FA) on all npm accounts, especially those with publish rights.
  • Use tools like Socket.dev, Aikido Security, or similar SCA (Software Composition Analysis) platforms to flag malicious or compromised packages in real time.

📚 References & Further Reading


This post is intended for informational purposes. IOCs and indicators sourced from Sophos Counter Threat Unit™ research. Always verify threat intelligence with your internal security team before acting on it.

Scroll to Top