A serious supply chain security attack has been revealed, targeting Axios, one of the most widely used JavaScript HTTP client libraries worldwide. If your applications, CI/CD pipelines, or development tools depend on npm packages, this threat may directly affect you. The risk can remain even after a standard package update.
What Happened?
On March 30, 2026, a serious supply chain attack hit the official Axios npm package. Researchers discovered that versions 1.14.1 and 0.30.4 of Axios, uploaded to the npm registry, were affected. The attack happened after someone took control of a legitimate maintainer’s account. This allowed the attacker to publish unauthorized package updates that looked completely legitimate to both end users and automated systems.
These tampered releases added a harmful dependency that runs automatically during installation. This dependency installs a cross-platform Remote Access Trojan (RAT), putting Windows, macOS, and Linux systems at risk.
“The affected releases introduced a malicious dependency that executes during installation and deploys a cross‑platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform‑specific second‑stage payloads.”
— Sophos Counter Threat Unit Research Team
Who Is Behind This Attack?
This is not simply a random attack. Research from Sophos Counter Threat Unit (CTU) shows that forensic analysis of the Axios npm breach uncovered evidence closely linked to the NICKEL GLADSTONE threat group, a state-sponsored group aimed at profiting the North Korean regime.
The evidence linking this attack to NICKEL GLADSTONE includes identical forensic metadata, matching command-and-control (C2) patterns, and ties to malware associated only with this group. Sophos researchers believe it is very likely that NICKEL GLADSTONE is behind these attacks.
How Does the Malware Work?
The attack chain aims to be stealthy and persistent. Here is what occurs after a compromised version of Axios is installed:
- Installation Trigger: The malicious dependency executes a
setup.jsscript automatically during thenpm installprocess — no additional user action required. - First-Stage Payload: The script reaches out to a C2 server (
sfrclak[.]com:8000) and downloads a platform-specific first-stage payload (e.g.,system.baton Windows). - Cross-Platform RAT Deployment: Second-stage payloads are then retrieved and executed, a PowerShell RAT on Windows, a Python-based payload (
ld.py) on Linux, and a daemon (com.apple.act.mond) on macOS. - Evidence Removal: After execution, the Malware removes installation artifacts and replaces its own package metadata with a clean version to actively evade forensic detection.
- Persistence: The Malware establishes persistence mechanisms, particularly on Windows, via
C:\ProgramData\wt.exeandC:\ProgramData\system.bat.
This self-cleaning behavior is particularly risky. Just updating the Axios package does not ensure your system is clean. The malware may already have established a lasting presence before you applied any fix.
Which Platforms Are Affected?
Sophos first detected activity in customer telemetry at about 00:45 UTC on March 31, 2026. They noted widespread impact by 01:00 UTC. The malware is cross-platform and confirmed to target:
🪟 Windows
PowerShell-based RAT dropped via system.bat. Persists at C:\ProgramData\wt.exe.
🍎 macOS
Malicious daemon disguised as com.apple.act.mond a legitimate Apple process.
🐧 Linux
Python-based payload (ld.py) deployed for remote access and credential theft.
Why Should You Care, Even If You Don’t Use Axios Directly?
Axios is one of the most downloaded npm packages in the ecosystem and is used by millions of JavaScript and Node.js projects. The risk isn’t just for developers who directly include Axios in their package.json. Here are some exposure scenarios to think about:
- Transitive dependency exposure: Another package you use may depend on Axios behind the scenes. You may have installed the compromised version without knowing.
- CI/CD pipeline risk: Automated build and deployment pipelines running
npm installduring the affected window could have pulled down the malicious version. - Developer workstations: Any developer who ran an install on March 30–31, 2026, within the affected timeframe may have an active RAT on their machine.
- Cloud and container builds: Docker images or serverless functions built during the affected window may contain malware and could be running in production right now.
What You Should Do Right Now
Do not wait. If there is any chance your environment was exposed, treat it as a possible compromise. Here are the steps recommended by Sophos CTU researchers and the wider security community:
1. Audit Your Axios Versions
Check all projects and environments (including Docker images, CI/CD runners, and developer machines) for Axios versions 1.14.1 or 0.30.4. Run:
npm list axios --depth=102. Update to a Clean Version Immediately
Update to the latest safe, verified release of Axios from the official npm registry. Confirm the integrity of the version using the SHA256 hashes published by Sophos (listed in the Indicators section below).
3. Audit System and Application Logs
Review logs for unusual network connections, especially any outbound traffic to sfrclak[.]com or 142[.]11[.]206[.]73. Look for suspicious process creation, unexpected PowerShell execution, or unusual startup items.
4. Check for Persistence Indicators
On Windows systems, check for the existence of:
C:\ProgramData\wt.exe
C:\ProgramData\system.batOn macOS, check for unauthorized launch daemons or agents named com.apple.act.mond. On Linux, look for unexpected Python scripts, particularly ld.py.
5. Rebuild Compromised Environments
If you have confirmed that the malicious version was installed, do not simply remove the package and move on. The Malware self-removes its tracks. Treat any affected machine as fully compromised, rebuild from a clean baseline, and rotate all secrets, tokens, API keys, and credentials that may have been accessible from that environment.
Threat Indicators (IOCs)
Sophos has published the following indicators of compromise (IOCs) to detect activity related to this threat. Note: Do not navigate to these URLs or domains in a browser.
| Indicator | Type | Context |
|---|---|---|
5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd | SHA256 | Malicious Axios 1.14.1 package |
59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f | SHA256 | Malicious Axios 0.30.4 package |
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SHA256 | Artifact: setup.js (installer payload) |
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | SHA256 | Windows 2nd-stage PowerShell RAT |
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | SHA256 | macOS payload (com.apple.act.mond) |
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | SHA256 | Linux payload (ld.py) |
sfrclak[.]com | Domain | C2 server |
callnrwise[.]com | Domain | Linked to attackers |
142[.]11[.]206[.]73 | IP Address | C2 server |
hxxp://sfrclak[.]com:8000/6202033 | URL | Second-stage payload download URL |
Sophos Detections
If you are running Sophos endpoint protection, the following detection signatures cover this threat:
JS/Agent-BLYBTroj/PSAgent-CNTroj/PyAgent-BZOSX/NukeSped-CBWIN-EVA-PRC-RENAMED-POWERSHELL-1
The Bigger Picture: Supply Chain Security
This incident highlights the risks in today’s software supply chains. We create applications using many open-source dependencies, and each one can be a target for an attacker. Just one hacked maintainer account was enough to introduce malware into a package that has tens of millions of weekly downloads.
Organizations should see this as a wake-up call to rethink their approach to dependency security.
- Use lockfiles (
package-lock.jsonoryarn.lock) and verify integrity hashes. - Consider private npm registries or dependency proxies that allow controlled vetting before packages reach your pipelines.
- Implement runtime monitoring on build environments to detect unexpected network connections during install steps.
- Enable two-factor authentication (2FA) on all npm accounts, especially those with publish rights.
- Use tools like Socket.dev, Aikido Security, or similar SCA (Software Composition Analysis) platforms to flag malicious or compromised packages in real time.
📚 References & Further Reading
- 🔗 Sophos CTU Research: Axios npm package compromised to deploy Malware
- 🔗 Socket.dev: Axios npm Package Compromised
- 🔗 StepSecurity: Axios Compromised on npm — Malicious Versions Drop Remote Access Trojan
- 🔗 Aikido Security: Axios npm Compromised — Maintainer Hijacked, RAT Deployed
This post is intended for informational purposes. IOCs and indicators sourced from Sophos Counter Threat Unit™ research. Always verify threat intelligence with your internal security team before acting on it.
