Two malicious Axios npm releases (axios@1.14.1 and axios@0.30.4) added a runtime dependency, plain-crypto-js (declared as plain-crypto-js@^4.2.1), whose post-install hook downloads OS-specific RAT payloads from a Sapphire Sleet-controlled C2 (hxxp://sfrclak[.]com:8000/6202033). Users of the affected versions should immediately rotate credentials, roll back to a safe Axios version (1.14.0 or 0.30.3), disable auto-updates, and follow the mitigations below. #SapphireSleet #Axios
Keypoints
- Malicious Axios releases (1.14.1 and 0.30.4) added a fake dependency, plain-crypto-js (declared as plain-crypto-js@^4.2.1), whose postinstall script fetches a second-stage RAT from a single C2.
- The attack relied on install-time execution: a postinstall hook (node setup.js) runs during npm install or npm update, so a host is infected by merely installing the package, silently, on developer workstations and CI/CD systems, without the application ever calling Axios.
- The C2 domain sfrclak[.]com (resolving to 142.11.206[.]73) served platform-specific payloads from a single static path (/6202033); the loader selects the payload by POSTing one of packages.npm.org/product0, product1 or product2 (macOS, Windows and Linux respectively).
- Second-stage payloads: a macOS native binary (/Library/Caches/com.apple.act.mond); a Windows PowerShell script (6202033.ps1) that persists via an HKCU Run key and a copy at %PROGRAMDATA%\wt.exe; and a Linux Python loader (/tmp/ld.py).
- Microsoft Defender detections blocked and alerted on multiple stages; Microsoft disabled the publisher account behind the malicious plain-crypto-js package and added protections and hunting queries for affected customers.
- Immediate remediation: roll back to a safe Axios version, clear the npm cache, rotate secrets, remove the dropped files, pin or override package versions, and disable postinstall scripts (npm's ignore-scripts setting) where feasible.
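The install-time path described in the keypoints above (a postinstall hook on a transitive dependency) is also where a defender can check cheaply: read the lockfile before running npm install. The script below is an added example, not code from the advisory, from Microsoft or from the Axios project. It assumes npm's lockfile layout v1 (a nested "dependencies" tree) or v2/v3 (a flat "packages" map), flags the Axios versions named above and every version of plain-crypto-js, and surfaces any other package the lockfile marks with hasInstallScript. The sample lockfile and the plain-crypto-js manifest embedded at the bottom are constructed for the demo.

```python
"""Audit an npm package-lock.json for the malicious Axios / plain-crypto-js versions.

Added example; not code from the advisory, from Microsoft or from the Axios project.
Assumes npm lockfile layout v1 ("dependencies" tree) or v2/v3 ("packages" map).
"""
import json
import sys

# Versions named in the advisory. None means: flag every version of that package.
MALICIOUS_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": None,
}
SAFE_AXIOS = {"1.14.0", "0.30.3"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # lifecycle scripts npm runs at install time


def _walk_v1(deps, path=()):
    """Depth-first walk of a lockfileVersion 1 'dependencies' tree, yielding (path, meta)."""
    for name, meta in deps.items():
        yield path + (name,), meta
        yield from _walk_v1(meta.get("dependencies") or {}, path + (name,))


def iter_packages(lock):
    """Yield (name, version, meta, location) for every dependency in a v1, v2 or v3 lockfile."""
    if "packages" in lock:  # lockfileVersion 2 and 3
        for key, meta in lock["packages"].items():
            if key == "":  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or key.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version", ""), meta, key
    elif "dependencies" in lock:  # lockfileVersion 1
        for path, meta in _walk_v1(lock["dependencies"]):
            yield path[-1], meta.get("version", ""), meta, "node_modules/" + "/node_modules/".join(path)


def is_malicious(name, version):
    bad = MALICIOUS_VERSIONS.get(name, set())
    return bad is None or version in bad


def install_hooks(package_json):
    """Return the install-time lifecycle scripts a package.json would make npm execute."""
    scripts = package_json.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_lockfile(lock):
    """Findings: 'critical' for advisory matches, 'review' for other packages that ship install scripts."""
    findings = []
    for name, version, meta, where in iter_packages(lock):
        if is_malicious(name, version):
            action = (f"pin axios to one of {sorted(SAFE_AXIOS)}" if name == "axios"
                      else "remove the package and treat the host as compromised")
            findings.append({"severity": "critical", "package": f"{name}@{version}",
                             "where": where, "action": action})
        elif meta.get("hasInstallScript"):  # v2/v3 lockfiles record packages with install scripts
            findings.append({"severity": "review", "package": f"{name}@{version}",
                             "where": where, "action": "inspect its install scripts before npm install"})
    return findings


# Constructed sample lockfile (v3 layout) reproducing the dependency chain from the advisory.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "^4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/esbuild": {"version": "0.21.5", "hasInstallScript": True},
    },
}
# Constructed manifest carrying the install trigger quoted in the advisory ("node setup.js").
SAMPLE_MANIFEST = {"name": "plain-crypto-js", "version": "4.2.1",
                   "scripts": {"postinstall": "node setup.js"}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"[{f['severity']}] {f['package']} at {f['where']}: {f['action']}")
    print("install hooks in sample manifest:", install_hooks(SAMPLE_MANIFEST))
```

Run it against a real lockfile with `python audit_lock.py package-lock.json` (path name assumed) in CI before `npm ci`. Pair it with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) so that a lockfile change cannot execute code before a human has looked at it; since that also silences legitimate install scripts (native builds), the packages reported as 'review' are the allow-list you need to maintain. Pinning with an `overrides` block in package.json is how to force a safe Axios version even when it arrives transitively.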
MITRE Techniques
- [T1195] Supply Chain Compromise – The adversary poisoned a widely used npm package (Axios) and injected a malicious dependency to gain execution downstream at install time. Quote: ‘two malicious versions of Axios npm packages were released… add plain-crypto-js@^4.2.1 as a dependency’
- [T1105] Ingress Tool Transfer – The postinstall hook downloaded second-stage RAT payloads from an attacker-controlled server. Quote: ‘connects to hxxp://sfrclak[.]com:8000/6202033 to fetch the next stage.’
- [T1059] Command and Scripting Interpreter – The attack chained several interpreters (node, PowerShell, AppleScript, Python, VBScript, shell) to reconstruct strings and run payloads. Quote: ‘node setup.js … launches hidden cmd.exe to POST packages.npm.org/product1 … executes it with hidden window and execution-policy bypass’
- [T1027] Obfuscated Files or Information – setup.js used layered obfuscation to reconstruct sensitive strings at runtime, hiding its intent from static inspection and signature-based detection. Quote: ‘uses layered obfuscation to reconstruct sensitive strings (module names, platform identifiers, file paths, and command templates) at runtime.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication used plain HTTP POST to a single URL (port 8000) for both command-and-control and payload retrieval. Quote: ‘POST bodies packages.npm.org/product0|product1|product2 … hxxp://sfrclak[.]com:8000/6202033’
- [T1547.001] Registry Run Keys / Startup Folder – Windows persistence was established by adding a value under the HKCU Run key, so the RAT is re-fetched whenever the user signs in. Quote: ‘adds a registry run key at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate to enable re-fetching of RAT after every reboot.’
- [T1070.004] Indicator Removal on Host: File Deletion – The installer removed its own loader and manifest to hinder post-incident inspection. Quote: ‘removes its own loader (setup.js) and removes the manifest (package.json) that contained the install trigger.’
- [T1082] System Information Discovery – The Windows PowerShell RAT collected detailed system and hardware information to generate a host identifier and an inventory. Quote: ‘generates a unique host identifier, collects detailed system and hardware information (including OS version, boot time, installed hardware, and running processes)’
- [T1036.005] Masquerading: Match Legitimate Name or Location – The payloads used benign-looking filenames and locations (for example wt.exe and com.apple.act.mond) to blend in and evade detection. Quote: ‘copies and renames the PowerShell into %PROGRAMDATA%\wt.exe (masquerading as a benign-looking executable name)’
Indicators of Compromise
- [Domain] C2 domain – sfrclak[.]com
- [IP address] C2 IP (VPS hosting) – 142.11.206[.]73
- [URL] C2 URL/path – hxxp://sfrclak[.]com:8000/6202033
- [Packages / Versions] Malicious npm packages and versions – axios@1.14.1, axios@0.30.4, and plain-crypto-js (pulled in as plain-crypto-js@^4.2.1)
- [File path / filename] macOS artifact and location – /Library/Caches/com.apple.act.mond (SHA-256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a)
- [File path / filename] Windows artifacts and locations – %TEMP%\6202033.ps1 (PowerShell payload, SHA-256: ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c), %PROGRAMDATA%\wt.exe (persistent proxy executable)
- [File path / filename] Linux artifact and location – /tmp/ld.py (Python loader, SHA-256: fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf)
- [Hashes] Example SHA-256 hashes – 92ff0877… (macOS binary), ed8560c1… (Windows PowerShell payload), and 3 more hashes
- [Registry key] Persistence indicator – HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate (Run value created by the RAT)
- [HTTP POST identifiers] Client POST body indicators – packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux)
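The indicators above are printed defanged (hxxp, [.]), the registry key in PowerShell drive syntax (HKCU:\...) and the Windows paths with unexpanded environment variables, none of which is what proxy, DNS or EDR telemetry actually contains. The script below is an added example, not code from the advisory or from Microsoft: it refangs the network indicators, matches env-var paths on their tail so the expanded form is caught, normalises HKEY_CURRENT_USER to HKCU and matches key and value name as separate fields, and maps a POST body back to the platform it requests. The log lines embedded at the bottom are constructed for the demo; the field layout is an assumption.

```python
"""Match the advisory's defanged indicators against host and network log lines.

Added example; not code from the advisory or from Microsoft. The log lines are
constructed for the demo. Indicators are copied from the IoC list above.
"""
import re

IOCS = {
    "domain": ["sfrclak[.]com"],
    "ip": ["142.11.206[.]73"],
    "url": ["hxxp://sfrclak[.]com:8000/6202033"],
    "sha256": [
        "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",  # macOS com.apple.act.mond
        "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c",  # Windows 6202033.ps1
        "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf",  # Linux /tmp/ld.py
    ],
    "path": ["/Library/Caches/com.apple.act.mond", "/tmp/ld.py",
             r"%TEMP%\6202033.ps1", r"%PROGRAMDATA%\wt.exe"],
    "registry": [r"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate"],
}
POST_BODIES = {"packages.npm.org/product0": "macOS",
               "packages.npm.org/product1": "Windows",
               "packages.npm.org/product2": "Linux"}


def refang(ioc):
    """Turn the advisory's defanged form (hxxp, [.]) back into what telemetry actually contains."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def _path_pattern(path):
    # %TEMP%\x.ps1 shows up expanded in telemetry (C:\Users\...\Temp\x.ps1): keep only the tail,
    # accept either separator, and refuse partial matches such as ld.pyc.
    tail = re.sub(r"^%[A-Za-z_]+%", "", path)
    body = re.escape(tail).replace(r"\\", r"[\\/]")
    return re.compile(body + r"(?![\w.])", re.IGNORECASE)


def _norm_reg(s):
    # EDRs emit HKEY_CURRENT_USER\...; the advisory uses the PowerShell drive form HKCU:\...
    s = s.lower()
    return s.replace("hkey_current_user", "hkcu").replace("hkcu:", "hkcu")


def _build_patterns():
    pats = []
    for d in IOCS["domain"]:
        pats.append(("domain", d, re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])", re.I)))
    for ip in IOCS["ip"]:
        pats.append(("ip", ip, re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")))
    for u in IOCS["url"]:
        pats.append(("url", u, re.compile(re.escape(refang(u)), re.I)))
    for h in IOCS["sha256"]:
        pats.append(("sha256", h, re.compile(r"\b" + h + r"\b", re.I)))
    for p in IOCS["path"]:
        pats.append(("path", p, _path_pattern(p)))
    for body in POST_BODIES:
        pats.append(("post_body", body, re.compile(re.escape(body))))
    return pats


PATTERNS = _build_patterns()


def _registry_hits(line):
    norm = _norm_reg(line)
    for ioc in IOCS["registry"]:
        key, _, value = ioc.rpartition("\\")  # key path and value name are usually separate fields
        if _norm_reg(key) in norm and re.search(r"\b" + re.escape(value.lower()) + r"\b", norm):
            yield ioc


def hunt(lines):
    """Return one hit per (line, indicator); post-body hits also carry the platform requested."""
    hits = []
    for i, line in enumerate(lines):
        for kind, ioc, pat in PATTERNS:
            if pat.search(line):
                hit = {"line": i, "type": kind, "ioc": ioc}
                if kind == "post_body":
                    hit["platform"] = POST_BODIES[ioc]
                hits.append(hit)
        for ioc in _registry_hits(line):
            hits.append({"line": i, "type": "registry", "ioc": ioc})
    return hits


SAMPLE_LOGS = [  # constructed for the demo; not from a real incident
    "proxy src=10.0.4.21 method=POST url=http://sfrclak.com:8000/6202033 body=packages.npm.org/product1",
    "dns client=10.0.4.21 query=sfrclak.com type=A answer=142.11.206.73",
    "edr host=ci-linux-07 event=FileCreate path=/tmp/ld.py sha256=fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf",
    "edr host=DEV-WIN11 event=RegistryValueSet key=HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=MicrosoftUpdate",
    "edr host=DEV-WIN11 event=ProcessCreate image=C:\\ProgramData\\wt.exe parent=C:\\Windows\\System32\\cmd.exe",
    "proxy src=10.0.4.22 method=GET url=https://registry.npmjs.org/axios status=200",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"line {h['line']}: {h['type']} {h['ioc']} {h.get('platform', '')}")
```

Feed it `sys.stdin` or a file split into lines from your SIEM export. A POST-body hit is the most useful single signal: it tells you which platform-specific second stage the host asked for, so you know whether to look for com.apple.act.mond, the 6202033.ps1/wt.exe pair and the Run value, or /tmp/ld.py next. The domain and IP alone are weaker evidence because the C2 is a VPS whose address can be reassigned, so treat a DNS-only hit as a lead to be confirmed by a file or registry artifact.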