Axios npm Supply Chain Breach: Microsoft Shares Mitigation Steps
Microsoft hasdetailed how organizations can detect and mitigate a recent supply chain compromise involving malicious Axios npm releases and infrastructure attributed to the North Korean threat actor Sapphire Sleet.
On March 31, 2026, two Axios npm versions (1.14.1 and 0.30.4) were published with a hidden malicious dependency that contacted attacker command-and-control (C2) infrastructure and downloaded a second-stage remote access trojan (RAT).
Axios is one of the most widely used JavaScript HTTP clients, making this compromise particularly impactful across developer workstations, CI/CD pipelines, and production systems that auto-update dependencies.
The poisoned Axios versions do not alter application logic; instead, the attacker added a rogue dependency, [email protected], that executes silently at install time via npm lifecycle hooks.
Microsoft Threat Intelligence has attributed the underlying infrastructure and activity to Sapphire Sleet, a North Korean state actor known for financially motivated operations targeting cryptocurrency and fintech ecosystems.
This “phantom” dependency is never imported by Axios at runtime, so applications can appear to function normally while malware is installed during npm install or npm update on developer machines and CI/CD runners.
Axios npm Supply Chain
To build trust, the attacker first seeded a benign release, [email protected], and then followed with [email protected], which added an install-time script (setup.js) and a decoy manifest stub intended to hide traces after execution.
Axios 1.14.1 and 0.30.4 were then released with only manifest-level changes that added plain-crypto-js@^4.2.1 as a dependency, while skipping the project’s usual CI-backed publishing process and trusted publisher signals.
During npm install, the post-install hook runs node setup.js, which reconstructs obfuscated strings, fingerprints the platform, and contacts hxxp://sfrclak[.]com:8000/6202033 C2 infrastructure hosted on a VPS IP (142.11.206[.]73) linked to Sapphire Sleet operations.
All platforms talk to the same endpoint, but the client encodes OS selection via POST bodies (packagesckages.npm.org/product0|product1|product2), allowing the server to return tailored payloads for macOS, Windows, or Linux while keeping the client logic minimal.
On macOS, the loader drops a native binary named com.apple.act.mond into /Library/Caches, uses curl to download it from the C2 with the product0 marker, sets execute permissions, and launches it in the background via zsh, then cleans up temporary AppleScript components.
On Windows, the chain drops a VBScript stager in %TEMP%, which in turn pulls a PowerShell RAT (6202033.ps1) from the C2 with product1, persists via a hidden Run registry key, and masquerades as wt.exe under %PROGRAMDATA% to maintain stealth.
On Linux and other Unix-like systems, setup.js writes a Python file ld.py to /tmp, issues a curl request with product2 to the same C2 path, and executes the downloaded RAT with nohup python3 to detach execution and suppress output.
Across platforms, the installer then self-cleans by deleting its own loader and swapping in a clean-looking manifest to reduce forensic visibility in node_modules.
Microsoft’s mitigations
Microsoft reports that existing Microsoft Defender detections alerted customers to this activity and that additional protections have been rolled out to detect and block the malicious components and C2 patterns.
The company recommends that any user who installed Axios 1.14.1 or 0.30.4 immediately rotate all exposed secrets and credentials, downgrade to safe versions 1.14.0 or 0.30.3, and remove all malicious Axios artifacts before reinstalling clean packages.
Organizations are urged to harden npm usage by turning off auto-upgrades (removing ^ and ~ in package.json and pinning exact Axios versions), using overrides to force safe Axios versions even as transitive dependencies, and restricting automated dependency bots from silently bumping Axios.
Security teams should also review CI/CD logs for npm install events that resolved to the compromised versions or plain-crypto-js, scan developer and server file systems for those packages, and monitor for outbound connections to sfrclak[.]com or the associated IP on port 8000.
Beyond immediate containment, Microsoft advises adopting Trusted Publishing with OIDC to remove long-lived npm tokens and reduce the chance of account takeover leading to package hijacking.
Teams can leverage Microsoft Defender’s exposure management and advanced hunting capabilities to map the blast radius of affected endpoints, correlating identities, secrets, and cloud resources linked to compromised Axios deployments and prioritizing remediation of the most sensitive paths.
For Sapphire Sleet specifically, Microsoft notes that the group has a long record of monetization-driven campaigns that blend social engineering, cloud-hosted malware delivery, and supply chain abuse to steal cryptocurrency and high-value financial data.
This Axios incident underscores how quickly a compromised maintainer account or dependency can convert a trusted open-source component into a cross-platform malware delivery channel, emphasizing the need for rigorous dependency governance and layered endpoint defenses.