Axios npm Supply Chain Attack (March 2026)
Summary
On March 31, 2026, two backdoored releases of the Axios JavaScript HTTP client library (versions 1.14.1 and 0.30.4) were published to the npm registry via a compromised maintainer account. Each release pulled in a malicious dependency, plain-crypto-js@4.2.1, which delivered the WAVESHAPER.V2 cross-platform remote access trojan to macOS, Windows, and Linux systems. The malicious packages were live for approximately three hours (about 2 hours 54 minutes, from 00:21 to 03:15 UTC, according to the project's post-mortem) before removal. The attack has been attributed to UNC1069 (also tracked by Microsoft as Sapphire Sleet), a North Korean state-sponsored threat actor. CISA issued a formal advisory on April 20, 2026.
Timeline (12 events)
2026-03-30
plain-crypto-js@4.2.0 (pre-staging, non-malicious) published to npm at 05:57 UTC. Malicious plain-crypto-js@4.2.1 published at 23:59 UTC.
Source: The Hacker News

2026-03-31
Malicious axios@1.14.1 published to npm at 00:21 UTC; axios@0.30.4 published at approximately 01:00 UTC. Both versions inject plain-crypto-js@4.2.1 to deliver the WAVESHAPER.V2 RAT.
Source: Axios GitHub Post-Mortem (Issue #10636)

2026-03-31
Community member and collaborator DigitalBrainJS opens a deprecation PR and contacts npm security directly at approximately 01:38 UTC, initiating takedown.
Source: Axios GitHub Post-Mortem (Issue #10636)

2026-03-31
Malicious axios versions removed from the npm registry at 03:15 UTC; plain-crypto-js removed at 03:29 UTC. Total attack window: approximately 2 hours 54 minutes.
Source: Axios GitHub Post-Mortem (Issue #10636)

2026-04-01
Microsoft Threat Intelligence publicly attributes the compromise to Sapphire Sleet, a North Korean state-sponsored threat actor, and publishes mitigation guidance.
Source: Microsoft Security Blog

2026-04-01
Unit 42 (Palo Alto Networks) publishes an initial threat brief with IOCs, malware analysis, and remediation guidance.
Source: Unit 42 — Palo Alto Networks

2026-04-01
Axios lead maintainer jasonsaayman publicly confirms the compromise was the result of a targeted multi-week social engineering campaign involving a fake corporate identity and a malicious software installer delivered during an MS Teams meeting.
Source: Cybersecurity News

2026-04-01
Help Net Security reports North Korean hackers linked to the compromise, citing Google Threat Intelligence and Mandiant attribution to UNC1069.
Source: Help Net Security

2026-04-09
Unit 42 adds Advanced Threat Prevention detection coverage for the WAVESHAPER.V2 variants.
Source: Unit 42 — Palo Alto Networks

2026-04-13
Unit 42 issues clarifications on Windows RAT execution mechanics; Cortex AgentiX coverage added.
Source: Unit 42 — Palo Alto Networks

2026-04-20
CISA issues a formal advisory alerting organizations to the supply chain compromise, with detailed remediation steps including credential rotation, C2 blocking, and npm hardening guidance.
Source: CISA

2026-05-19
Unit 42 formally closes active threat monitoring for this incident.
Source: Unit 42 — Palo Alto Networks

Decision Log
- hash: 73ZvoqJ7AHDtpQaK9kzHc1UBshxcFRkbbfKTqhanFHAv
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/19/2026, 11:09:34 PM
last updated: 6/19/2026, 11:09:44 PM
avoid.net — verified advice for a post-truth world