Axios npm compromise (North Korea-nexus RAT)
Lead-maintainer account compromised via social engineering. Two malicious axios releases pulled in plain-crypto-js, whose postinstall fetched a cross-platform RAT from sfrclak[.]com:8000. Microsoft + Google attribute to Sapphire Sleet / UNC1069 (North Korea-nexus). Live for ~3 hours; ~100M weekly downloads in scope.
- Threat actor
- Sapphire Sleet / UNC1069
- Detected by
- Wiz · StepSecurity
- Also known as
- DPRK-nexus axios compromise
- Ecosystems
- npm
- Packages tracked
- 4
What happened
On 31 March 2026 the lead maintainer of axios — the most-downloaded HTTP client on npm at roughly 100M weekly downloads — fell to a social-engineering attack against their npm account. Two backdoored releases shipped within 40 minutes: axios@1.14.1 at 00:21 UTC and the legacy-line axios@0.30.4 at 01:00 UTC.
Both versions added a new runtime dependency on plain-crypto-js@4.2.1. That package's postinstall script reached out to sfrclak[.]com:8000 to fetch a cross-platform RAT supporting macOS, Windows and Linux. The implant exposes a remote shell, in-memory binary injection, host reconnaissance, and beacons every 60 seconds for tasking. A secondary domain callnrwise[.]com and IP 142.11.206.73 were also observed.
- Attacker contact addresses:
ifstap@proton.me,nrwise@proton.me. - npm advisory:
GHSA-fw8c-xr5c-95f9; OSV:MAL-2026-2306. - Setup payload SHA-256:
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09.
Microsoft and Google attribute the operation to Sapphire Sleet / UNC1069, a North Korea-nexus cluster historically focused on crypto and developer credential theft. The malicious versions were live for around three hours before npm pulled them, but any CI pipeline that resolved a floating range during that window will have pulled plain-crypto-js as a transitive and executed the postinstall.
Affected packages (4)
- npm
@qqbrowser/openclaw-qbot0.0.130 - npm
@shadanai/openclaw2026.3.28-22026.3.28-32026.3.31-12026.3.31-2 - npm
axios1.14.10.30.4 - npm
plain-crypto-js4.2.1
Impact
- Cross-platform RAT (macOS/Windows/Linux) with shell, binary injection, recon
- Beacons to sfrclak[.]com:8000 every 60s for tasking
- Maintainer workstation compromise → npm account takeover
- Anywhere in CI/CD that resolved the malicious version on install
What to do
- 1Audit axios usage; pin away from 1.14.1 / 0.30.4
- 2Reinstall dependencies after pinning, in a clean environment
- 3Rotate any credential reachable from build runners during the exposure window
- 4Search egress logs for sfrclak.com, callnrwise.com, 142.11.206.73
- 5Hunt for setup.js by hash e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09