What Happened
On March 31, 2026, North Korean state-sponsored hackers compromised axios — one of the most downloaded JavaScript libraries in the world with over 100 million weekly installations. They published two malicious versions that silently installed a Remote Access Trojan (RAT) on any machine that updated or installed software during a roughly three-hour window that morning.
The RAT affects Windows, macOS, and Linux. It gives attackers persistent, silent access to the infected machine — and the machine looks completely clean.
This was a state-sponsored, pre-planned operation attributed to North Korea. It is not a minor incident.
Why This May Affect Your Team
You do not need to have installed Axios directly to be at risk. Axios is embedded as a hidden dependency in thousands of software packages, developer tools, and build systems. If anyone on your team:
— Ran a software update or installed any developer tools on March 31, 2026 between midnight and 3am UTC (roughly 6pm–9pm Mountain Time, March 30)
— Uses Node.js, npm, or any JavaScript-based development tooling
— Had automated build pipelines or CI/CD systems running during that window
...their machine may have received the RAT without any visible sign.
The malicious versions were removed from the public registry within three hours, but any machine that installed during the window remains compromised until remediated.
What the RAT Does
— Establishes persistent, silent access to the infected machine for the attacker
— Steals credentials stored on the machine — passwords, API keys, cloud access tokens, SSH keys
— Phones home to a command-and-control server for further instructions
— Self-destructs its installation artifacts — the machine appears completely clean
— Can execute arbitrary follow-on commands or download additional payloads
A compromised machine should be treated as fully owned. Do not attempt to clean it — rebuild from a known-clean backup.
Affected Versions
Malicious — Do Not Use
axios@1.14.1
axios@0.30.4
plain-crypto-js@4.2.1 <- hidden malicious dependency
Safe — Downgrade To
axios@1.14.0
axios@0.30.3
Detection
Important: If npm is not recognized — stop. Node.js is not installed and this machine is not at risk.
Windows — Command Prompt or PowerShell
npm list axios --depth=10
npm list plain-crypto-js
dir %PROGRAMDATA%\wt.exe (Command Prompt)
dir $env:PROGRAMDATA\wt.exe (PowerShell; the %VAR% syntax does not expand there)
netstat -an | findstr ":8000"
macOS — Terminal
npm list axios --depth=10
npm list plain-crypto-js
ls /Library/Caches/com.apple.act.mond
lsof -i :8000
Linux — Terminal
ls /tmp/ld.py
npm list axios --depth=10
ss -tp | grep ':8000'
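The macOS and Linux checks above, scripted as one run. This is an added example, not tooling from the advisory or its sources; it assumes npm lockfiles (lockfileVersion 1, 2 or 3) and the versions, artifact paths and C2 port listed on this page, and the script name check_axios.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the advisory: scripts the macOS/Linux checks above, scanning
# package-lock.json for malicious versions, checking artifact paths and the C2 port.
MALICIOUS_PKGS="axios@1.14.1 axios@0.30.4 plain-crypto-js@4.2.1"
ARTIFACTS="/tmp/ld.py /Library/Caches/com.apple.act.mond"

# lockfile_hits <package-lock.json>: prints each malicious package@version pinned in it.
# Handles lockfileVersion 1 ("<name>": {) and 2/3 ("node_modules/<name>": {). 0 = hit, 1 = clean.
lockfile_hits() {
  lock="$1"; found=1
  for pv in $MALICIOUS_PKGS; do
    name="${pv%@*}"; ver="${pv##*@}"
    # "version" is the first key of an npm package object, so the first closing brace ends
    # the scope. Dots in $ver are left unescaped, which only widens the match.
    if awk -v n="$name" -v v="$ver" '
        BEGIN { hdr = "\"([^\"]*/)?" n "\": *\\{"; vl = "\"version\": *\"" v "\"" }
        $0 ~ hdr { inpkg = 1; next }
        inpkg && $0 ~ vl { hit = 1 }
        inpkg && /^[ \t]*}/ { inpkg = 0 }
        END { exit hit ? 0 : 1 }' "$lock"; then
      echo "MALICIOUS: $pv pinned in $lock"; found=0
    fi
  done
  return $found
}
# artifact_hits [path...]: reports which artifact paths exist. 0 = any exist, 1 = none.
artifact_hits() {
  found=1
  for p in "$@"; do
    [ -e "$p" ] && { echo "ARTIFACT PRESENT: $p"; found=0; }
  done
  return $found
}

# c2_port_hits: prints established TCP connections to peer port 8000. That is also a
# common dev-server port, so correlate a hit with the IOC IP before acting.
c2_port_hits() {
  if command -v ss >/dev/null 2>&1; then
    ss -tn | awk 'NR > 1 && $5 ~ /:8000$/ { print "C2 PORT: " $0 }'
  else
    lsof -nP -iTCP:8000 -sTCP:ESTABLISHED 2>/dev/null | grep -v '^COMMAND' || true
  fi
}
# Usage: sh check_axios.sh <project-or-home-dir>   (script name is hypothetical)
[ $# -gt 0 ] && {
  find "$1" -name package-lock.json -not -path '*/node_modules/*' 2>/dev/null | while IFS= read -r f; do lockfile_hits "$f"; done
  artifact_hits $ARTIFACTS
  c2_port_hits
}
```

Run it against each developer's home directory and each CI workspace; a single MALICIOUS or ARTIFACT PRESENT line means the machine falls under the remediation steps below.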
If a Machine Is Compromised
Step 1: Disconnect immediately.
Step 2: Do not attempt to clean. Rebuild from a known-clean backup or factory reset.
Step 3: Rotate all credentials — passwords, cloud tokens, SSH keys, .env files.
Step 4: Block — Domain sfrclak[.]com · IP 142.11.206[.]73 · Port TCP 8000
Step 5: Contact your IT security resource.
IOCs
Malicious Domain sfrclak[.]com
Malicious IP 142.11.206[.]73
C2 Port TCP 8000
Malicious Packages axios@1.14.1 / axios@0.30.4 / plain-crypto-js@4.2.1
Windows Artifact %PROGRAMDATA%\wt.exe
macOS Artifact /Library/Caches/com.apple.act.mond
Linux Artifact /tmp/ld.py
Attribution
Attributed by Microsoft, Google, Palo Alto Unit 42, and Sophos to North Korean state-sponsored threat actors. It was a pre-planned operation, with infrastructure staged 18 hours before execution.
Sources: Microsoft Security Blog, Huntress, Elastic Security Labs, Palo Alto Unit 42, SANS Institute, Snyk, Sophos — published April 1–2, 2026.
Barr Cyber — Supply Chain Security Assessment
Supply chain compromise is an advanced threat vector. If your team runs Node.js, npm, or CI/CD pipelines, Barr Cyber can assess your dependency exposure and harden your development environment.
Get in Touch →