Another supply chain security threat emerged this week with the compromise of Axios, a popular JavaScript HTTP library. For three hours, its compromised releases were used to distribute cross-platform Remote Access Trojans (RATs). Lead maintainer Jason Saayman has now written a detailed post-mortem on GitHub, in which he describes an elaborate social engineering campaign carried out by the North Korean group UNC1069.
The compromised versions, axios@1.14.1 and axios@0.30.4, were live for roughly three hours before removal. Axios has over 300 million weekly downloads and is used in virtually every Node.js and browser project that makes HTTP requests. This very popularity evidently painted a target on its back.
The attack was attributed to the North Korean group UNC1069, as mentioned on April 1. The group is financially motivated and has previously targeted cryptocurrency companies, but compromising open source projects now appears to be a key attack vector for it as well. The npm ecosystem has seen a series of related incidents in recent months: in December, the Shai-Hulud 2.0 worm stole developer secrets from hundreds of packages using the same post-install script technique.
Fake Teams call deployed the RAT
The social engineering campaign was elaborate. Attackers cloned the identity of a real company founder, set up a convincingly branded Slack workspace complete with fake team profiles, and scheduled a Microsoft Teams meeting. During the call, Saayman was prompted to install what appeared to be a missing software component; that component was the RAT. “Everything was extremely well co-ordinated, looked legit and was done in a professional manner,” Saayman wrote. Although 2FA was active, once the RAT was on his machine the attackers had full control over everything on it, which bypasses software-based authentication measures entirely: a second factor protects the login, not a session or token on an endpoint the attacker already controls.
Both malicious versions injected a fake dependency, plain-crypto-js@4.2.1, whose post-install script delivered platform-specific RAT payloads. On macOS, Windows, and Linux, the malware connected to a command-and-control server at sfrclak.com:8000. The dropper then removed its own traces from node_modules, leaving the folder looking clean, so an apparently clean node_modules is not evidence that a machine was unaffected.
Remediation steps and planned changes
Anyone who ran a fresh npm install between 00:21 and 03:15 UTC on March 31 should treat the affected machines as compromised. Recommended steps: downgrade to axios@1.14.0 (or 0.30.3 for 0.x users), delete node_modules/plain-crypto-js, rotate all credentials, and check network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000. Secrets injected during CI/CD builds in that window also need rotating.
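The version and indicator checks above, written out as an added Node.js triage script that is not code from the Axios project or the post-mortem; it assumes a lockfileVersion 2 or 3 package-lock.json, and the lockfile fragment and log lines it scans are constructed sample data:

```javascript
// Added triage helper (not Axios project code); indicators come from the advisory.
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);
const INJECTED_DEP = { name: 'plain-crypto-js', version: '4.2.1' };
const C2_HOSTS = ['sfrclak.com', '142.11.206.73'];
const C2_PORT = 8000;

// Walk a lockfileVersion 2/3 package-lock.json: "packages" is keyed by the
// node_modules path, so the package name follows the last "node_modules/".
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, nothing to check
    const name = path.slice(path.lastIndexOf('node_modules/') + 13);
    if (name === 'axios' && COMPROMISED_AXIOS.has(meta.version)) {
      hits.push(`${path}: axios@${meta.version} is a compromised release`);
    }
    if (name === INJECTED_DEP.name && meta.version === INJECTED_DEP.version) {
      hits.push(`${path}: injected dependency ${name}@${meta.version}`);
    }
  }
  return hits;
}

// Report every line mentioning a C2 host; c2Port marks the advisory's port 8000.
// A bare DNS lookup of the domain (no port) is still returned for review.
function scanNetworkLogs(lines) {
  const pattern = C2_HOSTS.map((h) => h.replace(/\./g, '\\.')).join('|');
  const hostRe = new RegExp(`(${pattern})(?::(\\d+))?`);
  const hits = [];
  for (const line of lines) {
    const m = hostRe.exec(line);
    if (m) hits.push({ line, host: m[1], c2Port: Number(m[2]) === C2_PORT });
  }
  return hits;
}

// Constructed sample inputs (not real captures).
const sampleLock = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};
const sampleLogs = [
  '00:41:12 ALLOW tcp 10.0.0.5:51234 -> 142.11.206.73:8000',
  '00:41:13 ALLOW tcp 10.0.0.5:51235 -> 104.16.1.1:443',
  '00:45:00 DNS query sfrclak.com -> 142.11.206.73',
];
```

Because the dropper cleans node_modules after itself, the lockfile and network checks are more reliable than inspecting the installed tree.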
The Axios project is now adopting OIDC-based publishing to remove long-lived npm credentials from the equation, implementing an immutable release setup, and updating its GitHub Actions workflows. All devices used by Saayman were wiped and credentials were reset across every platform. A contributor noted in the thread that npm currently offers no option to enforce OIDC-only publishing at the registry level, unlike registries such as crates.io. Microsoft published mitigation guidance on April 1, and Datadog Security Labs also published a full attack flow analysis. The investigation is ongoing.