Supply chain [SC] Supply Chain

Axios npm Supply Chain Compromise - Sapphire Sleet (DPRK) RAT Delivery

2026-03-31 [vendor] axios (npm HTTP client library) [malware] Sapphire Sleet RAT
Primary Source ↗

Incident Details

On March 31, 2026, Sapphire Sleet (a North Korean state-sponsored threat actor tracked by Microsoft) published two malicious versions of axios (1.14.1 and 0.30.4) to npm. Axios is one of the most widely used JavaScript HTTP client libraries with over 70 million weekly downloads. The malicious versions injected a backdoored dependency that connected to attacker-controlled C2 infrastructure (sfrclak[.]com). Upon successful C2 connection, a second-stage remote access trojan (RAT) was deployed targeting macOS, Windows, and Linux. Microsoft published detection and mitigation guidance on April 1, 2026. Safe versions are 1.14.0 and 0.30.3. Recommended response includes rotating all secrets and credentials, reviewing CI/CD pipeline logs for outbound C2 connections, and disabling postinstall scripts. The incident is attributed to the same North Korean actor responsible for TraderTraitor/UNC4736 campaigns targeting the crypto/DeFi sector.

Technical Details

Initial Attack Vector
Sapphire Sleet (North Korean state actor) compromised the npm publishing credentials for axios, one of the most popular JavaScript HTTP client libraries (~70 million weekly downloads), and published malicious versions 1.14.1 and 0.30.4 containing a backdoored dependency connecting to attacker C2
Vendor / Product
axios (npm HTTP client library)
Software Package
axios
Malware Family
Sapphire Sleet RAT
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2026-03-31 Breach occurred
  2. 2026-03-31 Publicly disclosed