A North Korea-linked threat actor (UNC1069) hijacked the npm account of an axios maintainer and published two backdoored versions. They were live for ~3 hours before npm removed them.
- 00:21 — Malicious axios@1.14.1 published (latest dist-tag)
- 00:39 — Malicious axios@0.30.4 published (legacy dist-tag)
- ~03:15 — npm removes compromised versions
Both versions added a hidden dependency, plain-crypto-js (a typosquat of crypto-js). Its postinstall hook downloaded a cross-platform RAT from sfrclak[.]com:8000, then erased itself.
Platform-specific payloads:
- macOS: `/Library/Caches/com.apple.act.mond`
- Windows: `%PROGRAMDATA%\wt.exe` (PowerShell via VBScript)
- Linux: `/tmp/ld.py`
You're at risk if you ran npm install on any project between 00:21–03:15 UTC on March 31, 2026.
```shell
# Lockfiles referencing the compromised versions or the typosquat
grep -r "axios.*1\.14\.1\|axios.*0\.30\.4\|plain-crypto-js" \
  package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null

# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "INFECTED" || echo "Clean"

# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "INFECTED" || echo "Clean"

# Active C2 connections
lsof -i -n | grep -E "sfrclak|142\.11\.206\.73"

# DNS history (macOS)
log show --predicate 'process == "mDNSResponder"' --last 2d | grep sfrclak
```

```powershell
# Windows (PowerShell)
Test-Path "$env:PROGRAMDATA\wt.exe"
```

| Indicator | Type |
|---|---|
| sfrclak[.]com | C2 domain |
| 142.11.206.73:8000 | C2 IP |
| User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) | HTTP signature |
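The grep above misses a compromised axios copy that a lockfile nests under another package's own `node_modules`. The following is an added example, not code from the advisory, that parses `package-lock.json` directly and reports every axios@1.14.1, axios@0.30.4 or plain-crypto-js entry with its location; it assumes the standard lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map) layouts, and the sample lockfile it ships with is constructed.

```javascript
// Added example, not code from the advisory: scan a package-lock.json for the
// compromised axios releases and any plain-crypto-js entry, including transitive
// copies nested under other packages. Handles lockfileVersion 1 and 2/3 layouts.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]), // versions named in the advisory
  "plain-crypto-js": null,              // null: every version of the typosquat is a hit
};
function isHit(name, version) {
  if (!Object.prototype.hasOwnProperty.call(COMPROMISED, name)) return false;
  return COMPROMISED[name] === null || COMPROMISED[name].has(version);
}
// lockfileVersion 1: nested "dependencies" objects, each carrying a "version".
function walkDeps(deps, path, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = path ? `${path} > ${name}` : name;
    if (isHit(name, entry.version)) hits.push({ name, version: entry.version, where });
    walkDeps(entry.dependencies, where, hits);
  }
}
// lockfileVersion 2/3: flat "packages" map keyed by node_modules path; the package
// name is everything after the last "node_modules/" (scoped names included).
function walkPackages(packages, hits) {
  for (const [key, entry] of Object.entries(packages)) {
    const i = key.lastIndexOf("node_modules/");
    if (i === -1) continue; // the "" entry is the project root itself
    const name = key.slice(i + "node_modules/".length);
    if (isHit(name, entry.version)) hits.push({ name, version: entry.version, where: key });
  }
}
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits); // v2 has both maps; scan once
  else walkDeps(lock.dependencies, "", hits);
  return hits;
}
// Constructed sample (v3 layout): a safe direct axios, a compromised axios nested under
// another package, and the typosquat. Versions not from the advisory are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.13.0" },
  "node_modules/some-sdk": { version: "2.0.0" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "9.9.9" },
} };
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2]; // real lockfile path; falls back to the sample
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of scanLockfile(lock)) console.log(`HIT ${h.name}@${h.version} at ${h.where}`);
}
```

Run it as `node scan-lock.js path/to/package-lock.json`; any `HIT` line means the machine that installed from that lockfile should be treated as compromised per the response steps below.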
- Isolate the machine from the network immediately
- Do NOT attempt in-place cleanup — re-image or restore from a backup before March 30
- Rotate ALL credentials accessible from the machine: npm tokens, AWS keys, SSH keys, .env secrets, CI/CD tokens
- Block sfrclak[.]com and 142.11.206.73 at DNS/firewall level
- Use `npm ci --ignore-scripts` in CI/CD
- Pin exact versions (no `^` or `~` ranges)
- Use Socket.dev or Snyk for supply chain monitoring
- Enable `npm audit signatures` to verify package provenance