segfo

@segfo
segfo / 00_README.md
Created April 9, 2026 07:23 — forked from N3mes1s/00_README.md
Axios npm Supply Chain Compromise (2026-03-31) — Full RE + Dynamic Analysis + BlueNoroff Attribution | 17 SHA256 | YARA/Sigma/Suricata rules | Live peinject validation on Daytona

Axios npm Supply Chain Compromise — Full Analysis Package

Date: 2026-03-31 | Attribution: BlueNoroff / Lazarus Group (HIGH confidence) | Attack: Maintainer account hijacked, cross-platform RAT deployed via axios@1.14.1 and axios@0.30.4

What happened

On March 30-31, 2026, the npm package axios (~83M weekly downloads) was compromised through a maintainer account hijack. Two malicious versions injected plain-crypto-js@4.2.1, an obfuscated dropper that deploys platform-specific RATs (Windows PowerShell, macOS Mach-O C++, Linux Python). The macOS RAT is classified as NukeSped (Lazarus-exclusive). The internal project name macWebT links directly to BlueNoroff's documented RustBucket webT module from 2023.

File Index

@segfo
segfo / malcode_in_pth_pickle_detector.py
Last active March 15, 2026 23:02
Detection script for (suspected) RCE code in pickles contained in model checkpoints
import pickletools
import zipfile
from pathlib import Path
import sys
import dis
import inspect
import importlib
# ---------------------------------------
# dangerous calls
# ---------------------------------------
# Create a .env file in the same directory.
# A sample .env is given in the gist comments.
services:
  # Password manager; remove it if you don't need it.
  vaultwarden:
    image: vaultwarden_arm64:1.34.3
    container_name: vaultwarden
    user: '1000:1000'
    ports:
      - 8080:80
@segfo
segfo / WMIPersistence.ps1
Last active August 7, 2024 06:43
Persistence technique using WMI (CimInstance version)
# Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
Param(
    [ValidateSet("Persistence","Clean")]$Mode="Persistence",
    [ValidateSet("OnStartup","OnLogon","OnInterval","OnTime")]$Trigger="OnStartup",
    [string]$FilterName = 'WMIEventFilter Persistence',
    [string]$ConsumerName = "WMIEventConsumer Persistence",
    [int]$IntervalPeriod = 3600,
    [string]$ExecutionTime = '10:00:00',
    [string]$Command
)
@segfo
segfo / One-liner
Created November 1, 2023 14:18
one liner.txt
$otp = "cargo run --";iex $otp" --no-tui -g"|findstr /r /c:"/[0-9]"| %{$_ -replace ".*/","" }|%{for ($i=0;$i -le $_;$i++){ iex $otp" --no-tui -g -n $i" |findstr "otpauth"| %{qrcode -s -d $_};.\qrcode.svg}}
@segfo
segfo / IteratorSample.java
Last active September 5, 2021 12:21
Iterator sample
import java.util.Iterator;

class IteratorSample {
    public static void main(String[] args) {
        FibonacciNumberGenerator fib = new FibonacciNumberGenerator();
        for (int n : fib) {
            System.out.println(n + " ");
        }
    }
}
@segfo
segfo / recursive_trampoline.rs
Last active August 14, 2021 23:53
Trampolining tail recursion in Rust
enum RetVal {
    Num(u128),
    Recursive(Box<dyn Fn() -> RetVal>),
}

fn trampoline(r: RetVal) -> u128 {
    let mut r = r;
    loop {
        match &r {
            RetVal::Recursive(func) => {
@segfo
segfo / memorymap_day2.csv
Last active April 5, 2021 12:39
Memory map from the "Mikan book" (MikanOS)
"Physical Address":"0x00000000","Virtual Address":"0x00000000","Pages":160,"Memory Type":"CONVENTIONAL","Attributes":"UNCACHEABLE | WRITE_COMBINE | WRITE_THROUGH | WRITE_BACK"
"Physical Address":"0x00100000","Virtual Address":"0x00000000","Pages":1824,"Memory Type":"CONVENTIONAL","Attributes":"UNCACHEABLE | WRITE_COMBINE | WRITE_THROUGH | WRITE_BACK"
"Physical Address":"0x00820000","Virtual Address":"0x00000000","Pages":2016,"Memory Type":"BOOT_SERVICES_DATA","Attributes":"UNCACHEABLE | WRITE_COMBINE | WRITE_THROUGH | WRITE_BACK"
"Physical Address":"0x01000000","Virtual Address":"0x00000000","Pages":503808,"Memory Type":"CONVENTIONAL","Attributes":"UNCACHEABLE | WRITE_COMBINE | WRITE_THROUGH | WRITE_BACK"
"Physical Address":"0x7c000000","Virtual Address":"0x00000000","Pages":32,"Memory Type":"BOOT_SERVICES_DATA","Attributes":"UNCACHEABLE | WRITE_COMBINE | WRITE_THROUGH | WRITE_BACK"
"Physical Address":"0x7c020000","Virtual Address":"0x00000000","Pages":9923,"Memory Type":"CONVENTIONAL","Attributes":"UNCACHEAB
@segfo
segfo / input.rs
Created April 15, 2020 00:54
AtCoder input macro
use std::io::BufRead;

macro_rules! readlines {
    ($cnt:expr) => {
        {
            let stdin = std::io::stdin();
            let mut handle = stdin.lock();
            let mut result = Vec::new();
            for i in 0..$cnt {
                let mut buf = String::new();
@segfo
segfo / Cargo.toml
Last active September 21, 2019 10:14
Code vulnerable to DLL hijacking through a flawed DLL search order, plus code to verify it
[package]
name = "sideloading_dll"
version = "0.1.0"
authors = ["segfo <k.segfo@gmail.com>"]
edition = "2018"

[lib]
name = "sideloading"
path = "src/lib.rs"
crate-type = ["dylib"]