FIND-20260404-002 · 2026-04-04 · Innovation Veille
CRITICAL: Axios npm Supply Chain Attack — RAT Delivered via Compromised Maintainer Account (March 31, 2026)
cve
HIGH
On March 31, 2026, a North Korean threat actor (UNC1069) compromised the npm account of the lead Axios maintainer and published two malicious versions: axios@1.14.1 and axios@0.30.4. Both versions pulled in plain-crypto-js@4.2.1, which executes a cross-platform Remote Access Trojan (RAT) during npm install. The RAT contacts a C2 server at sfrclak.com:8000 (IP 142.11.206.73), delivers an OS-specific payload, then deletes itself. The malicious versions were live for approximately 3 hours (00:21–03:15 UTC). Safe versions: axios@1.14.0 or axios@0.30.3. No CVE ID has been assigned yet. Google Threat Intelligence Group attributed the attack to UNC1069 on April 1, 2026.
Source
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
ODS Impact
Axios is used across all ODS Node.js/TypeScript services (ods-dashboard, notification-hub frontend, form-engine UI, and any service using an HTTP client in JS). Any CI/CD pipeline or developer machine that ran npm install between March 31 00:21 UTC and 03:15 UTC and resolved axios@latest or axios@^1.14 may be compromised. Immediate actions:
(1) check every package-lock.json for axios@1.14.1 or axios@0.30.4;
(2) check for the presence of node_modules/plain-crypto-js;
(3) rotate all secrets on affected machines;
(4) pin axios to 1.14.0 in all services;
(5) run npm ci --ignore-scripts in CI pipelines.
Security Review
N/A
Tags
npm
supply-chain
rat
malware
axios
nodejs
critical
unc1069
north-korea