Microsoft Attributes Axios npm Supply Chain Attack to North Korean Hacker Group Sapphire Sleet

Microsoft Threat Intelligence has attributed the recent Axios npm supply chain attack to Sapphire Sleet, a North Korean state actor, after identifying that the malicious package infrastructure and the npm account used in the compromise were associated with the group. According to Microsoft, the attack involved two poisoned Axios releases, axios@1.14.1 and axios@0.30.4, which pulled in a malicious dependency and then connected to Sapphire Sleet-controlled command-and-control infrastructure to retrieve second-stage malware.

The incident is significant because Axios is one of the most widely used HTTP client libraries in the JavaScript ecosystem. Microsoft said the malicious versions targeted projects that auto-resolved versions higher than axios@^1.14.0 or axios@^0.30.0, meaning the attack could hit both developer endpoints and CI/CD pipelines during ordinary npm install or dependency update activity. That made the compromise especially dangerous in build environments where secrets such as cloud keys, API tokens, and deployment credentials are commonly present.

Rather than directly modifying Axios runtime behavior, the attackers used a quieter technique: they inserted a malicious transitive dependency, plain-crypto-js@4.2.1, that executed through an npm postinstall hook. Microsoft says the trusted package’s application logic remained unchanged, which helped the malicious release appear normal while the real activity happened during installation. The threat actor first seeded a clean plain-crypto-js@4.2.0 to establish publishing history, then released 4.2.1 with the install-time loader, and finally published the two malicious Axios versions that referenced it.

Once triggered, the first-stage loader setup.js decoded obfuscated strings at runtime, detected the operating system, and connected to hxxp://sfrclak[.]com:8000/6202033 to fetch the next stage. Microsoft says all platforms used the same base URL, while OS selection was signaled through POST bodies like packages.npm.org/product0, product1, and product2. That gave the operator a compact, centralized delivery path for platform-specific payloads while keeping the client-side logic lightweight.

Microsoft’s analysis shows that the second-stage payload differed by operating system. On macOS, the malware downloaded a native binary to /Library/Caches/com.apple.act.mond and launched it via AppleScript and osascript. On Windows, it dropped a VBScript stager and a PowerShell RAT, including %TEMP%\6202033.vbs and %TEMP%\6202033.ps1, and then copied PowerShell to C:\ProgramData\wt.exe to make execution look more benign. On Linux, it wrote a Python payload to /tmp/ld.py and executed it in the background with nohup python3.

The Windows payload is particularly notable because Microsoft describes it as a covert remote management component rather than a simple downloader. The PowerShell RAT collected detailed host and hardware information, established persistence via a registry Run key, and polled the attacker’s server for instructions. Supported commands allowed the operator to execute arbitrary PowerShell, enumerate files and directories, inject binaries into memory, and terminate execution on demand. Microsoft says the script favored in-memory execution, temporary files, and Base64-encoded payloads to reduce forensic visibility.

Microsoft’s attribution to Sapphire Sleet raises the severity of the incident well beyond a typical criminal package hijack. Microsoft describes Sapphire Sleet as a North Korean state actor active since at least 2020, focused primarily on finance, cryptocurrency, venture capital, and blockchain-related targets, with a longstanding history of credential theft, social engineering, and malware delivery through cloud-hosted infrastructure and impersonation lures. In this case, Microsoft says the npm account that created the malicious plain-crypto-js package was associated with Sapphire Sleet infrastructure and has since been disabled.

From a defender’s perspective, the most important point is that this was an install-time compromise. Normal application behavior could remain unchanged while the malicious logic executed during package installation. That means teams cannot assume they are safe simply because applications continued to run normally after the update. If the bad versions were resolved in a development workstation, container build, or CI runner, the machine should be treated as potentially compromised and its reachable secrets should be considered exposed. This is the practical implication of Microsoft’s guidance to rotate all secrets and credentials exposed to affected systems.

Microsoft recommends that affected organizations roll back Axios to 1.14.0 or 0.30.3 or earlier, force exact versions through package pinning and overrides, disable or restrict auto-updates for critical dependencies, inspect CI/CD logs for installations of axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1, and rotate all secrets exposed to compromised systems. Microsoft also recommends using npm ci --ignore-scripts or setting ignore-scripts where operationally possible, and adopting trusted publishing with OIDC to reduce reliance on long-lived publishing credentials.

The broader lesson is that the Axios incident combines three trends that defenders need to take seriously: dependency trust abuse, install-time execution, and nation-state interest in open-source software distribution channels. The attacker did not need to break application logic. They only needed to compromise package publishing, add one malicious dependency, and let the ecosystem’s automation do the rest. With Microsoft now tying that activity to Sapphire Sleet, the attack becomes a reminder that widely used open-source packages are no longer just opportunistic criminal targets. They are part of the strategic attack surface.

Indicators of Compromise (IoCs)

• Malicious package versions: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1
• C2 domain: sfrclak[.]com
• C2 IP: 142.11.206[.]73 on port 8000
• C2 URL: hxxp://sfrclak[.]com:8000/6202033
• Windows artifacts: %TEMP%\6202033.vbs, %TEMP%\6202033.ps1, %PROGRAMDATA%\system.bat, C:\ProgramData\wt.exe
• macOS artifact: /Library/Caches/com.apple.act.mond with SHA-256 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
• Linux artifact: /tmp/ld.py with SHA-256 fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
• POST body identifiers: packages.npm.org/product0, packages.npm.org/product1

Reference Links and Sources

• Microsoft Security Blog: Mitigating the Axios npm supply chain compromise