Lazarus is behind the Axios npm supply chain attack. ThreatBook's analysis links the macOS payload to a Lazarus backdoor disclosed by Mandiant in Feb.

Khushal
Thread author
Apr 4, 2024

Lazarus Group Poisons Axios: Inside the npm Supply Chain Attack

Regarding yesterday's Axios npm supply chain poisoning incident, ThreatBook has conducted in-depth sample analysis and attack tracing. Drawing on long-term threat intelligence accumulated through tracking key APT organizations, we attribute this attack campaign to the Lazarus Group, and have pivoted from existing intelligence to identify additional associated infrastructure and attack indicators (IOCs listed in the appendix).

This incident has had significant impact. As one of the most foundational dependencies in the JavaScript ecosystem, Axios has over 3.6 billion annual downloads and more than 174,000 projects that directly or indirectly depend on it. A number of users have already been infected with malicious code while installing OpenClaw and related software. Windows, macOS, and Linux are all affected. Users are advised to immediately check for callbacks to sfrclak[.]com.
 
This is a serious supply-chain incident, but the Lazarus attribution should still be treated as a vendor assessment unless it is independently confirmed by additional trusted sources.

What matters most right now

  • If a developer or build system installed the affected package versions, the main priority is incident response, not attribution.
  • Because this was delivered through npm, both developer workstations and CI/CD environments should be considered potentially exposed.
  • The reported cross-platform impact means Windows, macOS, and Linux systems all need review.

Practical next steps

  1. Identify whether any systems installed the affected package versions, directly or as a dependency.
  2. Check network logs, proxy logs, DNS logs, and EDR telemetry for connections or lookups related to the reported infrastructure, including sfrclak[.]com.
  3. Review npm/yarn/pnpm lockfiles and CI build logs to determine when the package entered the environment.
  4. Rotate credentials that may have been exposed on affected developer machines or build agents, especially:
    • npm tokens
    • GitHub/GitLab tokens
    • SSH keys
    • Cloud credentials
    • Secrets used in CI pipelines
  5. Rebuild affected projects from a known-clean state after removing the malicious dependency.
  6. Run reputable endpoint scans and review persistence mechanisms, startup items, scheduled tasks, launch agents, shell profiles, and unusual child processes from node/npm.

On the Lazarus claim

ThreatBook may be correct, but attribution in APT cases is difficult and can change as more evidence becomes available. From a defensive standpoint, the IOCs and remediation steps are more immediately useful than the actor name.

Bottom line

Anyone who installed the poisoned package should treat it as a potential compromise and investigate accordingly. The safest approach is to verify exposure, hunt for the listed IOCs, rotate secrets, and rebuild from clean sources.
 
Executive Summary

Confirmed Facts

An attacker compromised the npm maintainer account for the widely used axios library, publishing malicious versions (1.14.1 and 0.30.4) that inject a phantom dependency (plain-crypto-js@4.2.1) to execute a postinstall dropper script.

Assessment
Telemetry and binary analysis heavily correlate this cross-platform remote access trojan (RAT) with the WAVESHAPER backdoor, historically utilized by the North Korean-nexus Lazarus Group.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1195.001
(Supply Chain Compromise: Software Dependencies and Development Tools)

T1059
(Command and Scripting Interpreter)

T1082
(System Information Discovery)

CVE Profile
[N/A - Credential/Supply Chain Compromise]
[CISA KEV Status: Inactive/None]

Telemetry

Network (C2)
hxxp://sfrclak[.]com:8000/6202033, 142.11.206.73, hxxp://callnrwise[.]com, 142.11.196.73, 142.11.199.73.

Network (User-Agent)
Hardcoded as "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)".

File System (macOS Payload)
/Library/Caches/com.apple.act.mond (SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a).

File System (Windows Payload)
%TEMP%\6202033.ps1 (SHA256: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101).

File System (Linux Payload)
/tmp/ld.py.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

For environments utilized by software engineers and CI/CD pipelines.

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate a major incident response protocol for software supply chain compromise. Notify development teams to freeze deployments containing axios.

DETECT (DE) – Monitoring & Analysis

Command
Query endpoint telemetry (EDR) for the execution of setup.js spawning child processes to download from packages.npm.org.

Command
Sweep internal networks for DNS requests resolving to sfrclak[.]com or callnrwise[.]com.

RESPOND (RS) – Mitigation & Containment

Command
Isolate all developer endpoints and CI/CD runners exhibiting the presence of plain-crypto-js in node_modules or the OS-specific RAT payloads.

Command
Downgrade to known-safe versions of Axios (1.14.0 or 0.30.3).

RECOVER (RC) – Restoration & Trust

Command
Treat isolated endpoints as fully compromised. Wipe and pave affected developer machines and ephemeral build containers.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Rotate all AWS, Azure, GCP, database, and API keys present in the environment variables of compromised hosts.

Command
Enforce --ignore-scripts globally in CI/CD pipelines to prevent arbitrary execution of postinstall hooks.

Remediation - THE HOME USER TRACK (Safety Focus)

Environmental Reality Check
Node.js and npm are developer tools and are NOT installed by default on Windows or macOS. The threat level for standard home users is Conditional/Low.

Priority 1: Safety

Command
If you are not a software developer and do not have Node.js/npm installed, no action is required. Your system lacks the dependencies to execute this attack.

Command
If you are a developer who installed axios via npm on or after March 31, 2026, disconnect from the internet immediately to sever the C2 connection.

Priority 2: Identity

Command
Rotate your GitHub access tokens, SSH keys, and any personal cloud API keys stored on your development machine using a known clean device (e.g., your smartphone).

Priority 3: Persistence

Command
Check your system for the dropped artifacts. On macOS, inspect /Library/Caches/ for com.apple.act.mond. On Windows, check your %TEMP% directory for .ps1 files and startup folders for system.bat.

Hardening & References

Baseline

CIS Controls v8 - Control 2 (Software Asset Management) and Control 16 (Application Software Security).

Framework
NIST CSF 2.0 (PR.PS-01: Configuration Management / PR.DS-01: Data Security).

Insight
Supply chain attacks via package managers leverage the implicit trust developers place in automated dependency resolution. Enforcing strict lockfiles (package-lock.json), utilizing package hashes, and disabling installation scripts (npm config set ignore-scripts true) drastically reduces the attack surface against phantom dependencies like plain-crypto-js.

Source

Primary Intelligence Source (ThreatBook)
 
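As an added example that is not part of the post or of ThreatBook's report, the Python script below covers the first three "Practical next steps" and the DETECT items above in one place: it walks an npm lockfile (the v1 nested layout or the flat v2/v3 "packages" map, reading npm's hasInstallScript flag) for the two poisoned axios versions and the plain-crypto-js phantom dependency, then sweeps plain-text DNS, proxy and EDR log lines for the domains, IPs, payload hashes, dropped file paths and hardcoded User-Agent listed in the post. The lockfile and the six log lines are constructed sample input; the indicator values are the ones given above, refanged so they match real log data.

```python
"""Triage helpers for the axios / plain-crypto-js incident described above.
Added example, not ThreatBook's or the poster's code. Lockfile layouts follow what
npm writes (v1 nested "dependencies"; v2/v3 flat "packages" with "hasInstallScript");
SAMPLE_LOCK and SAMPLE_LOG are constructed; indicator values are those in the post."""
import re

MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}             # poisoned releases named in the post
PHANTOM_DEP = "plain-crypto-js"                     # phantom dependency carrying the dropper
IOC_DOMAINS = {"sfrclak.com", "callnrwise.com"}     # refanged from the post's C2 list
IOC_IPS = {"142.11.206.73", "142.11.196.73", "142.11.199.73"}
IOC_SHA256 = {
    "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",  # macOS payload
    "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",  # Windows payload
}
IOC_PATHS = {"/library/caches/com.apple.act.mond", "/tmp/ld.py", "6202033.ps1"}  # lowercased
IOC_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"


def lockfile_findings(lock: dict) -> list:
    """Return (package, version, path, reason) for entries tied to the poisoned release."""
    findings = []

    def check(name, meta, where):
        version = meta.get("version", "")
        if name == "axios" and version in MALICIOUS_AXIOS:
            findings.append((name, version, where, "malicious axios release"))
        if name == PHANTOM_DEP:        # its postinstall hook is the execution vector
            why = "phantom dependency" + (" with install script" if meta.get("hasInstallScript") else "")
            findings.append((name, version, where, why))

    if "packages" in lock:             # lockfileVersion 2 or 3: flat map keyed by install path
        for where, meta in lock["packages"].items():
            if where:                  # "" is the project root itself
                check(where.rsplit("node_modules/", 1)[-1], meta, where)
    else:                              # lockfileVersion 1: nested tree
        def walk(deps, prefix):
            for name, meta in deps.items():
                where = f"{prefix}node_modules/{name}"
                check(name, meta, where)
                walk(meta.get("dependencies", {}), where + "/")
        walk(lock.get("dependencies", {}), "")
    return findings


HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into a matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def ioc_hits(lines) -> list:
    """Scan DNS / proxy / EDR text lines; return (line_no, reasons) for each match."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw).lower()
        reasons = []
        for host in HOST_RE.findall(line):
            if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
                reasons.append(f"domain:{host}")
        reasons += [f"ip:{ip}" for ip in IP_RE.findall(line) if ip in IOC_IPS]
        reasons += [f"sha256:{h[:12]}" for h in SHA_RE.findall(line) if h in IOC_SHA256]
        reasons += [f"path:{p}" for p in sorted(IOC_PATHS) if p in line]
        if IOC_UA in line:
            reasons.append("user-agent")
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample input: a v3 lockfile pinning the poisoned release, plus log lines.
SAMPLE_LOCK = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
    },
}
SAMPLE_LOG = [
    "2026-03-31T10:02:11Z dns src=10.0.0.12 query=registry.npmjs.org type=A",
    "2026-03-31T10:02:13Z dns src=10.0.0.12 query=sfrclak.com type=A answer=142.11.206.73",
    '2026-03-31T10:02:14Z proxy src=10.0.0.12 GET http://sfrclak.com:8000/6202033 '
    'ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    "2026-03-31T10:03:01Z edr host=mac-dev-07 file_create /Library/Caches/com.apple.act.mond "
    "sha256=92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
    "2026-03-31T10:07:02Z dns src=10.0.0.30 query=callnrwise.com type=A",
    "2026-03-31T10:09:15Z edr host=ci-runner-3 process=python3 args=/tmp/ld.py parent=node",
]

if __name__ == "__main__":
    for f in lockfile_findings(SAMPLE_LOCK):
        print("LOCKFILE", f)
    for n, reasons in ioc_hits(SAMPLE_LOG):
        print(f"LOG line {n}: {', '.join(reasons)}")
```

To use it on a real environment, feed json.load() of each package-lock.json to lockfile_findings and stream exported DNS, proxy or EDR lines through ioc_hits; yarn and pnpm lockfiles use different layouts and need their own walker. A lockfile hit means the host should be treated as exposed and moved to steps 4 to 6 of the post (credential rotation, clean rebuild, persistence review) regardless of whether any network IOC was observed, since the C2 domains may have been resolved from a cache or blocked upstream.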