Executive Summary
The axios npm package — used by hundreds of thousands of JavaScript and Node.js projects and downloaded over 300 million times — was compromised in a confirmed supply chain attack attributed to Lazarus Group, a North Korean state-sponsored threat actor. Malicious versions v1.14.1 and v0.30.4 were published to the official npm registry on or around March 31, 2026, embedding NukeSped, a cross-platform Remote Access Trojan capable of running on Windows, macOS, and Linux. Any organization whose software pipelines installed or updated to these specific versions during the availability window may have deployed a backdoor into production, CI/CD, or developer environments.
Technical Analysis
Affected versions: axios v1.14.1 and v0.30.4 on the npm registry. Attack vector: compromise of the axios npm publishing account or its CI/CD pipeline (T1195.002, Compromise Software Supply Chain), enabling direct publication of trojanized packages to the official registry. The embedded payload is NukeSped, a RAT family previously attributed to Lazarus Group in CISA and US-CERT advisories. NukeSped provides remote command execution (T1059), ingress tool transfer (T1105), and C2 communication over standard web protocols (T1071.001). The malware is cross-platform, targeting Windows, macOS, and Linux. Exploitation requires only that a dependent project install or update to a malicious version; no user interaction is needed. Both malicious versions fall inside the caret ranges most projects declare (^1.14.0 admits 1.14.1, and ^0.30.3 admits 0.30.4), so any install that resolved semver ranges at install time during the availability window picked them up automatically, while installs driven by a committed lockfile (npm ci) received them only if the lockfile itself was regenerated or updated in that window. Relevant CWEs: CWE-1357 (reliance on insufficiently trustworthy component), CWE-494 (download of code without integrity check), CWE-506 (embedded malicious code). No CVE has been assigned as of this writing. Legitimate axios versions are unaffected; v1.14.0 and v0.30.3 are the last known-clean versions in their respective release lines. Compromise confirmed by Socket.dev, StepSecurity, Snyk, Wiz, and SANS Institute.
Action Checklist
- Containment — Immediately audit all package-lock.json, yarn.lock, and package.json files across repositories, pipelines, and deployed environments for any reference to axios v1.14.1 or v0.30.4, including copies nested under a transitive dependency's own node_modules. For deployed artifacts and container images that carry no lockfile, read node_modules/axios/package.json directly rather than running a fresh install. Isolate affected systems from the network pending investigation, and block outbound connections from systems confirmed to have installed either malicious version while investigation proceeds.
- Detection — Query SIEM and EDR for process execution anomalies on Node.js hosts: unexpected child processes spawned by node, outbound connections from node or npm processes to unfamiliar external IPs, and new scheduled tasks or persistence mechanisms created around the install timestamp. Review CI/CD pipeline logs and any retained npm install logs for install events resolving to the malicious versions. Check endpoint and network telemetry against published NukeSped IOCs. On Linux/macOS, inspect cron, launchd, and systemd unit files for entries added after the suspected install window.
- Eradication — Remove the malicious package and pin axios to the last known-clean version in your release line (v1.14.0 for v1.x, v0.30.3 for v0.30.x), verifying the pinned version's lockfile integrity hash against the legitimate npm registry. Run npm cache clean --force after removal to purge cached malicious tarballs. Reinstalling a clean axios is not remediation on its own: if the malicious version was ever installed and executed, treat that host as compromised. Rotate all secrets, tokens, API keys, and credentials accessible from any environment where the malicious version was installed, since NukeSped provides full remote access and credential harvesting. Rebuild affected containers, deployment artifacts, and developer or CI hosts from clean base images.
- Recovery — Redeploy from clean, verified build artifacts. Confirm axios version in all deployed environments post-remediation. Monitor affected hosts for 30+ days for residual C2 beaconing, lateral movement indicators, or persistence re-establishment. Validate that credential rotations are complete and that no lateral movement occurred from compromised developer or CI/CD environments into production systems.
- Post-Incident — This incident exposes gaps in software supply chain integrity controls. Enforce lockfile-driven installs (npm ci, or yarn install --frozen-lockfile on Yarn 1 and --immutable on Yarn 2+) so a build cannot silently resolve to a newly published version, and treat lockfile changes to widely used packages as reviewable events. Note the limits of the usual checks: package-lock.json integrity hashes only confirm that the downloaded tarball matches what was locked, not that the locked version is trustworthy, and npm audit relies on published advisories, so with no CVE assigned it would not have flagged these versions before an advisory existed. Evaluate adoption of SLSA framework controls for build provenance, and npm's provenance attestations for packages you publish. Enable two-factor authentication on all npm publishing accounts. Integrate a software composition analysis (SCA) tool into CI/CD pipelines with alerting on unexpected version changes to high-dependency packages. Review CISA and MITRE ATT&CK guidance on T1195.002 for additional defensive controls.
Detection Guidance
Primary detection focus: identify install events for axios v1.14.1 or v0.30.4 in your environment, then pivot to behavioral indicators of NukeSped activity. Query package-lock.json and yarn.lock files in all repositories for the exact version strings "1.14.1" or "0.30.4" under the axios entry, including nested copies under a transitive dependency. In CI/CD logs, search for npm install or yarn add events resolving to these versions from March 31, 2026 onward. On endpoints, look for: (1) node processes initiating outbound TCP connections to external IPs not in your known allowlist; (2) new persistence artifacts (registry run keys on Windows, launchd plists on macOS, cron/systemd entries on Linux) created in the timeframe following package install; (3) unexpected execution of cmd.exe, powershell.exe, /bin/sh, or /bin/bash as child processes of node. Network: alert on DNS queries and outbound connections to unfamiliar domains or IPs from developer workstations and CI/CD runners, particularly over ports 443, 80, or non-standard high ports. NukeSped C2 communication has historically used HTTP/S with encoded payloads, so look for beaconing patterns: repeated connections to the same destination at a near-constant interval, allowing for the jitter implants add deliberately. Cross-reference any identified IPs/domains against Lazarus Group IOC feeds from CISA, US-CERT, and threat intelligence platforms.