2026-05-05 00:56:45

6 Key Takeaways from the Axios Supply Chain Attack: How Autonomous AI EDR Stopped the Threat

Learn 6 critical lessons from the Axios supply chain attack and how SentinelOne's autonomous AI EDR defends at machine speed against credential hijacking and RAT deployment.

On March 31, 2026, a suspected North Korean state actor executed one of the most sophisticated supply chain attacks in recent memory. By hijacking the npm credentials of the primary maintainer of Axios—the most widely used HTTP client in the JavaScript ecosystem—they released two backdoored versions that spread a cross-platform remote access trojan (RAT) to millions of devices. Within 89 seconds of publication, the first infection occurred. At that pace, manual response isn't an option; it's a spectator sport. This article distills six critical lessons from the attack and explains how SentinelOne's AI-powered endpoint detection and response (EDR) autonomously defends against such threats at machine speed.

1. The Attack: A State-Level Credential Hijack in the npm Ecosystem

On March 31, 2026, the attacker—tracked as UNC1069 by Google Threat Intelligence and Sapphire Sleet by Microsoft—compromised the npm credentials of the primary Axios maintainer. They published axios@1.14.1 (tagged as "latest") and axios@0.30.4 (tagged as "legacy"), each introducing a single new dependency: plain-crypto-js@4.2.1. This purpose-built trojan executed a postinstall hook that silently deployed a cross-platform RAT, commonly referred to as WAVESHAPER.V2, which communicated over HTTP with command-and-control (C2) infrastructure at sfrclak[.]com (142.11.206[.]73). With approximately 100 million weekly downloads and an 80% presence in cloud and code environments, the attack had a massive potential impact. The malicious versions were live for three hours, resulting in an estimated 600,000 downloads with no user interaction beyond a routine npm install.

Source: www.sentinelone.com

2. Why Traditional “Trusted Publishing” Failed

Axios had adopted OIDC Trusted Publishing—the post-Shai-Hulud hardening measure npm promoted as the solution to credential-based attacks. However, the OIDC configuration coexisted with a long-lived npm access token. npm’s authentication logic prioritizes environment variable tokens over OIDC when both are present. The attacker stole the legacy token and bypassed every modern control. This reveals an architectural flaw: security controls that coexist with the mechanisms they are meant to replace create a false sense of protection. Axios had Trusted Publishing, SLSA provenance, and GitHub Actions workflows—none prevented the attack because the old key remained active. This underscores that layered security must enforce complete deprecation of legacy credentials, not just add new controls on top.
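
A publish workflow can be checked for the coexistence described above. The following is an added example, not code from the article or from the Axios project: it scans a GitHub Actions workflow for an OIDC permission alongside a stored npm token in the same publish path. The variable names NODE_AUTH_TOKEN and NPM_TOKEN and both sample workflows are assumptions constructed for the example.

```javascript
// Added example: line-based scan of a GitHub Actions workflow (no YAML parser).
// NODE_AUTH_TOKEN and NPM_TOKEN are the variable names assumed here; extend as needed.
const TOKEN_ENV = /^\s*(NODE_AUTH_TOKEN|NPM_TOKEN)\s*:\s*(.+)$/;

function auditWorkflow(text) {
  const out = { oidc: false, publishes: false, tokenRefs: [] };
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ""); // strip trailing comments
    if (/^\s*#/.test(line)) return; // whole-line comment
    if (/^\s*id-token\s*:\s*write\s*$/.test(line)) out.oidc = true;
    if (/\bnpm\s+publish\b/.test(line)) out.publishes = true;
    const m = line.match(TOKEN_ENV);
    if (m) out.tokenRefs.push({ line: i + 1, name: m[1], value: m[2].trim() });
  });
  // The failure mode from the article: both mechanisms present in one publish path.
  out.coexist = out.oidc && out.publishes && out.tokenRefs.length > 0;
  return out;
}

// Constructed workflow: OIDC is enabled, but a stored token is still injected.
const weakWorkflow = [
  "permissions:",
  "  id-token: write",
  "  contents: read",
  "jobs:",
  "  publish:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/setup-node@v4",
  "      - run: npm publish --provenance",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

// Corrected form: the stored token is no longer injected into the publish step.
const fixedWorkflow = weakWorkflow.split("\n").slice(0, 9).join("\n");

console.log(auditWorkflow(weakWorkflow), auditWorkflow(fixedWorkflow));
```

A clean result covers only the workflow file; the token itself still has to be revoked at the registry, since the failure described above was that the old key remained active.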

3. The Malicious Package: Technical Sophistication of WAVESHAPER.V2

The operational sophistication was striking. The attacker pre-staged a clean version of plain-crypto-js 18 hours before detonation to evade novelty-based detection—a tactic that makes traditional signature-based defenses useless. Publication occurred just after midnight UTC on a Sunday, maximizing the response window when security teams are least staffed. After execution, the malware self-deleted, swapping its malicious package.json for a clean stub, leaving forensic evidence only in lockfiles and audit logs. This autonomous cleanup meant that even after discovery, reconstructing the attack required deep expertise. The RAT communicated over HTTP to C2, allowing remote control of infected Windows, macOS, and Linux systems. This cross-platform capability highlighted the need for endpoint protection that covers all operating systems equally.
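
Because the on-disk package was replaced with a clean stub, the lockfile is the place to look. The following is an added example, not code from the article: it scans a parsed package-lock.json for the three name@version pairs named above, covering both the flat `packages` layout (lockfileVersion 2/3) and the nested `dependencies` tree (lockfileVersion 1). The sample lockfiles and the "legacy-sdk" package name are constructed.

```javascript
// Added example. The three name@version pairs come from the article;
// the lockfiles and the "legacy-sdk" package name are constructed.
const BAD = new Map([["axios", ["1.14.1", "0.30.4"]], ["plain-crypto-js", ["4.2.1"]]]);
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

function scanLockfile(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((BAD.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail.concat(name);
        check(name, meta.version, here.join(" > "));
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}
const sampleLockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: { "legacy-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } } },
};
console.log(scanLockfile(sampleLockV3), scanLockfile(sampleLockV1));
```

On a real project, pass `JSON.parse` of the lockfile contents to `scanLockfile`; the `where` field shows which parent pulled in a transitive copy.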

4. Speed of Attack: Why Manual Response Is Obsolete

The first infection was observed just 89 seconds after the malicious packages were published. With 600,000 downloads in a three-hour window, the attack spread exponentially. At this velocity, manual workflows offer no window for response—they only provide a spectator seat. Security operations centers (SOCs) that rely on human-in-the-loop processes cannot triage, analyze, and contain threats at machine speed. This attack demonstrates that autonomous, layered defense is not optional when adversaries operate at this pace. Organizations must deploy AI-driven detection and response that can act in milliseconds, not minutes, to block execution, quarantine systems, and initiate remediation without human intervention.

5. How SentinelOne's AI EDR Detected and Contained the Threat

SentinelOne protects customers from this attack with autonomous, layered defense at machine speed. From the moment the malicious package executed, SentinelOne’s AI EDR identified the anomalous behavior—the postinstall hook launching a process with outbound HTTP connections to an unknown domain. The agent’s behavioral AI models recognized the cross-platform RAT activity, flagged the file, and automatically contained the endpoint within milliseconds. Because the defense is autonomous, it required no signature update or prior knowledge of the package. The attack timeline shows that the first infection occurred 89 seconds after publication—and SentinelOne responded within that same window. For customers, this meant the malware was blocked from establishing persistence or exfiltrating data, even as the attacker’s C2 infrastructure remained active.

6. Defensive Measures to Strengthen Your Supply Chain

To protect against similar attacks, organizations should implement several key measures. First, enforce strict credential hygiene: eliminate long-lived API tokens entirely and rely solely on OIDC or short-lived tokens. Second, use runtime behavioral monitoring like SentinelOne’s AI EDR to detect malicious actions regardless of file origin. Third, implement software composition analysis (SCA) with real-time alerts for unusual dependency changes. Fourth, adopt a policy of automatic response for high-confidence threats—such as automatically isolating endpoints where a postinstall hook spawns unknown network connections. Fifth, ensure your defense covers all operating systems (Windows, macOS, Linux) equally, as attackers increasingly target cross-platform ecosystems. Finally, regularly audit npm packages in your supply chain and use tools like npm audit together with endpoint protection to catch compromises early.

Conclusion

The Axios supply chain attack is a stark reminder that state-level actors will exploit every weakness—including legacy credentials, timing, and human response latency. Manual security processes are no match for adversaries who can compromise a package and infect hundreds of thousands of systems within minutes. Autonomous AI-driven defense, like that provided by SentinelOne, is no longer a luxury; it is a necessity. By learning from this incident and adopting layered, machine-speed protections, organizations can significantly reduce their risk of similar supply chain compromises. The key is to move from reactive security to proactive, autonomous defense that operates at the same velocity as the attackers.