惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
博客园_首页
博客园 - 聂微东
V
V2EX
WordPress大学
WordPress大学
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
SegmentFault 最新的问题
J
Java Code Geeks
Last Week in AI
Last Week in AI
The Cloudflare Blog
月光博客
月光博客
雷峰网
雷峰网
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
博客园 - Franky
腾讯CDC
Jina AI
Jina AI
博客园 - 叶小钗
大猫的无限游戏
大猫的无限游戏
阮一峰的网络日志
阮一峰的网络日志
量子位
爱范儿
爱范儿
美团技术团队
T
Tailwind CSS Blog
博客园 - 【当耐特】
D
Docker
IT之家
IT之家
V
Visual Studio Blog
P
Proofpoint News Feed
L
LangChain Blog
Engineering at Meta
Engineering at Meta
C
Check Point Blog
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
云风的 BLOG
云风的 BLOG
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
Recorded Future
Recorded Future

Sophos Blogs

Sophos and the Cybersecurity Poverty Line You do surprise me.exe: An unexpected executable in Hola Browser You do surprise me.exe: An unexpected executable in Hola Browser Pointing a Cursor at evading detection Pointing a Cursor at evading detection Pointing a Cursor at evading detection Canvas attack aftermath: What risks come next Canvas attack aftermath: What risks come next? Gartner EPP MQ-17 Sophos named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection Platforms for the 17th consecutive report GitHub internal repositories breached. GitHub internal repositories breached WantToCry ransomware remotely encrypts files WantToCry ransomware remotely encrypts files Why AMOS matters: The macOS malware stealing data at scale Why AMOS matters: The macOS malware stealing data at scale May’s Patch Tuesday hauls out 132 CVEs May’s Patch Tuesday hauls out 132 CVEs Operating inside the lethal trifecta: Blast radius reduction in AI agent deployments Sophos Endpoint in action: Blocking a novel supply chain attack Inside the lethal trifecta: Blast radius reduction in AI agent deployments Ransomware: AI changes the writer. It doesn't change the math. GPT-5.5-Cyber is here. What it means for defenders operating at the frontier. Donuts and Beagles: Fake Claude site spreads backdoor QEMU abused to evade detection and enable ransomware delivery Adobe Reader zero-day vulnerability in active exploitation We let OpenClaw loose on an internal network. Here’s what it found The vulnerability flood is here. Here’s what it means – and how to prepare Is compliance complexity outpacing IT capacity? Sophos named a 2026 Gartner® Peer Insights™ Customers' Choice for Managed Detection and Response Amazon GuardDuty enhances detection efficacy with Sophos threat intelligence The Cybersecurity Trust Reality in 2026 The High Cost of Low Trust: Our Commitment to Radical Transparency Incident responders, s'il vous plait: Invites lead to odd malware events Sophos Firewall、「G2 Spring 2026」レポートでファイアウォールソリューション総合第1位を獲得 世界の CISO の現状: 無視できないリーダーシップギャップの大きさ レポートのエンドポイント、EDR、XDR、MDR、ファイアウォール各部門で総合 1 位に Android devices ship with firmware-level malware March Patch Tuesday visits 15 product families From Security Operations to Security Leadership: Sophos CISO Advantage
Axios npm package compromised to deploy malware
About the author · 2026-03-31 · via Sophos Blogs

On March 30, 2026, a supply chain security attack targeted Axios, a widely used JavaScript HTTP client for web and Node.js applications. Third-party researchers identified that Axios versions 1.14.1 and 0.30.4 published to the npm registry were compromised following the apparent takeover of a legitimate maintainer account. An attacker published unauthorized package updates that appeared legitimate.

The affected releases introduced a malicious dependency that executes during installation and deploys a cross‑platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform‑specific second‑stage payloads. After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection.

Sophos observations

Activity related to this threat was first detected in Sophos customer telemetry at approximately 00:45 UTC on March 31, with widespread impact by 01:00 UTC. MacOS, Windows, and Linux systems were impacted, but there is no evidence of threat actors conducting follow-on activity as of this publication.

Counter Threat Unit™ (CTU) analysis of the Axios npm compromise revealed artifacts linked to previous activity attributed to the NICKEL GLADSTONE threat group. This state-sponsored group focuses on generating revenue for the North Korean regime. The artifacts include identical forensic metadata and command and control (C2) patterns, as well as connections to malware exclusively used by NICKEL GLADSTONE. Based on these artifacts, it is highly likely that NICKEL GLADSTONE is responsible for the Axios attacks.

Recommended actions

CTU™ researchers recommend that organizations review Axios packages in their environments and determine if potentially affected versions have been installed. Organizations should update vulnerable packages to trusted versions or apply appropriate mitigations. CTU researchers also advise reviewing system and application logs for unusual activity that may indicate compromise.

Protections and threat indicators

The following Sophos protections relate to this threat:

  • JS/Agent-BLYB
  • Troj/PSAgent-CN
  • Troj/PyAgent-BZ
  • OSX/NukeSped-CB
  • WIN-EVA-PRC-RENAMED-POWERSHELL-1

The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domains, URL, and IP address may contain malicious content, so consider the risks before opening them in a browser.

IndicatorTypeContext
21d2470cae072cf2d027d473d168158cMD5 hashMalicious Axios version (axios-1.14.1.tgz)
2553649f2322049666871cea80a5d0d6adc700caSHA1 hashMalicious Axios version (axios-1.14.1.tgz)
5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cdSHA256 hashMalicious Axios version (axios-1.14.1.tgz)
d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71SHA1 hashMalicious Axios version (axios-0.30.4.tgz)
59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0fSHA256 hashMalicious Axios version (axios-0.30.4.tgz)
db7f4c82c732e8b107492cae419740abMD5 hashMalicious Axios version (plain-crypto-js-4.2.1.tgz)
07d889e2dadce6f3910dcbc253317d28ca61c766SHA1 hashMalicious Axios version (plain-crypto-js-4.2.1.tgz)
58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668SHA256 hashMalicious Axios version (plain-crypto-js-4.2.1.tgz)
7658962ae060a222c0058cd4e979bfa1MD5 hashArtifact from Axios attack (setup.js)
b0e0f12f1be57dc67fa375e860cedd19553c464dSHA1 hashArtifact from Axios attack (setup.js)
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09SHA256 hashArtifact from Axios attack (setup.js)
089e2872016f75a5223b5e02c184dfecMD5 hashWindows first-stage payload in Axios attacks (system.bat)
978407431d75885228e0776913543992a9eb7cc4SHA1 hashWindows first-stage payload in Axios attacks (system.bat)
f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cdSHA256 hashWindows first-stage payload in Axios attacks (system.bat)
04e3073b3cd5c5bfcde6f575ecf6e8c1MD5 hashWindows second-stage payload in Axios attacks (6202033 PowerShell RAT)
a90c26e7cbb3440ac1cad75cf351cbedef7744a8SHA1 hashWindows second-stage payload in Axios attacks (6202033 PowerShell RAT)
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101SHA256 hashWindows second-stage payload in Axios attacks (6202033 PowerShell RAT)
7a9ddef00f69477b96252ca234fcbeebMD5 hashmacOS payload in Axios attacks (com.apple.act.mond)
13ab317c5dcab9af2d1bdb22118b9f09f8a4038eSHA1 hashmacOS payload in Axios attacks (com.apple.act.mond)
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645aSHA256 hashmacOS payload in Axios attacks (com.apple.act.mond)
9663665850cdd8fe12e30a671e5c4e6fMD5 hashLinux payload in Axios attacks (ld.py)
59faac136680104948e083b3b67a70af9bfa5d5eSHA1 hashLinux payload in Axios attacks (ld.py)
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cfSHA256 hashLinux payload in Axios attacks (ld.py)
8c782b59a786f18520673e8d669e3b0aMD5 hashWindows malware persistence file in Axios attacks (system.bat)
ae39c4c550ad656622736134035f17ca7a66a742SHA1 hashWindows malware persistence file in Axios attacks (system.bat)
e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ffSHA256 hashWindows malware persistence file in Axios attacks (system.bat)
sfrclak[.]comDomain nameC2 server linked to Axios attacks
callnrwise[.]comDomain nameLinked to Axios attackers
hxxp://sfrclak[.]com:8000/6202033URLC2 server linked to Axios attacks
142[.]11[.]206[.]73IP addressC2 server linked to Axios attacks
nrwise@proton[.]meEmail addressLinked to Axios attackers
ifstap@proton[.]meEmail addressLinked to Axios attackers
C:\ProgramData\wt.exeFile pathWindows malware location in Axios attacks
C:\ProgramData\system.batFile pathWindows first-stage malware location in Axios attacks

Table 1: Indicators for this threat