Tags: malware, critical, Remote Access Trojan, Supply Chain Attack, RustBucket, WAVESHAPER, Bluenoroff, Sapphire Sleet

Apr 02, 2026 • SentinelOne

Securing the Supply Chain: How SentinelOne®’s AI EDR Stops the Axios Attack Autonomously


Source: SentinelOne
Category: malware
Severity: critical

Executive Summary

A North Korean state actor, tracked as UNC1069, Sapphire Sleet, and BlueNoroff, executed a critical supply chain attack against the Axios npm package on March 31, 2026. By compromising maintainer credentials, the adversary published backdoored releases deploying the WAVESHAPER.V2 remote access trojan across Windows, macOS, and Linux systems. Approximately 600,000 downloads occurred within a three-hour window before detection. The attack bypassed OIDC Trusted Publishing by exploiting coexisting legacy access tokens. SentinelOne autonomously blocked the threat using behavioral detection and global hash blocklists. Mitigation requires removing legacy authentication tokens, enforcing strict OIDC configurations, and deploying autonomous EDR solutions capable of machine-speed response. This incident highlights the persistent risk of credential theft in software supply chains and the necessity of layered defense strategies against sophisticated state-level adversaries targeting open-source ecosystems.

Summary

Read our blog post to learn how SentinelOne’s AI EDR autonomously stopped a global LiteLLM supply chain attack before execution.

Published Analysis

A guide to the suspected North Korean cyber attack—and how SentinelOne defends against it at machine speed

On March 31, 2026, a North Korean state actor hijacked the npm credentials of the primary Axios maintainer and published two backdoored releases that deployed a cross-platform remote access trojan (RAT) to Windows, macOS, and Linux systems. Axios is the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly downloads and a presence in roughly 80% of cloud and code environments. The malicious versions were live for approximately three hours. An estimated 600,000 downloads occurred during that window with no user interaction required beyond a routine npm install.
SentinelOne protects against this attack, demonstrating why autonomous, layered defense at machine speed is not optional when adversaries operate at this velocity. In this attack, the first infection was observed 89 seconds after publication. At that pace, manual workflows do not have a response window. They have a spectator seat. For SentinelOne’s customers and partners, here’s a quick overview of the compromise, SentinelOne’s response, and steps you can take to further protect your environment.

What Happened: The Anatomy of a State-Level Supply Chain Weapon

The attacker, tracked as UNC1069 by Google Threat Intelligence and Sapphire Sleet by Microsoft, compromised maintainer credentials and published [email protected] (tagged “latest”) and [email protected] (tagged “legacy”). Each version introduced a single new dependency: [email protected], a purpose-built trojan. The malicious package’s postinstall hook silently deployed a cross-platform RAT, commonly referred to as WAVESHAPER.V2, communicating over HTTP to C2 infrastructure at sfrclak[.]com (142.11.206[.]73).

The operational sophistication was striking. The attacker pre-staged a clean version of plain-crypto-js 18 hours before detonation to evade novelty-based detection. Publication occurred just after midnight UTC on a Sunday to maximize the response window. The malware self-deleted after execution, swapping its malicious package.json for a clean stub, leaving forensic evidence only in lockfiles and audit logs.

Most critically, Axios had adopted OIDC Trusted Publishing, the post-Shai-Hulud hardening measure npm promoted as the solution to credential-based attacks. But the OIDC configuration coexisted with a long-lived npm access token. npm’s authentication logic prioritizes environment variable tokens over OIDC when both are present. The attacker stole the legacy token and bypassed every modern control the project had in place.
The issue is architectural: security controls that coexist with the mechanisms they are meant to replace provide a false sense of protection. Axios had Trusted Publishing, SLSA provenance, and GitHub Actions workflows. None of it mattered because the old key was still under the mat.

How SentinelOne Is Protecting Customers

Behavioral Detection via the Lunar Engine

SentinelOne’s Lunar behavioral engine detects the renamed binary execution technique central to the Windows attack chain, in which PowerShell is copied to %PROGRAMDATA%\wt.exe and executed under a disguised process. The RenamedBinExecution logic catches this behavior regardless of the specific payload hash, providing durable detection against variants.

Global Hash Blocklist

All known stage payloads, malicious npm package tarballs, and RAT binaries across Windows, macOS, and Linux have been added to the SentinelOne Cloud blocklist with a globally blocked reputation status. This provides immediate protection for all customers with cloud-connected agents.

Wayfinder Threat Hunting

The Wayfinder Threat Hunting team executed proactive hunts across all MDR regions and operating systems using Axios-specific IOCs, including DNS queries to sfrclak[.]com, ...

Linked Entities

  • RustBucket
  • WAVESHAPER
  • Bluenoroff
  • Sapphire Sleet
  • UNC1069