{
  "title": "Axios npm Package Compromise (UNC1069)",
  "summary": "On March 31, 2026, the popular JavaScript HTTP client Axios was compromised: attackers hijacked a lead maintainer's npm account and published malicious versions that included a phantom dependency, which was used to drop a cross-platform Remote Access Trojan (RAT).",
  "date": "2026-03-31",
  "severity": "critical",
  "tags": [
    "npm",
    "supply-chain",
    "compromise",
    "RAT",
    "waveshaper",
    "unc1069"
  ],
  "sources_count": 9,
  "indicators": {
    "slug": "axios-npm-compromise",
    "since": "2026-03-31T00:21:00Z",
    "until": "2026-03-31T23:59:59Z",
    "ecosystem": "npm",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "axios",
      "plain-crypto-js"
    ],
    "versions": [
      "axios@1.14.1",
      "axios@0.30.4",
      "plain-crypto-js@4.2.1"
    ],
    "affectedVersions": [],
    "fixedVersions": [
      "axios@1.14.0",
      "axios@0.30.3"
    ],
    "files": [
      "/Library/Caches/com.apple.act.mond",
      "%PROGRAMDATA%\\wt.exe",
      "/tmp/ld.py"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "sfrclak.com",
      "com.apple.act.mond"
    ],
    "urls": [
      "https://sfrclak.com/api/v1/beacon",
      "https://sfrclak.com/payloads/",
      "http://sfrclak.com:8000",
      "https://google.com",
      "https://elastic.co",
      "https://paloaltonetworks.com",
      "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    ],
    "ips": [
      "142.11.206.73"
    ],
    "hashes": [
      "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",
      "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
      "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",
      "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}