DEV Community

Mark0

Securing the Supply Chain: How SentinelOne®’s AI EDR Stops the Axios Attack Autonomously

On March 31, 2026, a North Korean state actor (UNC1069/Sapphire Sleet) executed a high-velocity supply chain attack by hijacking npm credentials for the Axios library. The attacker published backdoored versions that deployed a cross-platform remote access trojan (RAT) named WAVESHAPER.V2. Despite Axios using modern OIDC Trusted Publishing, the actor bypassed these controls by exploiting a legacy npm access token left in the environment. The incident resulted in approximately 600,000 downloads within a three-hour window before the malicious packages were removed.

SentinelOne defends against this campaign with its Lunar behavioral engine, which flags techniques such as renamed binary execution and unauthorized PowerShell activity. The SentinelOne Wayfinder team further supports organizations through proactive threat hunting and global hash blocklisting. To mitigate risk, practitioners are advised to audit their environments for the 'plain-crypto-js' dependency, rotate all cloud and CI/CD credentials, and enforce strict lockfile discipline so that packages cannot be updated without review.
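The audit step above can be started from the lockfile rather than from `node_modules`. The script below is an added example, not code from the article or from SentinelOne: it walks an npm `package-lock.json` (the `packages` map of lockfileVersion 2/3, or the nested `dependencies` tree of version 1) and reports where a named package is installed and which packages pull it in. The embedded lockfile and its version strings are constructed placeholders.

```javascript
// Audit an npm lockfile for a named dependency and report every package
// that is installed under that name or that declares it as a dependency.
// SAMPLE_LOCK is a constructed lockfile; versions are placeholders, not
// the versions involved in the incident.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "0.0.0-placeholder",
      dependencies: { "plain-crypto-js": "*" }
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" }
  }
};

// lockfileVersion 1 keeps a nested tree: each entry lists its direct
// requirements under `requires` and nested installs under `dependencies`.
function walkV1(deps, suspect, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (name === suspect)
      findings.push({ kind: "installed", path: name, version: entry.version });
    if (entry.requires && suspect in entry.requires)
      findings.push({ kind: "dependent", dependent: name, range: entry.requires[suspect] });
    walkV1(entry.dependencies, suspect, findings);
  }
}

// Returns a list of findings; an empty list means the package is absent.
function auditLockfile(lock, suspect) {
  const findings = [];
  if (lock.lockfileVersion === 1) {
    walkV1(lock.dependencies, suspect, findings);
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "" is the project root; other keys end in "node_modules/<name>".
    const name = entry.name || path.split("node_modules/").pop();
    if (name === suspect)
      findings.push({ kind: "installed", path, version: entry.version });
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (suspect in deps)
      findings.push({ kind: "dependent", dependent: name, range: deps[suspect] });
  }
  return findings;
}

// Stand-alone run: audit a real lockfile given as argv[2], else the sample.
if (typeof require === "function" && process.argv[2]) {
  const real = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  console.log(JSON.stringify(auditLockfile(real, "plain-crypto-js"), null, 2));
} else {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, "plain-crypto-js"), null, 2));
}
```

Run it against a real file with `node audit.js path/to/package-lock.json`; a non-empty result identifies both the install path and the package that introduced the dependency, which is the starting point for the credential rotation and lockfile review described above.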
