// 01Executive summary

On March 31, 2026, the npm package axios was compromised through a maintainer account hijack, and malicious versions 1.14.1 and 0.30.4 were published. Both versions pull in the malicious dependency plain-crypto-js@4.2.1, which delivers a cross-platform Remote Access Trojan (RAT) that gives the operator full control of Windows, macOS, and Linux hosts. Immediate action is required: locate and remove axios 1.14.1, axios 0.30.4, and plain-crypto-js@4.2.1 from every environment, including lockfiles, CI caches, and container images. Block the C2 endpoint sfrclak.com:8000 (142.11.206.73) at the network perimeter to stop further compromise and data exfiltration. The incident is attributed with high confidence to BlueNoroff, a financially motivated subgroup of Lazarus Group, and is an urgent software supply chain threat.

// 02Key metrics

  • ATT&CK techniques: 4
  • indicators: 49
  • threat groups: 1
  • keywords: 10

// 03MITRE ATT&CK

// 04Threat actors

// 05Indicators of compromise

// ips (5)

  • 142.11.206.73
  • 23.254.253.75
  • 142.11.209.109
  • 23.254.226.90
  • 104.168.214.151

// domains (12)

  • sfrclak.com (C2, port 8000; see summary)
  • callnrwise.com
  • nrwise.com
  • matuaner.com
  • delphidigital.org
  • selinicapital.com
  • zoom-client.com
  • us05web-zoom.biz
  • metamask.awaitingfor.site
  • productnews.online
  • firstfromsep.online
  • swissborg.blog

// file names and dotted identifiers mis-extracted as domains (11)

  • axios-1.14.1.tgz
  • axios-0.30.4.tgz
  • plain-crypto-js-4.2.1.tgz
  • node.js
  • setup.js
  • package.md
  • trojan.boxter
  • com.apple.act.mond
  • com.apple.security.cs.debugger
  • axios-supply-chain-attack-pushes-cross.html
  • teampcp-pushes-malicious-telnyx.html

// urls, C2 (1)

  • http://sfrclak.com:8000/6202033

// urls, references (12; several truncated at extraction)

  • https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus
  • https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
  • https://www.elastic.co/security-
  • https://www.jamf.com/blog/bluenoroff-
  • https://snyk.io/blog/a-post-mortem-of-the-
  • https://about.codecov.io/security-update/
  • https://sansec.io/research/polyfill-supply-chain-attack
  • https://www.openwall.com/lists/oss-
  • https://www.ic3.gov/PSA/2024/PSA240903
  • https://security.criticalstart.com/rs/586-OQG-
  • https://www.sonatype.com/state-of-the-software-supply-
  • https://www.stepsecurity.io/blog/axios-compromised-on-npm-

// sha256 (8)

  • e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
  • 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
  • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
  • f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd
  • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
  • 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668
  • 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd
  • 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f

// md5 (1)

  • 0c0fc7a0c23cdb5e1c8f66b208053ed6

// emails (0)

none

// cves (0)

none

// 08Keywords

  • com (13.88)
  • malicious (11.87)
  • axios (11.16)
  • execution (10.97)
  • supply (10.81)
  • chain (10.49)
  • supply chain (10.32)
  • critical (10.20)
  • software (10.07)
  • critical start (9.73)

// 09Attack chain

// 10Technical mitigations
