Defending Against Supply Chain Attacks: How AI-Powered EDR Neutralized the Axios RAT Campaign

Posted by u/Glee21 Stack · 2026-05-03 15:03:54

The March 2026 compromise of the Axios npm package by a North Korean state actor exposed the fragility of software supply chains. Within 89 seconds of the malicious release, SentinelOne's autonomous AI EDR detected and countered the threat—proving that only machine-speed defenses can keep pace with adversaries. Below, we unpack the attack's mechanics, the failure of legacy security controls, and how SentinelOne stops such attacks autonomously.

What exactly happened during the Axios npm attack?

On March 31, 2026, an attacker hijacked the npm credentials of the primary maintainer of Axios, the most widely used HTTP client in JavaScript (100 million weekly downloads, present in ~80% of cloud environments). They published two backdoored versions: axios@1.14.1 (tagged 'latest') and axios@0.30.4 (tagged 'legacy'). Each introduced a single malicious dependency: plain-crypto-js@4.2.1. This trojan's postinstall hook silently deployed a cross-platform RAT (remote access trojan) called WAVESHAPER.V2, communicating over HTTP to C2 infrastructure at sfrclak[.]com. The malicious packages were live for about three hours, during which an estimated 600,000 downloads occurred without any user interaction beyond a routine npm install. The first infection was observed just 89 seconds after publication, illustrating the need for instantaneous defense.

Source: www.sentinelone.com

Who was behind the attack and how did they compromise the credentials?

The attacker is tracked as UNC1069 by Google Threat Intelligence and Sapphire Sleet by Microsoft—a suspected North Korean state actor. They compromised the maintainer's npm credentials, specifically a long-lived npm access token. Crucially, the Axios project had adopted OIDC Trusted Publishing, a modern hardening measure promoted to prevent credential-based attacks. However, the OIDC configuration coexisted with the legacy token. npm's authentication logic prioritizes environment variable tokens over OIDC when both are present. The attacker exploited this by stealing the legacy token, bypassing the modern control entirely. This architectural flaw—security controls coexisting with the mechanisms they are meant to replace—created a false sense of protection. SLSA provenance and GitHub Actions workflows were also in place but irrelevant once the old key was compromised.

Why did existing security measures like OIDC fail to prevent the attack?

The failure was not in the OIDC technology itself but in its implementation. The Axios project had OIDC Trusted Publishing enabled alongside a long-lived npm access token. npm's authentication logic gives precedence to environment variable tokens when both are present. The attacker stole the legacy token, effectively walking through an unlocked back door while the front door had high-tech locks. This scenario underscores a critical lesson: security controls that coexist with the mechanisms they replace provide a false sense of protection. The project had SLSA provenance, GitHub Actions workflows, and Trusted Publishing—all rendered useless because the old key remained active. The attacker exploited this architectural oversight, bypassing every modern control the project had in place. The lesson is clear: removing legacy credentials is as important as adding new security layers.
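
The coexistence described above can be checked mechanically. This added example (not code from Axios, npm or SentinelOne) scans a GitHub Actions workflow for an OIDC `id-token: write` permission alongside an npm token environment variable; the variable names `NODE_AUTH_TOKEN` and `NPM_TOKEN` and both sample workflows are assumptions constructed for illustration.

```javascript
// Added example: flag publish workflows where OIDC Trusted Publishing and a
// long-lived npm token coexist. The variable names are assumed conventions.
const TOKEN_VARS = /^\s*(NODE_AUTH_TOKEN|NPM_TOKEN)\s*:\s*\S/;
const OIDC_PERMISSION = /^\s*id-token:\s*write\s*$/;

function auditWorkflow(yamlText) {
  const oidcLines = [];
  const tokenLines = [];
  yamlText.split("\n").forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ""); // ignore YAML comments
    if (OIDC_PERMISSION.test(line)) oidcLines.push(i + 1);
    if (TOKEN_VARS.test(line)) tokenLines.push(i + 1);
  });
  // The risky state is both at once: per the article, the token takes
  // precedence, so the OIDC setup protects nothing.
  const coexist = oidcLines.length > 0 && tokenLines.length > 0;
  return { oidcLines, tokenLines, coexist };
}

// Constructed sample: Trusted Publishing enabled, legacy token still injected.
const weakWorkflow = [
  "permissions:",
  "  id-token: write   # OIDC Trusted Publishing",
  "  contents: read",
  "jobs:",
  "  publish:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: npm publish",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

// Constructed sample: the same job with the token lines removed.
const hardenedWorkflow = weakWorkflow.split("\n").slice(0, 8).join("\n");

console.log(auditWorkflow(weakWorkflow));
console.log(auditWorkflow(hardenedWorkflow));
```

A clean result only shows the workflow no longer injects the token; the token itself still has to be revoked at the registry.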

How did the attackers evade detection and leave minimal forensic evidence?

The attacker demonstrated operational sophistication. They pre-staged a clean version of plain-crypto-js 18 hours before the malicious release, to evade novelty-based detection systems that flag only new or unknown files. Publication occurred just after midnight UTC on a Sunday to maximize the response window, exploiting lower staffing levels. After execution, the malware self-deleted and swapped its malicious package.json for a clean stub. This left forensic evidence only in lockfiles and audit logs, making manual investigation challenging. The combination of pre-staging, timing, and self-destruction created a scenario where traditional detection tools were blind to the threat. Only autonomous, behavior-based AI defenses could catch such a stealthy attack in its earliest moments.
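
Because the malware replaces its own package.json, the lockfile is the place to look. The following is an added example, not code from the original article or from SentinelOne: it matches a parsed package-lock.json against the three releases named above, and both sample lockfiles (including the `demo-app`, `demo-sdk` and `left-pad` entries) are constructed for illustration.

```javascript
// Added example: match a parsed package-lock.json against the releases
// this article names as backdoored.
const BAD = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);

function findCompromised(lock) {
  const hits = [];
  const check = (name, entry, where) => {
    if ((BAD.get(name) || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, where });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    check(entry.name || path.split("node_modules/").pop(), entry, path);
  }
  // lockfileVersion 1: entries nest under "dependencies".
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry, trail.concat(name).join(" > "));
      walk(entry.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/demo-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "demo-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};

console.log(findCompromised(sampleV3));
console.log(findCompromised(sampleV1));
```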

How does SentinelOne's AI EDR protect against such supply chain threats autonomously?

SentinelOne's AI-powered Endpoint Detection and Response (EDR) operates at machine speed, with no human intervention required. In this attack, the first infection was detected just 89 seconds after the malicious package was published—before manual teams could even react. The platform uses behavioral AI to identify anomalous process execution patterns, such as the postinstall hook deploying a RAT. It correlates events across the kill chain, from the modified package.json to the C2 communication. Autonomous response actions—like killing the process, quarantining files, and blocking network connections—are executed in milliseconds. This layered defense stops attacks at every stage, even when adversaries pre-stage clean files and self-delete artifacts. Because it doesn't rely solely on signatures or novelty detection, SentinelOne catches zero-day supply chain attacks that evade traditional tools.

What can organizations do to further protect their environments from similar attacks?

While autonomous EDR is critical, organizations should take additional steps. First, audit and remove legacy credentials—OIDC Trusted Publishing means nothing if old tokens remain active. Second, implement strict dependency monitoring with tools that alert on unexpected new packages or modified install scripts. Third, enable runtime behavioral analysis on all endpoints, especially those that run npm install commands. Fourth, adopt supply chain provenance verification such as SLSA attestation to ensure packages haven't been tampered with. Fifth, segment networks to limit the blast radius of any compromised system. Finally, leverage AI-driven EDR that can detect and respond autonomously within seconds—because as this attack shows, manual workflows have no response window. They have a spectator seat.
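
One way to implement the dependency-monitoring step, as an added example that is not from the original article or any vendor tool: compare the lockfile before and after an update and report packages that are new to the project or that gained an install script. The `demo-logger` package, the axios baseline version 1.14.0 and both lockfiles are constructed; `hasInstallScript` is the field npm records in lockfileVersion 2/3 entries.

```javascript
// Added example: report what a lockfile change introduces. Novelty is judged
// against this project's own tree, so a package pre-staged on the registry
// hours earlier is still reported as new here.
function diffLockfiles(before, after) {
  const previous = new Map(Object.entries(before.packages || {}));
  const alerts = [];
  for (const [path, entry] of Object.entries(after.packages || {})) {
    if (path === "") continue; // root project
    const name = entry.name || path.split("node_modules/").pop();
    const old = previous.get(path);
    let reason = null;
    if (!old) {
      reason = entry.hasInstallScript
        ? "new package with install script"
        : "new package";
    } else if (entry.hasInstallScript && !old.hasInstallScript) {
      reason = "install script added";
    }
    if (reason) {
      alerts.push({ name, from: old ? old.version : null, to: entry.version, reason });
    }
  }
  return alerts;
}

// Constructed lockfiles: a routine update that pulls in the backdoored release.
const lockBefore = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.14.0" }, // constructed baseline version
    "node_modules/demo-logger": { version: "3.1.0" },
  },
};
const lockAfter = {
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/demo-logger": { version: "3.1.1", hasInstallScript: true },
  },
};

console.log(diffLockfiles(lockBefore, lockAfter));
```

Run as a CI gate on pull requests that touch the lockfile, this surfaces the added dependency before `npm install` executes its postinstall hook on a build machine.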