Axios Attacker Behind Three More Malicious NPM Packages
Three malicious NPM packages connected to the March Axios compromise have been quietly harvesting developer credentials since early April
By c0a15726-c5b1-4b0d-85e6-fe15553df9e2
The OpenSourceMalware team has identified three malicious NPM packages that deliver a capable infostealer and that appear to be connected to the high-profile Axios package compromise that shook the JavaScript ecosystem in March 2026. While the security community focused on the immediate Axios incident response, the same threat actor was quietly deploying secondary infrastructure that has been harvesting developer credentials for nearly two months.
These packages are a deliberate follow-up campaign: they reuse the XOR string-decryption key from the original Axios payload but talk to different command-and-control (C2) infrastructure, so blocklists and hunts built on the known Axios IOCs do not catch them.

The March 2026 Axios compromise
On March 31, 2026, attackers compromised the npm account of axios lead maintainer Jason Saayman through a social engineering campaign (a fake company, a branded Slack workspace, and a Teams call with a malicious "fix" prompt) and published two backdoored versions, 1.14.1 and 0.30.4. Both injected a phantom dependency, plain-crypto-js@4.2.1, whose postinstall hook fetched a cross-platform RAT for Windows, macOS, and Linux from sfrclak[.]com:8000 before deleting itself and overwriting its own package.json. The attacker bypassed axios's OIDC publishing workflow with a stolen long-lived npm token. The malicious versions were live for about three hours before removal, but with roughly 100M weekly downloads the blast radius was significant. Google Threat Intelligence Group attributed the campaign to UNC1069, a financially motivated North Korea-nexus actor; Microsoft tracks the same activity as Sapphire Sleet.
Many outlets called it the biggest software supply chain attack of the year, and hundreds, possibly thousands, of organizations around the world were affected.
To understand the significance of this new discovery, it's crucial to recall the timeline of the original Axios compromise:
Date | Axios Incident Events
March 30, 2026 | plain-crypto-js@4.2.0 published to NPM as attack preparation
March 31, 00:21 UTC | axios@1.14.1 released with malicious dependency injection
March 31, ~01:00 UTC | axios@0.30.4 published; external detections begin
March 31, 01:38 UTC | Collaborator opened deprecation PR and contacted NPM
March 31, 03:15 UTC | Malicious Axios versions removed from NPM
March 31, 03:29 UTC | plain-crypto-js removed from NPM
The original Axios attack lasted approximately 3 hours and used social engineering to compromise the lead maintainer's computer, gaining access to NPM publishing credentials. The attack payload established C2 communication with sfrclak[.]com (142.11.206.73:8000).
The deployment timeline of these secondary packages reveals a calculated response to the Axios incident containment:
Date | Secondary Campaign Events
March 31, 2026 | Axios malicious versions removed from NPM (03:15 UTC)
April 1, 2026 | redeem-onchain-sdk@1.0.0 first published (~18 hours later)
April 2, 2026 | First update to redeem-onchain-sdk
April 23, 2026 | Version 1.0.2 of redeem-onchain-sdk published
April 29, 2026 | Rapid iteration with versions 1.0.4 through 1.0.7
April-May 2026 | nicegui and period-newline packages published
The timing is remarkable: roughly 18 hours after the malicious Axios versions were removed from NPM, the first secondary payload was already live on the registry. This suggests the threat actor had backup infrastructure prepared and was ready to deploy alternative delivery mechanisms immediately.
The attackers have been operating this secondary campaign for nearly two months, refining their approach while security attention remained focused on the known Axios IOCs.
Analysis of newly-discovered malware
The connection to the March 2026 Axios compromise becomes clear when examining the cryptographic artifacts of the latest packages. All three packages use the identical XOR decryption key `OrDeR_7077` that was first observed in the original Axios attack payload. However, while the Axios incident used C2 infrastructure at sfrclak[.]com (142.11.206.73:8000), these packages communicate with entirely different infrastructure at 18.208.244.120:9999.
This suggests a deliberate strategy: deploy secondary infrastructure with the same malware capabilities but different IOCs to maintain persistence even after the primary campaign infrastructure was discovered and blocked. The delivery method is different too. Rather than hijacking a widely used package, the actor seeds these packages as dependencies of public GitHub repositories and then invites Polymarket developers to collaborate on those repositories, so the victim installs the malicious dependency as part of a seemingly legitimate project.
The Secondary Payload Trio
The ryanmccollum1 NPM user has published seven packages with 5,285 downloads in total:
redeem-onchain-sdk: 2,746 downloads
nicegui: 1,609 downloads
period-newline: 387 downloads
agent-trace-kit: 140 downloads
mcp-contract-tester: 139 downloads
agui-session-recorder: 132 downloads
neat-terminal-visualizer-84721: 132 downloads
Three of the seven carry the infostealer, with lures chosen for their targets: one poses as Polymarket tooling and two as small text utilities:
redeem-onchain-sdk@1.0.7 - Masquerades as "Polymarket on-chain allowance and redemption utilities"
nicegui@0.1.4 - Disguised as a text formatting utility
period-newline@0.1.0 - Nearly identical to nicegui, also claiming to be a text formatter
All three packages share identical attack infrastructure and use the same malicious payload delivery mechanism through NPM's postinstall hook, but crucially, they avoid the IOCs that security teams were hunting for after the Axios incident.
1. Entrypoint Analysis
Execution Method: Auto-executes immediately when the file is required/imported
Self-Destruction: First deletes itself (index5_test.js) and rewrites package.json to hide evidence
Obfuscation: Uses multi-layer string encoding (AES-256-CTR + XOR + Base64) to hide malicious strings
Naming camouflage: Uses innocent class names like MarketDataHandler to appear legitimate
2. Execution Flow
ENTRYPOINT: index5_test.js (auto-executing)
↓
CLEANUP: Delete self + overwrite package.json
↓
RECON: Collect system info (hostname, username, external IP)
↓
HARVEST: Steal sensitive config files
↓
ENCRYPT: AES-256-GCM encryption of stolen data
↓
EXFIL: TCP connection to C2 server
3. Network Communications
Primary C2 Server
IP Address: 18.208.244.120
Port: 9999
Protocol: Custom binary protocol over TCP
Encryption: AES-256-GCM with 32-byte static key
Secondary Connection
URL: https://api.ipify.org?format=json
Purpose: Discover external IP address of infected machine
Method: HTTPS GET request
4. Targeted Data
Credentials & Authentication Files
.env files (API keys, secrets, environment variables)
~/.aws/credentials (AWS access keys)
~/.ssh/id_rsa (SSH private keys)
~/.ssh/config (SSH configurations)
~/.npmrc (NPM registry credentials)
~/.netrc (Network authentication credentials)
Platform-Specific Targets
Windows: AppData/ssh/known_hosts and LocalAppData/Google/Chrome/User Data/Default/Login Data (browser saved passwords)
Docker: ~/.docker/config.json (registry authentication)
Temporary files: /tmp/session_temp.json
Development Activity Intelligence
Git commit history from the last month (git log --since="1 month ago" --format=oneline)
5. Technical Implementation
Obfuscation Scheme
Multi-layer string encryption: AES-256-CTR + custom XOR cipher + Base64 encoding
Dynamic string decoding: Proxy-based lazy decryption of obfuscated strings
Control flow obfuscation: State machine pattern to hide execution flow
Data Exfiltration Protocol
Encryption: AES-256-GCM with the static 32-byte key 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff (hard-coded in the payload, not negotiated or derived per victim)
Frame format: 4-byte length prefix + 12-byte IV + encrypted payload + 16-byte auth tag
Payload structure: JSON containing metrics and metadata
Transport: Raw TCP socket connection
Because the key is hard-coded and now public, any captured exfiltration traffic to the C2 can be decrypted offline to assess exactly what left a victim machine.
Anti-Analysis Features
Self-deletion to remove evidence
Minimal error logging to /tmp/.redeem_err.log
Timeout protection on network operations (5-second limit)
Graceful failure handling to avoid detection
6. Visual Attack Flow
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ ENTRYPOINT │ -> │ CLEANUP │ -> │ RECON │
│ index5_test.js │ │ Delete self + │ │ hostname, user │
│ (auto-execute) │ │ clean pkg.json │ │ external IP │
└─────────────────┘ └─────────────────┘ └─────────────────┘
| | |
v v v
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ HARVEST │ -> │ ENCRYPT │ -> │ EXFIL │
│ .env, .ssh/, │ │ AES-256-GCM │ │ 18.208.244.120 │
│ .aws/, .npmrc │ │ JSON payload │ │ Port 9999 (TCP) │
│ git activity │ │ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
7. IOCs
Network Indicators
18.208.244.120:9999 - Primary C2 server
api.ipify.org - IP discovery service (a legitimate public service, so a weak indicator on its own)
TCP connections to port 9999
File System Indicators
/tmp/.redeem_err.log - Error log file
index5_test.js - Malicious payload (self-deletes)
package.json rewritten with minimal content after the payload runs
Behavioral Indicators
Unauthorized access to credential files
Git command execution for reconnaissance
Outbound encrypted TCP traffic to non-standard ports
File deletion and package.json modification
8. Deobfuscation Results
The malware uses a multi-layer obfuscation scheme that our deobfuscator identified as:
NiceGUI Multi-layer Obfuscation (98% confidence)
UNC1069 Multi-layer XOR Obfuscation (98% confidence)
Key obfuscated strings include:
C2 server IP: MTguMjA4LjI0NC4xMjA= (base64 of 18.208.244.120)
Port: OTk5OQ== (base64 of 9999)
File paths encoded with base64
Encryption keys split and concatenated
Indicators of Compromise (IOCs)
Original Axios Campaign (March 2026)
npm/axios@1.14.1
npm/axios@0.30.4
npm/plain-crypto-js@4.2.0 (preparation release)
npm/plain-crypto-js@4.2.1 (malicious dependency injected by the backdoored axios versions)
sfrclak[.]com (C2 domain)
142.11.206.73:8000 (C2 infrastructure)
Secondary Campaign (April-May 2026) - NEWLY DISCOVERED
npm/redeem-onchain-sdk@1.0.7
npm/nicegui@0.1.4
npm/period-newline@0.1.0
18.208.244.120:9999 (C2 infrastructure)
File Indicators (Secondary Campaign)
dist/index5_test.js (malicious payload in all packages)
.redeem_err.log (error logging file in temp directory)
Network Indicators (Secondary Campaign)
https://api.ipify.org?format=json (IP address reconnaissance; legitimate service, weak on its own)
TCP connection to 18.208.244.120:9999 (C2 communication)
Shared Cryptographic Evidence
XOR Key: OrDeR_7077 (IDENTICAL across both campaigns)
AES Key (Secondary): 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Cipher: AES-256-GCM for exfiltration, AES-256-CTR for string decryption
Attribution: Confirmed Axios Connection
The attribution to the original Axios threat actor rests on cryptographic and code-level evidence. The XOR decryption key OrDeR_7077 is a distinctive fingerprint linking these packages to the March 2026 Axios payload, and it appears alongside the same malware codebase, encryption schemes, and operational techniques. A single constant could in principle be copied by an imitator with access to the leaked Axios payload, which is why the assessment also weighs the identical collection targets, the shared obfuscation pipeline, and the timing of the first publication; taken together, these point to the same actor with high confidence.
Key Evidence Linking the Campaigns:
Identical XOR key: OrDeR_7077 used in both Axios and secondary packages
Same obfuscation patterns: Multi-layer AES + XOR decryption schemes
Identical payload structure: Same data collection targets and encryption methods
Strategic timing: Secondary infrastructure deployed within 18 hours of Axios containment
The choice to create both generic utility packages (nicegui, period-newline) and specific Polymarket tooling (redeem-onchain-sdk) suggests the threat actor expanded their targeting beyond the original Axios victims to include the crypto trading and prediction market ecosystem.
Remediation
Immediate Actions
Remove affected packages: npm uninstall redeem-onchain-sdk nicegui period-newline
Note that the payload runs at install time and then deletes itself, so uninstalling removes nothing that has already been stolen; treat any machine that installed these versions as compromised.
Audit installed packages: Review your package.json and package-lock.json files (and yarn.lock or pnpm-lock.yaml if you use them) for the three package names
Rotate credentials: Change any secrets that may have been exposed:
AWS access keys and secrets
SSH keys
NPM tokens
Docker registry credentials
Git repository access tokens
Browser-saved passwords (Chrome Login Data is among the harvested files)
Detection
Check your systems for signs of compromise:
# Look for the malicious payload in project trees and the home directory
# (the file deletes itself when it runs, so a hit usually means the hook never executed)
find . "$HOME" -name "index5_test.js" -type f 2>/dev/null
# Look for the three package names in manifests and lockfiles
grep -rlE 'redeem-onchain-sdk|nicegui|period-newline' --include=package.json --include=package-lock.json --include=yarn.lock --include=pnpm-lock.yaml . 2>/dev/null
# Check for the error log the payload writes
ls -la /tmp/.redeem_err.log 2>/dev/null
# Review current network connections to the C2 server (ss is the Linux alternative when netstat is missing)
netstat -an | grep 18.208.244.120
ss -tn 2>/dev/null | grep 18.208.244.120
Conclusion
This discovery fundamentally changes our understanding of the March 2026 Axios compromise. What appeared to be a contained 3-hour incident was actually the visible tip of a much larger, ongoing operation. The threat actor behind the Axios attack has been operating secondary infrastructure for nearly two months, quietly harvesting credentials from developers who believed they were safe after the initial IOCs were blocked.
The implications are severe:
The Axios attacker was more prepared and sophisticated than initially assessed
Current threat hunting efforts focused only on known Axios IOCs missed this active campaign
The shared cryptographic key and codebase tie these packages to the original Axios threat actor with high confidence
The attacker has successfully expanded beyond their original target scope to include crypto/DeFi developers
This represents one of the most persistent and well-orchestrated supply chain attacks observed in the NPM ecosystem. Organizations that implemented blocking rules for the known Axios IOCs should immediately extend their protection to include the secondary campaign indicators.
The fact that these packages remained undetected for two months demonstrates the critical importance of cryptographic analysis and behavioral detection methods that go beyond simple IOC matching.
If you encounter similar packages or suspicious activity, please report them to OpenSourceMalware.com.
Stay vigilant - this threat actor has proven they play the long game.