Sources
Axios npm Supply Chain Attack: North Korea's Sapphire Sleet Compromises 100M-Weekly-Download Package with Cross-Platform RAT
On March 31, a compromised npm maintainer account published backdoored Axios versions (1.14.1 and 0.30.4) injecting plain-crypto-js, a fake dependency whose postinstall hook silently dropped platform-specific RAT implants on macOS, Windows, and Linux. Microsoft attributed the attack to North Korean state actor Sapphire Sleet; Google independently attributed it to UNC1069. The malicious packages were live for 2-3 hours before npm removed them — safe versions are 1.14.0 and 0.30.3. Fireship's video on the attack hit 564K views in 24 hours, signaling massive developer awareness.
↳ Follow the thread