TL;DR

On March 31, 2026, the Axios npm package was compromised in a supply chain attack attributed to North Korean state actor Sapphire Sleet. Microsoft Defender flagged related activity as medium severity at multiple Dropzone customers, but it didn't classify the alerts as malicious. Dropzone's AI agents investigated every one of those alerts, confirmed the threat as Malicious Urgent, and escalated before human analysts could triage.

You're running a SOC. It's early morning, and your console is filling up with alerts from the weekend. Somewhere in the stack, Microsoft Defender has flagged something as medium severity. Not critical. Not malicious. Just suspicious.

You've got dozens of alerts ahead of it. This one doesn't look urgent. It goes in the queue.

That's exactly what happened when the Axios npm package got compromised. And at multiple Dropzone customers, AI agents caught it before anyone had time to triage.

What Was the Axios Supply Chain Attack?

Axios is one of the most widely used JavaScript libraries for making HTTP requests, with over 83 million weekly downloads on npm.

On March 31, 2026, an attacker compromised the package in three steps, all within 39 minutes:

  1. Stole the credentials of a primary Axios maintainer
  2. Changed the account's registered email to a Proton Mail address under their control
  3. Published two backdoored versions (1.14.1 and 0.30.4) to npm

The malicious versions didn't modify Axios's own code. Instead, they injected a hidden dependency called plain-crypto-js that ran a postinstall script the moment npm install finished. No user interaction required.

That script downloaded a cross-platform Remote Access Trojan (RAT) tailored to the victim's operating system:

  • Windows: A PowerShell-based RAT fetched and executed via a renamed copy of PowerShell
  • macOS: A compiled C++ binary with significant overlap with WAVESHAPER, a backdoor attributed to North Korean-linked threat cluster UNC1069
  • Linux: A Python RAT script executed via nohup for persistence

All three variants shared the same command-and-control (C2) protocol: system fingerprinting, 60-second command beaconing, arbitrary command execution, and file enumeration. The C2 server sat at sfrclak[.]com on port 8000.

Microsoft attributed the attack to Sapphire Sleet, a North Korean state actor. It was the most impactful npm supply chain attack since the ua-parser-js compromise in 2021, and a reminder that any dependency in your build pipeline is a potential attack surface.

The malicious versions were live for approximately three hours before npm pulled them. Three hours sounds like a small window. But for any organization that pulled the compromised version in that window, the RAT deployed immediately.

How Did Dropzone AI Surface the Axios Supply Chain Attack?

Microsoft Defender's detections fired. Across multiple Dropzone customer environments, alerts appeared identifying medium severity activity associated with an emerging threat actor. Microsoft was still working to provide additional context about the actor. The alerts weren't classified as malicious. They were flagged as medium severity.

Here's the problem: "medium severity" isn't "malicious." In a SOC processing hundreds of alerts, medium gets queued behind critical and high. It doesn't jump the line. It certainly doesn't get investigated first, especially outside business hours.

Dropzone's AI agents don't work that way. They don't triage by severity label. They investigate every alert with the same depth:

  • Query across the integrated security stack
  • Trace the full activity chain
  • Build an evidence trail with every finding documented
  • Deliver a verdict backed by the investigation

When the agents investigated these Defender alerts, they didn't stop at the severity classification. Here's what the full investigation looked like:

  1. Started with a Defender alert labeled medium severity
  2. Pulled endpoint telemetry and found a renamed PowerShell process running with a hidden window
  3. Traced the execution chain back to an npm postinstall script that shouldn't have been there
  4. Checked the destination URL against threat intelligence feeds and found multiple vendors had already flagged the domain as malicious
  5. Correlated the signals and confirmed suspicious behavior tied to known malicious infrastructure, upgrading the verdict to Malicious Urgent

Each step built on the last, the same way a senior analyst would work through it, but completing the investigation in minutes instead of hours. That's a correlation that detections and analytics alone can't make. It requires a deeper investigation.
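The five steps above, sketched as an added example; it is not Dropzone's or Microsoft's code. The event field names, the sample events, and every verdict label other than "Malicious Urgent" are constructed assumptions.

```javascript
// Added example. Field names and sample events are constructed, not a vendor schema.
const refang = (d) => d.replace(/\[\.\]/g, ".");
const FLAGGED = new Set([refang("sfrclak[.]com")]); // C2 domain named in the article

const sampleEvents = {
  processes: [
    { pid: 100, ppid: 1, image: "node.exe", originalName: "node.exe", cmd: "npm install" },
    { pid: 110, ppid: 100, image: "node.exe", originalName: "node.exe",
      cmd: "node postinstall-constructed.js" },
    { pid: 120, ppid: 110, image: "renamed-copy.exe", originalName: "PowerShell.EXE",
      cmd: "renamed-copy.exe -WindowStyle Hidden -File constructed.ps1" },
    { pid: 200, ppid: 1, image: "powershell.exe", originalName: "PowerShell.EXE",
      cmd: "powershell.exe -File backup.ps1" },
  ],
  connections: [{ pid: 120, host: refang("sfrclak[.]com"), port: 8000 }],
};

function investigate(alert, events) {
  const byPid = new Map(events.processes.map((p) => [p.pid, p]));
  const proc = byPid.get(alert.pid);
  if (!proc) return { verdict: "Inconclusive", vendorSeverity: alert.severity, evidence: [] };
  const evidence = [];
  // Step 2: PE metadata says PowerShell, the file on disk is named something else.
  const isPs = (s) => /^powershell\.exe$/i.test(s);
  const renamed = isPs(proc.originalName) && !isPs(proc.image);
  if (renamed) evidence.push("renamed PowerShell");
  if (/-w[a-z]*\s+hidden/i.test(proc.cmd)) evidence.push("hidden window");
  // Step 3: walk parent processes (bounded, in case of pid reuse loops) looking for npm.
  let fromNpm = false;
  for (let cur = proc, hops = 0; cur && hops < 16; cur = byPid.get(cur.ppid), hops++) {
    if (/\bnpm(\.cmd)?\s+(install|i|ci)\b/i.test(cur.cmd)) { fromNpm = true; break; }
  }
  if (fromNpm) evidence.push("descends from npm install");
  // Step 4: compare destinations against the threat-intel set.
  const flagged = events.connections.some(
    (c) => c.pid === proc.pid && FLAGGED.has(c.host.toLowerCase()));
  if (flagged) evidence.push("connection to flagged domain");
  // Step 5: the vendor severity is carried as input; the evidence sets the verdict.
  const verdict = renamed && fromNpm && flagged ? "Malicious Urgent"
    : evidence.length > 0 ? "Suspicious" : "Benign";
  return { verdict, vendorSeverity: alert.severity, evidence };
}

console.log(investigate({ pid: 120, severity: "medium" }, sampleEvents));
```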

This happened across multiple Dropzone customer environments. Same attack. Same detection gap where the alert severity didn't reflect the true threat. Same exposure by AI agents that don't sleep, don't deprioritize, and don't skip an alert because the queue is full.

What happens when a "medium" alert gets deprioritized?

It sits. Hours pass. Maybe a shift change happens. Maybe it gets bulk-closed during triage because the team is underwater.

Meanwhile, the Axios RAT was beaconing to its C2 server every 60 seconds. That interval wasn't idle. Each check-in gave the attacker the ability to run arbitrary commands, enumerate files, and map the compromised system.

Within the first few minutes, the RAT had already fingerprinted the operating system, user privileges, and network environment. Within the first hour, an attacker could have moved laterally, harvested credentials stored in environment variables or configuration files, and established secondary persistence that would survive the initial RAT being removed.

The alert was detected on time. The gap between "detected" and "investigated" is where real attacks live.

Why Does Every Alert Need a Full Investigation?

Security tools detect and classify based on signatures and known patterns. They're good at it. Microsoft Defender did its job: it saw the suspicious activity and fired an alert.

But detection and investigation are different problems.

  • Detection asks: "Is something happening?"
  • Investigation asks: "What's happening, how severe is it, and what do we do about it?"

A software supply chain attack is specifically designed to break the severity-label model. It arrives through trusted channels. A package your developers installed last month just updated, the way it does every month.

Nothing about the delivery mechanism looks unusual. The malicious payload hides behind a legitimate dependency name, runs during a normal install process, and establishes persistence before any detection tool has a signature for it.

That's why initial severity classifications miss these attacks. The detection layer sees individual signals. Something suspicious happened. A script executed. A network connection fired.

But no single signal screams "critical" on its own. The full picture only emerges when you investigate, when you trace the chain from the initial trigger through every subsequent action and correlate against known threat intelligence.

The Axios attack proved the point. A brand-new supply chain compromise through a trusted package doesn't trigger a "critical" label on day one. The only way to identify it is to investigate regardless of the label.

How does investigation change the outcome?

When AI agents run the full investigation regardless of classification, the severity label becomes an input, not a verdict. The investigation determines the real priority.

The organizations that caught the Axios compromise fastest weren't the ones with the best detection. They were the ones where every alert, regardless of how it was initially classified, got the same thorough investigation.

Key Takeaways

  • Severity labels aren't verdicts. Microsoft Defender classified the Axios activity as medium severity. Dropzone's AI agents investigated and confirmed it was malicious.
  • Supply chain attacks exploit trust. The Axios compromise weaponized a package with 83 million weekly downloads. No user interaction required for the RAT to deploy.
  • Investigation closes the gap detection opens. Detection tells you something happened. Investigation tells you what, how bad, and what to do next.
  • AI agents don't skip the queue. A "medium severity" alert gets the same investigation depth as a "critical" one.
  • Point products can't keep up alone. Threats evolve faster than signatures. You need something that investigates across your full security stack the way an analyst would, 24/7.
  • Speed matters. The Axios RAT beaconed every 60 seconds. Hours of queue time aren't neutral. They're exposure.


Frequently Asked Questions

What was the Axios supply chain attack?

On March 31, 2026, an attacker compromised the npm account of an Axios maintainer and published two backdoored versions (1.14.1 and 0.30.4). These versions installed a hidden dependency that deployed a cross-platform RAT. Microsoft attributed the attack to Sapphire Sleet, a North Korean state actor. The malicious packages were live for approximately three hours before removal.

How did Dropzone AI surface the Axios attack?

Dropzone's AI agents investigated Microsoft Defender alerts classified as medium severity at multiple customer environments. The agents traced endpoint telemetry to a stealthy PowerShell execution connecting to infrastructure already flagged as malicious by multiple vendors. That correlation between suspicious behavior and confirmed malicious infrastructure led to a Malicious Urgent verdict, escalating the alerts before human analysts could triage.

What is a supply chain attack in cybersecurity?

A supply chain attack compromises a trusted software component, like an open-source library or vendor update, to reach downstream users. Attackers exploit trust relationships so that victims install malicious code through normal workflows. A single compromised package can affect millions of organizations, as the Axios attack demonstrated with its 83 million weekly downloads.

How can AI improve supply chain attack prioritization?

AI agents run full investigations regardless of initial severity classification. Traditional SOC workflows depend on human analysts to triage and prioritize, which means lower-severity alerts can sit uninvestigated for hours. AI agents close that gap by treating every alert with the same rigor, surfacing threats that might otherwise sit in the queue during a busy shift.

What should you do if you installed Axios 1.14.1 or 0.30.4?

Downgrade immediately to Axios 1.14.0 or 0.30.3. Rotate all credentials that were accessible on affected systems, including npm tokens, cloud access keys, API tokens, SSH keys, and database passwords. Audit CI/CD pipelines for exposure and block egress traffic to the C2 domain sfrclak[.]com. Treat compromised systems as fully breached.
Ethan Packard
Technical Marketing Engineer

Technical marketing leader with 10+ years across SOC operations, SOAR, SIEM, and AI-driven security platforms. Proven ability to translate deep hands-on expertise into demos, technical content, enablement assets, and competitive narratives that accelerate sales, influence product direction, and resonate with security practitioners. Background spans startup → acquisition → the leading cybersecurity companies with direct ownership of demos, videos, POC guides, and field-facing content for enterprise and mid-market buyers.
