Lumara in Action: How We Caught a Poisoned npm Package Before Any Rule Existed

Modern applications run on npm, the default package registry for JavaScript, where developers pull the open-source libraries that make up most of any modern app's code. axios is one of the most-downloaded packages on it: a JavaScript HTTP library fetched around 100 million times a week. It sits inside web apps, dashboards, mobile apps, and customer platforms across virtually every industry.

That ubiquity is what made axios attractive to threat actors.

On 31 March 2026, axios was compromised. Tampered versions sat live on the public registry for two to three hours, and every routine install during that window walked past the firewall.

If your organisation builds or runs software, you almost certainly have axios somewhere in your stack.

A Stolen Token Poisoned axios

A North Korean state-sponsored group tracked as UNC1069 / Sapphire Sleet didn't need to find a vulnerability in anyone's application. They just needed to compromise something those applications already trusted.

The group obtained a lead maintainer's long-lived npm classic token, the single credential needed to publish, and used it to push tampered versions of axios (1.14.1 and 0.30.4) to the public registry. It looked like a routine update. The only difference was a hidden new dependency, plain-crypto-js, which carried the payload.

When a developer ran npm install, a file called setup.js executed through npm's standard install hooks, with no prompt and no approval. It detected the operating system and downloaded a Remote Access Trojan built for macOS, Windows, or Linux. Once active, the RAT ran ps -eo user,pid,command, dumping the full process table.

That one command handed over a detailed map of the environment:

• User accounts. Usernames, elevated processes, and service accounts.

• Running software. IDEs, Docker, VPNs, security agents, and cloud tooling.

• Internal network. Hostnames, IP addresses, and URLs embedded in command arguments.

• Secrets and tokens. API keys, GitHub tokens, and credentials passed as command-line flags.

• Dev stack intel. Node.js, Python, and framework versions.

• Cloud infrastructure. AWS CLI, kubectl, and terraform commands that reveal how the environment is wired.

All of it went to a command-and-control server. The malware then replaced its own files with clean decoys, leaving nothing for a manual audit to find.

The goal was reconnaissance, groundwork for a larger, more targeted campaign.

Hunting Caught It in Two Hours

Our SOC detected this through proactive, AI-assisted threat hunting. When the advisories started circulating on 31 March, SOC analyst Jordan Swebeck went looking before any detection rule existed, and well before any customer raised a ticket.

The hunt focused on two indicators across our customer base: the compromised axios versions (1.14.1 and 0.30.4), and the malicious dependency plain-crypto-js, which has no legitimate reason to appear in any install. On one endpoint, a developer's MacBook, both were present.

Finding the package was the first signal. Confirming the RAT was active came from a process chain in our SentinelOne telemetry: a process disguised as a macOS system service, com.apple.act.mond, spawning a shell command, sh -c ps -eo user,pid,command. That's the RAT's enumeration beacon, harvesting the full process table. Data had already been sent to the attacker's command-and-control server. The endpoint was isolated and the customer was on the phone within minutes.

The malicious package was removed and the command-and-control domain was blocked at the firewall. Keys and tokens on the affected machine were rotated. A clean disk scan confirmed no persistence and no lateral movement. The endpoint was reconnected. The entire incident was closed in under two hours.

What Most Teams Don't See Coming

The customer's experience of the same event was different. By the time the phone rang, we had already found it and contained it. Until that call, none of it had been visible to them. That blind spot is what most organisations underestimate.

The blind spot starts in the dependency tree. A developer installs axios because they need an HTTP client. They're not thinking that axios pulls in its own dependencies, or that those dependencies can change between versions without review. Most organisations have no visibility into what gets installed when a developer runs npm install on a laptop. There's no approval process, no review gate. It just happens.

When we called the customer's Head of IT, it was the first they'd heard of any of it. They didn't know about the vulnerable version or the malicious dependency, and they certainly didn't know a RAT had already run and exfiltrated system information from the machine. The malware had even cleaned up after itself, replacing its own files with clean copies to avoid detection. Without that morning's hunt, the compromise would likely have stayed unnoticed until the attacker chose to use the access.

A compromise like this arrives pre-installed inside a package your team trusted months ago. Your firewall has no reason to block a routine install, and your endpoint tooling has no reason to flag one. The difference between this and a full breach came down to one thing: someone was actively looking.

As attacks go, this one was blunt. A more patient attacker would have used the same reconnaissance to map the environment quietly over weeks, then moved laterally with stolen credentials once they understood the ground. The next supply chain compromise might not be so loud.

For any organisation running npm or similar package managers, four controls make the most difference:

• Lockfiles and pinned versions. Dependencies pinned to an exact version through a lockfile don't inherit a poisoned update by accident. Automatic resolution to "latest" in production is where that door stays open.

• Install-script controls. npm's preinstall and postinstall hooks are the exact mechanism the attacker used to deploy the RAT. Environments that disable these hooks by default close off that path.

• Verified package provenance. Critical dependencies that ship with signed, verified builds give defenders a reason to trust them. A new version that can't prove where it came from deserves suspicion.

• Short-lived credentials. This entire attack was enabled by a single long-lived npm classic token. Tokens and API keys that expire quickly and rotate on a schedule limit what any one compromise can unlock.

These controls help. Even with all of them in place, no team has the hours to manually review every dependency update across every project. That is what live detection is for.

Live Detection Is the Difference

Standing up an in-house Security Operations Centre that can spot a supply chain compromise in real time is out of reach for most Australian businesses. Lumara gives you that capability without standing up the team yourself.

Our SOC runs continuous threat hunting and AI-assisted detection across your environment, identifying compromised packages and anomalous endpoint behaviour before an attacker can use what they've found. When we caught the axios compromise on a client endpoint, the customer heard from us by phone within minutes, containment already underway.

If a poisoned package was installed in your environment this morning, would you actually know? If you're not confident in the answer, contact our team to see what Lumara can do for your business.