{
  "campaign": "axios",
  "cve": "CVE-2026-34841",
  "network": {
    "c2_domains": [
      {"value": "sfrclak.com", "context": "Primary C2", "incident": "axios"},
      {"value": "callnrwise.com", "context": "Secondary C2 (Unit 42)", "incident": "axios"}
    ],
    "c2_ips": [
      {"value": "142.11.206.73", "context": "sfrclak.com - Hostwinds LLC (AS54290), Seattle", "incident": "axios"},
      {"value": "142.11.196.73", "context": "Additional C2 IP (Antiy)", "incident": "axios"},
      {"value": "142.11.199.73", "context": "Additional C2 IP (Antiy)", "incident": "axios"}
    ],
    "c2_urls": [
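      {"value": "http://sfrclak[.]com:8000/", "context": "Payload fetch endpoint (value is defanged with [.], unlike the other domain entries in this file; refang before automated matching)", "incident": "axios"}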
    ]
  },
  "hashes": {
    "npm_packages": [
      {"value": "2553649f2322049666871cea80a5d0d6adc700ca", "context": "axios@1.14.1 (SHA-1)", "incident": "axios"},
      {"value": "d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71", "context": "axios@0.30.4 (SHA-1)", "incident": "axios"},
      {"value": "07d889e2dadce6f3910dcbc253317d28ca61c766", "context": "plain-crypto-js@4.2.1 (SHA-1)", "incident": "axios"}
    ],
    "affected_packages": [
      {"value": "@shadanai/openclaw@2026.3.31-1", "context": "Secondary victim - vendored plain-crypto-js (Socket)", "incident": "axios"},
      {"value": "@shadanai/openclaw@2026.3.31-2", "context": "Secondary victim - vendored plain-crypto-js (Socket)", "incident": "axios"},
      {"value": "@qqbrowser/openclaw-qbot@0.0.130", "context": "Secondary victim - shipped tampered axios@1.14.1 in node_modules (Socket)", "incident": "axios"}
    ],
    "tarballs": [
      {"value": "5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd", "context": "axios-1.14.1.tgz (SHA-256)", "incident": "axios"},
      {"value": "59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f", "context": "axios-0.30.4.tgz (SHA-256)", "incident": "axios"}
    ],
    "malware_files": [
      {"value": "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09", "context": "plain-crypto-js/setup.js (SHA-256)", "incident": "axios"},
      {"value": "7658962ae060a222c0058cd4e979bfa1", "context": "setup.js (MD5) - Trojan/JS.OrDeR (Antiy)", "incident": "axios"},
      {"value": "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd", "context": "system.bat script (SHA-256)", "incident": "axios"},
      {"value": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c", "context": "6202033 script (SHA-256)", "incident": "axios"},
      {"value": "04e3073b3cd5c5bfcde6f575ecf6e8c1", "context": "Windows PS backdoor (MD5) - Trojan/PowerShell.OrDeR (Antiy)", "incident": "axios"},
      {"value": "9663665850cdd8fe12e30a671e5c4e6f", "context": "Linux Python backdoor (MD5) - Trojan/Python.OrDeR (Antiy)", "incident": "axios"},
      {"value": "7a9ddef00f69477b96252ca234fcbeeb", "context": "macOS Mach-O backdoor (MD5) - Trojan/MacOS.OrDeR (Antiy)", "incident": "axios"}
    ],
    "rat_binaries": [
      {"value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101", "context": "RAT - Windows (SHA-256)", "incident": "axios"},
      {"value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a", "context": "RAT - macOS (SHA-256)", "incident": "axios"},
      {"value": "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf", "context": "RAT - Linux (SHA-256)", "incident": "axios"}
    ]
  },
  "github": {
    "advisories": [
      {"value": "GHSA-fw8c-xr5c-95f9", "context": "GitHub Security Advisory", "incident": "axios"}
    ],
    "compromised_accounts": [
      {"value": "jasonsaayman (npm)", "context": "Axios maintainer - email changed to ifstap@proton.me", "incident": "axios"}
    ],
    "attacker_accounts": [
      {"value": "nrwise (npm)", "context": "nrwise@proton.me - plain-crypto-js author", "incident": "axios"},
      {"value": "ifstap@proton.me", "context": "Attacker email on compromised jasonsaayman", "incident": "axios"}
    ]
  },
  "attribution": {
    "threat_actor": [
      {"value": "UNC1069", "context": "Google Threat Intelligence Group (GTIG) designation", "incident": "axios"},
      {"value": "Sapphire Sleet", "context": "Microsoft designation", "incident": "axios"},
      {"value": "BlueNoroff", "context": "Alias (CryptoCore, STARDUST CHOLLIMA)", "incident": "axios"}
    ],
    "malware_family": [
      {"value": "WAVESHAPER.V2", "context": "Google Threat Intelligence Group (GTIG) classification", "incident": "axios"},
      {"value": "OrDeR", "context": "Antiy classification (from XOR key OrDeR_7077)", "incident": "axios"}
    ],
    "motivation": [
      {"value": "Cryptocurrency wallet theft", "context": "Microsoft assessment", "incident": "axios"}
    ],
    "nation_state": [
      {"value": "DPRK (North Korea)", "context": "Confirmed by Google Threat Intelligence Group (GTIG), Microsoft", "incident": "axios"}
    ]
  },
  "malware": {
    "obfuscation": [
      {"value": "OrDeR_7077", "context": "XOR + Base64 key", "incident": "axios"},
      {"value": "6202033", "context": "Beacon identifier", "incident": "axios"}
    ],
    "file_paths": [
      {"value": "%PROGRAMDATA%\\wt.exe", "context": "Windows - renamed PowerShell", "incident": "axios"},
      {"value": "%PROGRAMDATA%\\system.bat", "context": "Windows - persistence script", "incident": "axios"},
      {"value": "%TEMP%\\6202033.vbs", "context": "Windows - VBScript dropper", "incident": "axios"},
      {"value": "%TEMP%\\6202033.ps1", "context": "Windows - PowerShell payload", "incident": "axios"},
      {"value": "/Library/Caches/com.apple.act.mond", "context": "macOS - persistent binary", "incident": "axios"},
      {"value": "/tmp/ld.py", "context": "Linux - Python payload", "incident": "axios"}
    ],
    "registry_keys": [
      {"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftUpdate", "context": "Persistence via system.bat", "incident": "axios"}
    ],
    "user_agents": [
      {"value": "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)", "context": "Legacy IE 8 / Windows XP user-agent in beacon (value is stored lowercased; match case-insensitively)", "incident": "axios"}
    ],
    "c2_protocol": [
      {"value": "POST packages.npm.org/product0", "context": "macOS payload request", "incident": "axios"},
      {"value": "POST packages.npm.org/product1", "context": "Windows payload request", "incident": "axios"},
      {"value": "POST packages.npm.org/product2", "context": "Linux payload request", "incident": "axios"}
    ],
    "cdns_affected": [
      {"value": "unpkg.com", "context": "Serving the malicious version as the default", "incident": "axios"},
      {"value": "cdn.jsdelivr.net", "context": "Available (not default)", "incident": "axios"},
      {"value": "esm.sh", "context": "Available", "incident": "axios"},
      {"value": "cdn.skypack.dev", "context": "Available", "incident": "axios"}
    ]
  },
  "copycat": {
    "c2_domains": [
      {"value": "admondtamang.com.np", "context": "Attacker-controlled domain", "incident": "mgc"}
    ],
    "c2_ips": [
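      {"value": "104.21.96.101", "context": "admondtamang.com.np - Cloudflare (shared CDN edge IP; low-fidelity on its own, correlate with the domain)", "incident": "mgc"},
      {"value": "172.67.176.148", "context": "admondtamang.com.np - Cloudflare (shared CDN edge IP; low-fidelity on its own, correlate with the domain)", "incident": "mgc"}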
    ],
    "c2_urls": [
      {"value": "gist.githubusercontent.com/admondtamang/814132e794e5d007e9b8ebd223a9494f", "context": "Gist-hosted payload", "incident": "mgc"}
    ],
    "npm_packages": [
      {"value": "1cb6db6774a20d425d3d01f1374042921d94d662", "context": "mgc@1.2.4 (SHA-1)", "incident": "mgc"}
    ],
    "tarballs": [
      {"value": "40aa5d412a50db79a814ac5ad65237745727cb4777843d66a760f64285a5a3e6", "context": "mgc-1.2.4.tgz (SHA-256)", "incident": "mgc"}
    ],
    "malware_files": [
      {"value": "ff7adbc7e1984eb326e58944a44fb35a023ccaf1e31309c27cea65ad866a7751", "context": "mgc/bin/setup.cjs (SHA-256)", "incident": "mgc"},
      {"value": "cb5d0c4d6c9ec9e21c91a457a3239cd15c78f0c7668e422701cf44ceb6a3f8fd", "context": "gist/setup.js (SHA-256)", "incident": "mgc"}
    ],
    "attacker_accounts": [
      {"value": "admondtamang (GitHub ID: 22430270)", "context": "Believed to be attacker's own account", "incident": "mgc"},
      {"value": "admond (npm)", "context": "admondtamang@gmail.com", "incident": "mgc"}
    ],
    "malicious_commits": [
      {"value": "92d93d39ac6dbdbebff9ed4be980fb48f9e2b056", "context": "admondtamang/module-generate-cli", "incident": "mgc"}
    ],
    "gists": [
      {"value": "814132e794e5d007e9b8ebd223a9494f", "context": "admondtamang - payload host", "incident": "mgc"}
    ]
  }
}
