On March 30, someone published a clean package to npm. It contained the real crypto-js source code, no funny business. Its sole purpose was to look legitimate.
Eighteen hours later, the same account published a version with a different goal.
The attack on Axios, the popular JavaScript HTTP client with 100 million weekly npm downloads, was not opportunistic. According to Google's Threat Intelligence Group (GTIG), the operation was staged with the patience of a professional team. UNC1069 — a North Korea-nexus threat actor active since at least 2018 — first published plain-crypto-js@4.2.0, a clean copy of the legitimate library, to establish npm publishing history. Then, at 23:59 UTC on March 30, it published version 4.2.1: the same code with a post-install hook that dropped a remote access trojan (RAT).
Socket flagged the malicious package within six minutes. By the time axios versions 1.14.1 and 0.30.4 appeared on npm — published by the attacker using a compromised maintainer account — the security community was already tracking the call signatures.
The RAT beacons to a command-and-control domain, sfrclak.com, every 60 seconds using a User-Agent string that is a tell: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0). The cipher stack compounds the oddity. The payload uses XOR with a key derived from OrDeR_7077 combined with a constant — 333 — followed by reversed Base64 encoding. According to Wiz, the RAT was observed executing in approximately 3 percent of affected environments.
What makes this operation distinctive is not the malware — RATs delivered via npm packages are not new — but the operational discipline. The attacker bypassed the GitHub Actions OIDC workflow Axios uses for legitimate releases. Instead of authenticating through the automated CI/CD pipeline, they published directly via npm CLI using a long-lived access token. OIDC-based trusted publishing, the mechanism npm has been pushing as the solution to exactly this class of attack, was bypassed because the token it was meant to replace had outlived its usefulness as a security boundary.
The maintainer, when notified, discovered a problem: they could not revoke the attacker's access. As Socket reported, the attacker "permissions exceed their own." The maintainer was locked out of their own package.
The OpenClaw ecosystem was in the blast radius
This is where the story hits my beat directly. Two packages with OpenClaw-adjacent names appeared in Wiz's IOC table alongside the Axios and plain-crypto-js entries: @shadanai/openclaw (versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, and 2026.3.31-2) and @qqbrowser/openclaw-qbot@0.0.130. Both distributed the same RAT, per Wiz. The latter package name is its own story: literally "qbot," a reference that requires no editorial interpretation.
These packages do not appear to be official OpenClaw project releases. Package name squatting — registering packages that look like legitimate projects to harvest downloads or inject code — is a known pattern in the npm ecosystem. The malware is identical to the Axios payload; whoever controlled these packages had access to the same RAT infrastructure UNC1069 used. StepSecurity's Harden-Runner — a CI security tool used by over 12,000 public repositories — detected the C2 callback to sfrclak.com:8000 during a routine CI run in the Backstage repository, which is what connected the dots across what might otherwise have been treated as isolated incidents.
Trusted publishing was not the fix
The Axios maintainer had, in fact, been thinking about this. An open issue on the Axios GitHub repository since September 2025 asked: "Would you consider adopting trusted publishing to help secure the npm ecosystem?" The question was unresolved when the attack happened.
Trusted publishing — where a package is published exclusively through an OIDC workflow tied to a GitHub Actions environment — is npm's recommended path for reducing token-based attack surface. It works when tokens don't exist to steal. The Axios attack illustrates its limits: the attacker didn't need to compromise the CI/CD pipeline. They compromised the human layer — the maintainer account — and used a token that should have been retired years ago.
Huntress documented the mechanism: "The attacker bypassed the normal GitHub Actions OIDC-based CI/CD publishing workflow by publishing directly via the npm CLI using a long-lived access token." The token predated the OIDC workflow. It remained valid because revoking it requires the maintainer to identify every system and CI job that uses it — a dependency mapping problem that is, ironically, exactly the class of problem agent infrastructure is supposed to help solve.
What WAVESHAPER.V2 means for the ecosystem
Google GTIG attributes the RAT to WAVESHAPER.V2, a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously linked to UNC1069. The npm delivery mechanism is new; the implant underneath is not. UNC1069 has been operating since at least 2018 and is financially motivated — the Lazarus Group's money pipeline is well-documented.
The Hacker News coverage included a framing worth taking seriously: "The Axios attack should be understood as a template, not a one-time event." The operational pattern — establish legitimacy, stage quietly, drop the payload — does not require deep technical sophistication. It requires patience and a maintainer account with outdated access patterns.
For the OpenClaw ecosystem, the @shadanai/openclaw and @qqbrowser/openclaw-qbot packages are the evidence that this template has already been copied. The same RAT infrastructure got repurposed: Wiz's IOC table lists both packages alongside the Axios and plain-crypto-js entries. The malware is identical. What is clear from public reporting is that npm's trust model depends on maintainer account hygiene that the platform has no visibility into and that the industry has no systematic way to audit.
The blast radius was 3 percent of affected environments, per Wiz. That number will be cited as evidence the attack failed. Three percent of 100 million weekly downloads is not a rounding error.
StepSecurity's AI Package Analyst flagged the compromise. Simon Willison's detailed technical breakdown — which confirmed the attack timeline, the cipher stack, and the @shadanai/openclaw connection — was published the same day. The speed of the technical community's response is the one reassuring thing in this story. So is the fact that the attacker pre-staged their operation over 18 hours and still got caught within minutes of the malicious publish.
The speed of detection does not fix the underlying problem.
