IOC Radar
TLP:WHITE
6 IOCs

From Axios NPM Supply Chain Attack to Tracking DPRK’s BlueNoroff

Source: DCSO CyTec Blog
Published April 2, 2026 (Original Report)

Diamond Model

Social axis:
  Adversary: unknown
  Victim: unknown
Technology axis:
  Infrastructure (6): 23.254.167.216, http://sfrclak.com:80…, http://sfrclak.com
  Capability: unknown

Attack Flow (7 steps · MITRE ATT&CK mapped)

Step 1/7: Initial Access (TA0001 · T1195 Supply Chain Compromise)
Action: Compromise Axios NPM package
A malicious version of the widely used NPM package 'Axios' was published, containing a postinstall script that executes on installation without user interaction.


Indicators of Compromise (6)

Type  Indicator                        Tags                               Confidence  Score  First Seen
IP    23.254.167.216                   intel-blog, malware, network       High        58     Jun 2, 26
URL   http://sfrclak.com:8000/6202033  intel-blog, network, supply-chain  High        58     Jun 2, 26
URL   http://sfrclak.com               intel-blog, malware, network       High        58     Jun 2, 26
IP    142.11.206.73                    intel-blog, malware, network       High        58     Jun 2, 26
IP    23.254.203.244                   indicator, intel-blog, network     High        58     Jun 2, 26
URL   http://sfrclak.com:8000          intel-blog, network, supply-chain  High        58     Jun 2, 26

IOC Relationship Graph

6 total IOCs: 3 IP, 3 URL, all linked to this report.