
Strobes VI Now Tracks Supply Chain Attacks, Ransomware Groups, and Threat Actors
On March 31, 2026, a North Korean state actor hijacked one of the most widely used JavaScript packages in the world and turned it into a weapon. Axios, with over 100 million weekly downloads, was compromised for roughly three hours. That was enough. The poisoned versions silently installed a cross-platform remote access trojan on every system that ran npm install during the attack window. No CVE existed. No vulnerability scanner had a signature for it. The malware self-destructed after execution, wiping its own traces from node_modules.
The Axios incident was not an isolated event. It was the latest in an accelerating pattern: supply chain attacks doubled in 2025, global losses reached $60 billion, and open-source malware detections surged 73% year-over-year. The organizations that weathered these storms were not the ones with the most scanners. They were the ones with continuous visibility into the threat actors, malicious packages, and ransomware groups targeting their ecosystem.
That is exactly why Strobes has expanded Strobes Vulnerability Intelligence (VI) with three new modules: a Supply Chain Incidents Database, a Threat Actors Database, and a Ransomware Groups Tracker. This is not another feed to monitor. It is an intelligence layer designed to power proactive exposure management.
The Axios Attack: Anatomy of a Supply Chain Zero-Day
Understanding why this upgrade matters requires understanding what happened with Axios, because it exposed every weakness in the traditional security model.
The attack began when the threat actor, attributed to Sapphire Sleet by Microsoft and UNC1069 by Google Threat Intelligence Group, compromised the npm account of the primary Axios maintainer. They changed the registered email to a Proton Mail address under their control and used a stolen long-lived npm access token to publish directly to the registry, completely bypassing the project's GitHub Actions CI/CD pipeline.
Within a 39-minute window, two poisoned versions went live: axios@1.14.1 and axios@0.30.4. Both were tagged as latest and legacy respectively, meaning any fresh npm install would pull the compromised code by default. The malicious versions introduced a single new dependency, plain-crypto-js@4.2.1, which contained an obfuscated Node.js dropper that executed automatically via npm's postinstall hook. No user interaction required.
The dropper checked the operating system and downloaded platform-specific payloads from a command and control server at sfrclak[.]com:8000. Windows, macOS, and Linux were all targeted with dedicated RAT implants sharing an identical C2 protocol and command structure. After execution, the malware deleted itself and replaced its own package.json with a clean version to evade forensic detection.
The malicious packages were live for approximately two hours and fifty-four minutes before npm removed them. Given Axios's download velocity, particularly during peak development hours in the Asia-Pacific region, that window was sufficient for potentially tens of thousands of compromised installations.
This was not an opportunistic attack. As our technical breakdown of the Axios compromise detailed, the malicious dependency was staged 18 hours in advance, three separate payloads were pre-built for three operating systems, and every artifact was designed to self-destruct. The SANS Institute noted that this attack may be connected to the broader TeamPCP campaign, which compromised the Trivy vulnerability scanner, the KICS infrastructure-as-code scanner, and the LiteLLM AI proxy library on PyPI in the weeks preceding it.
The Numbers: Supply Chain Attacks Are No Longer Edge Cases
The Axios incident was dramatic, but it was not exceptional. The data from 2025-2026 makes the scale of the problem unmistakable.

Supply chain attacks doubled year-over-year in 2025, according to research from IBM X-Force and the Cipher x63 Unit. Global losses reached $60 billion. The IBM 2026 X-Force Threat Intelligence Index reported that large supply chain and third-party compromises nearly quadrupled since 2020, with vulnerability exploitation becoming the leading cause of attacks at 40% of all observed incidents.
The open-source ecosystem took a particularly severe hit. ReversingLabs' 2026 Software Supply Chain Security Report documented 877,522 malicious packages detected across open-source repositories, with malware up 73% compared to the prior year. The Cipher x63 Unit found that 22.5% of all security breaches recorded in 2025 involved third parties or vendors, twice the proportion seen in 2024.
Perhaps the most alarming statistic: organizations take an average of 254 days to detect and contain a breach originating in the supply chain. The average cost per incident reached 4.33 million euros. These are not numbers that can be addressed with quarterly scans and periodic penetration tests.
Ransomware compounded the problem. Cyble recorded 6,604 ransomware attacks in 2025, a 52% increase from 2024. Active ransomware groups surged 49% year-over-year, according to IBM, as smaller operators leveraged leaked tooling and AI to lower barriers to entry. The ecosystem fragmented, making signature-only threat tracking increasingly unreliable.
Why Visibility Into Threats Is Now a Prerequisite
Here is the reality most security programs still have not internalized: when the Axios attack dropped, traditional vulnerability scanners were useless. There was no CVE. There was no signature. The malicious code arrived through a trusted channel and self-destructed before detection. A vulnerability scanner would have reported a clean bill of health on a system actively exfiltrating credentials to a North Korean C2 server.
The organizations that responded effectively were the ones that had three things in place: real-time awareness of supply chain incidents as they were disclosed, knowledge of which threat actors were targeting their industry and technology stack, and the ability to rapidly assess their exposure across the entire environment. That is not vulnerability management. That is exposure assessment, and it requires a fundamentally different approach to threat intelligence.
Most organizations today consume threat intelligence as a separate feed, disconnected from their asset inventory, their dependency graph, and their remediation workflows. They may know that a supply chain attack occurred, but they cannot answer the question that matters: are we affected, and what do we do about it? That gap is what Strobes VI is designed to close.
Three New Modules on Strobes VI
Strobes has added three new intelligence capabilities to the Vulnerability Intelligence portal. Each is designed not just as a reference database, but as an operational input into the Continuous Threat Exposure Management (CTEM) workflow.
Supply Chain Incidents Database
The Supply Chain Incidents Database tracks 224,487 incidents across seven package ecosystems: npm, PyPI, RubyGems, Go, crates.io, NuGet, and Packagist. Every incident includes the attack type (malware, backdoor, typosquat, dependency confusion), indicators of compromise with full SHA256 hashes, associated domains and IP addresses, and a timeline of discovery and remediation.
The Axios incident (MAL-2026-2307), for example, is catalogued with its complete IOC set: the two SHA256 hashes for the malicious packages, the C2 domain sfrclak[.]com, and the C2 IP address 142.11.206[.]73. Security teams can search by ecosystem, attack type, or date range to identify incidents affecting their specific technology stack.

This is the same pattern we documented when a single phishing email compromised 18 npm packages affecting billions of installs. The supply chain attack surface is vast, and having a searchable, continuously updated database of incidents is a baseline requirement for any organization running open-source software.
Threat Actors Database
The Threat Actors Database tracks 1,251 threat actors including APT groups, cybercriminal organizations, and state-sponsored entities. Each entry includes known aliases, country attribution, associated campaigns, and the vulnerabilities they are known to exploit.
The Axios attack, for instance, was attributed to UNC1069 (a financially motivated North Korean group active since at least 2018) and Sapphire Sleet (Microsoft's designation for the same cluster). Understanding that this actor has a history of targeting developer tooling and cryptocurrency infrastructure changes the risk calculus for organizations in those sectors. It transforms a supply chain incident from a generic alert into a targeted threat that demands a specific response.
With the IBM X-Force 2026 report documenting a 49% surge in active ransomware and extortion groups, the ability to track which actors are operating in your industry and geography is no longer a luxury reserved for organizations with dedicated threat intelligence teams.

Ransomware Groups Tracker
The Ransomware Groups Tracker monitors active ransomware operations including victim data, tactics, techniques, and operational patterns. In 2025, Qilin emerged as the dominant ransomware group, claiming 17% of all victims. The manufacturing sector was the most heavily targeted, accounting for 29% of attacks, followed by technology and retail.
For security leaders conducting ransomware readiness assessments, this tracker provides the operational context that generic threat feeds lack: which groups are actively targeting your sector, what access methods they prefer, and how their operations are evolving. The trend toward brand mutation and rapid rebranding, as documented by Cyble's tracking of groups like Nova/RALord, makes continuous monitoring essential for maintaining an accurate threat picture.
From Intelligence to Action: Proactive Agents for Threat Exposure
Databases and dashboards are necessary, but they are not sufficient. The real shift is in how this intelligence gets operationalized.
When the Axios compromise broke, our team demonstrated what this looks like in practice. As detailed in our post on how Strobes AI handled the Axios incident, the platform went from initial alert to a complete incident response report in under 30 minutes. That report included 12 novel findings that went beyond any public advisory, remediation tasks assigned to the right teams, and a full blast radius map across every affected repository. No manual dependency graph analysis. No spreadsheet triage.
This is the operational model that exposure assessment enables, and it is where Strobes is headed next. We are building proactive agents that continuously scan entire ecosystems for threat exposures rather than running periodic vulnerability scans that miss the threats that matter most. When the next Axios-scale incident drops, the system will map the blast radius, identify affected assets, assign remediation tasks, and generate incident response reports autonomously.
This is not incremental improvement over vulnerability scanning. It is a fundamental change in the operating model for security teams. Instead of reacting to CVEs after they are published (which, in the case of supply chain attacks, may be days or weeks after initial compromise), proactive agents monitor the threat landscape continuously and trigger exposure assessments the moment a new supply chain incident, threat actor campaign, or ransomware operation is identified.
The cybersecurity trends for 2026 point in one direction: attacks are getting faster, broader, and harder to contain after initial access. The only defensible response is to move from periodic assessment to continuous monitoring and automated response.
Key Takeaways for Security Leaders
The Axios attack and the broader supply chain threat landscape demand concrete action, not just awareness. Here is what security leaders should prioritize:
Pin your dependencies. Floating version ranges like ^1.14.0 are how supply chain attacks propagate. Use exact pins, commit your lockfiles, and run npm ci instead of npm install in CI/CD pipelines. A seven-day cooldown policy on new package versions would have prevented eight out of ten major 2025 supply chain attacks.
Maintain a current SBOM. You cannot assess exposure to a supply chain compromise if you do not know what software your organization depends on. CycloneDX and SPDX are both mature standards. Organizations with maintained SBOMs identified their exposure to incidents like Log4Shell in minutes instead of days.
Integrate threat intelligence into your CTEM workflow. Supply chain incidents, threat actor campaigns, and ransomware operations should feed directly into your exposure management process, not sit in a separate dashboard. The new modules on Strobes VI are designed for exactly this integration.
Move beyond vulnerability scanning to exposure assessment. When there is no CVE, no signature, and the malicious code self-destructs after execution, the only way to determine impact is to map the blast radius against your actual dependency graph and attack surface. This is the fundamental difference between vulnerability management and exposure assessment.
Track the actors, not just the vulnerabilities. Knowing that Sapphire Sleet targets developer tooling and cryptocurrency infrastructure changes your defensive posture in ways that a CVSS score never will. The Threat Actors Database on Strobes VI gives every security team access to this context.
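One way to turn the pinning, cooldown and blast-radius points above into a check that runs in CI, as an added example that is neither Strobes' nor the Axios project's code: a Node.js script that audits a package-lock.json against the compromised versions named in this post and a seven-day cooldown, and reports which top-level dependencies pull each flagged package in. The lockfile, the package names my-http-client and left-pad, the publish dates and the clock value are constructed for the example; in real use the publish times come from the registry's per-version metadata.

```javascript
// Added example, not Strobes' or the Axios project's code. Audits an npm package-lock.json
// (lockfileVersion 3 layout) for versions on a known-compromised list and for versions
// younger than a cooldown window, then maps each hit to the top-level dependencies that
// pull it in. Lockfile, publish dates and the "now" value are constructed for the example.
const KNOWN_BAD = new Set(['axios@1.14.1', 'axios@0.30.4', 'plain-crypto-js@4.2.1']);
const COOLDOWN_DAYS = 7;
// Constructed stand-in for the registry's per-version publish times.
const PUBLISHED = {
  'axios@1.14.1': '2026-03-31T00:00:00Z',
  'plain-crypto-js@4.2.1': '2026-03-30T06:00:00Z',
  'my-http-client@2.0.0': '2026-03-28T00:00:00Z',
  'left-pad@1.3.0': '2018-04-01T00:00:00Z',
};
// Constructed lockfile: root -> my-http-client -> axios -> plain-crypto-js.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'my-http-client': '^2.0.0', 'left-pad': '^1.3.0' } },
    'node_modules/my-http-client': { version: '2.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
// "node_modules/a/node_modules/b" -> "b": nested installs keep the last path segment.
const nameOf = (key) => key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);

function auditLockfile(lock, published, nowIso) {
  const now = Date.parse(nowIso);
  const versions = {}; // package name -> installed version
  const graph = {};    // package name -> names it depends on ('' is the root project)
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = key === '' ? '' : nameOf(key);
    if (key !== '') versions[name] = entry.version;
    graph[name] = Object.keys(entry.dependencies || {});
  }
  // Every dependency chain from the root project down to `target` (cycles are cut).
  const pathsTo = (target, node = '', trail = []) => node === target ? [trail.join(' > ')]
    : (graph[node] || []).flatMap((d) => (trail.includes(d) ? [] : pathsTo(target, d, [...trail, d])));
  const findings = [];
  for (const [name, version] of Object.entries(versions)) {
    const id = `${name}@${version}`;
    const reasons = [];
    if (KNOWN_BAD.has(id)) reasons.push('known-compromised');
    // Unknown publish time is treated as old here; a stricter policy could flag it instead.
    const ageDays = published[id] ? (now - Date.parse(published[id])) / 86400000 : Infinity;
    if (ageDays < COOLDOWN_DAYS) reasons.push('cooldown');
    if (reasons.length) findings.push({ package: id, reasons, paths: pathsTo(name) });
  }
  return findings;
}
```

Run with `auditLockfile(LOCKFILE, PUBLISHED, '2026-04-01T12:00:00Z')`: my-http-client is flagged on cooldown alone, while axios@1.14.1 and plain-crypto-js@4.2.1 are flagged as known-compromised and the paths show they enter only through my-http-client.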
The supply chain is now the primary attack surface for modern organizations. The tools and intelligence to defend it need to match the speed and sophistication of the attacks. Strobes VI's new modules are a step in that direction, and the proactive agents we are building will take it further. Because the next Axios-scale incident is not a matter of if, but when.