Securing the Supply Chain: How SentinelOne®’s AI EDR Stops the Axios Attack Autonomously
ID: c1b3d37c-5b59-5d0f-a309-3de5eafe2883
STIX ID: report--c1b3d37c-5b59-5d0f-a309-3de5eafe2883
Feed Name: SentinelOne Blog
On March 31, 2026, a DPRK-linked actor (UNC1069 / Sapphire Sleet) compromised the npm maintainer credentials for Axios and published two backdoored releases. The tampered releases pulled in a malicious dependency, plain-crypto-js, which installed the cross-platform RAT WAVESHAPER.V2. The report estimates roughly 600,000 downloads during the approximately three-hour window before the releases were pulled. It provides IOCs (the domain sfrclak.com, the IP address 142.11.206.73, file paths and email addresses), detection telemetry, SentinelOne-specific containment and hunting playbooks, and remediation steps: rotate credentials, revoke legacy npm tokens, pin dependencies, enable Live Security Updates, and extend EDR coverage to developer and CI environments.
