Full Report
Recent supply chain attacks have highlighted an urgent need for organizations to shift from a reactive security posture to a preemptive exposure management strategy. Learn why endpoint detection and response tools don’t have you covered when highly privileged developer credentials get exposed.Key takeaways:Recent supply chain attacks are emblematic of an insidious new trend in cybercrime: Threat actors are increasingly using supply chain attacks to harvest highly privileged developer credentials and create a “Developer Credential Economy,” a lucrative black market for API keys, secrets, and cloud access tokens. Relying on execution-layer detection, such as EDR, is insufficient against supply chain threats because these tools lack visibility into the ephemeral CI/CD environments where credential theft and weaponization actually occur. Neutralizing the systemic infrastructure risk created by the Developer Credential Economy requires a continuous threat exposure management (CTEM) approach to proactively identify and eliminate exposure conditions, such as long-lived access tokens, before an attacker can exploit them.BackgroundThe convergence of the Anthropic Claude Code source leak and the Sapphire Sleet (UNC1069) Axios compromise has collapsed the boundary between traditional malware and systemic infrastructure risk. Our analysis of the exposure intelligence data reveals that the cluster of supply chain attacks observed in March 2026 should not be viewed as disparate incidents; rather, they signify the new operational reality of a high-velocity “Developer Credential Economy,” a black market for highly privileged developer credentials.In this new reality, attackers are no longer just hacking software supply chains; they’re systematically using supply chain attacks to harvest the very keys to the kingdom from the tools security teams trust most.The myth of the EDR singularityMicrosoft and Google have independently attributed the recent Axios compromise to a North Korean state actor. Industry narratives have framed the compromise, which backdoored an npm-managed JavaScript library package with 100 million weekly downloads, as a victory for endpoint detection and response (EDR). The logic seems simple: EDR caught and stopped the payload at execution, therefore EDR is the solution.This is a dangerous miscalculation. The concept of an EDR singularity, where Endpoint Detection and Response (EDR) solutions become so comprehensive, intelligent, and autonomous that they negate the need for virtually all other security tools and human intervention at the endpoint is a powerful and seductive myth dominating the current security landscape. This narrative suggests that, through advancements in machine learning, behavioral analytics, and automated response capabilities, a single, all-encompassing EDR platform will eventually unify and solve the bulk of security challenges.Relying on EDR to stop a supply chain attack is like relying on a smoke detector while storing open canisters of gasoline in your kitchen. Our analysis shows that by the time an EDR agent fires on the WAVESHAPER.V2 RAT, the true damage — the exposure — has already occurred. This demonstrates the urgent need for organizations to shift from a reactive to a preemptive cybersecurity posture.EDR is reactive: It monitors execution, not the conditions that allow it. It cannot see the misconfigured GitHub Action or the over-privileged npm token that enabled the compromise in the first place.The coverage gap: EDR has zero visibility into the ephemeral CI/CD runners and build environments where these credentials are stolen. In the Developer Credential Economy, the theft happens where the agents aren't.The fail-deadly speed: In the Axios campaign, the malware was designed to exfiltrate secrets and self-destruct within seconds; typically faster than an EDR alert can be triaged by a human analyst.EDR evasion is not theoretical: EDR evasion is an active, industrialized capability. Threat actors routinely bypass kernel-level EDR through bring your own vulnerable driver (BYOVD) attacks, where adversaries load legitimately signed but vulnerable kernel drivers to disable or blind EDR agents.Targeting analysis: Mapping the credential generation layerAdversaries are increasingly compromising and weaponizing critical chokepoint tools used by developers and security teams, like the Axios npm package and the KICS IaC scanner. This trend, which involves moving upstream in the development lifecycle, reveals a distinct division of labor within this emerging threat economy. Actor / GroupOperational focusPrimary targetVertical ImpactTeamPCPGeneration layer: Bulk credential harvesting via tool exploitationTrivy, LiteLLM, KICS (Security/Dev tools)Global SaaS & AI infrastructureSapphire SleetWeaponization layer: State-sponsored exfiltration and revenue generationAxios, npm ecosystemFintech, Crypto, GovernmentGlassWormOpportunistic layer: High-volume automated theftVSCode extensions, OpenVSXBlockchain & Web3Actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners, and unpinned dependencies, to force organizations into a reactive posture.Exposure intelligence: The shift to CTEMTo escape this pattern, defenders must shift from merely reacting to malware to adopting continuous threat exposure management (CTEM) as a preemptive strategy.While AI companies market their frontier models as security tools, the recent leak of 512,000 lines of Claude source code demonstrates that AI is just another asset with its own massive exposure profile.A mature CTEM program, powered by exposure intelligence, focuses on the preemptive actions that actually reduce risk:Phase 1: Hardening (The Kill Switch): Organizations must audit lockfiles and kill lifecycle hooks (--ignore-scripts) immediately. This eliminates the postinstall vector that Sapphire Sleet used to deploy WAVESHAPER.V2.Phase 2: Human/Identity defense: We must eliminate long-lived tokens. The Axios compromise succeeded because a single stolen token bypassed every security control. Transitioning to short-lived, OIDC-based automation is an exposure management requirement, not a nice-to-have.Phase 3: Counter-recon: Use Tenable One to map your full attack surface, including the CI/CD pipelines and cloud-native build stages that EDR cannot reach.The bottom lineThe Axios and Anthropic events are a wake-up call for the C-suite. Theoretical severity and reactive detection (EDR) are insufficient against an adversary that has industrialized the theft of developer identities.Exposure management should be your first and primary line of defense. By identifying and remediating the exposure conditions that supply chain attacks depend on, we can stop the payload before it ever reaches the endpoint.Get more informationRead the Tenable Research Special Operations Advisory on the Axios npm CompromiseAccelerate your preemptive security with Tenable’s agentic engine, Hexa AIExplore Tenable One for Exposure ManagementJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Tool/Technique: WAVESHAPER.V2 (Supply Chain Credential Exfiltration)
## Overview
WAVESHAPER.V2 is a Remote Access Trojan (RAT) utilized in supply chain attacks to facilitate high-velocity credential theft. It is primarily deployed through compromised developer tools and ecosystem packages (such as npm) to harvest highly privileged secrets, API keys, and cloud access tokens from build environments.
## Technical Details
- **Type:** Malware (Remote Access Trojan)
- **Platform:** Cross-platform (observed in JavaScript/npm ecosystems and CI/CD environments)
- **Capabilities:** Secret exfiltration, self-destruction, EDR evasion, and infrastructure compromise.
- **First Seen:** Observed in active campaigns as of March 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0006 - Credential Access]**
- [T1552 - Unsecured Credentials]
- **[TA0007 - Discovery]**
- [T1083 - File and Directory Discovery]
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
- **[TA0005 - Defense Evasion]**
- [T1070 - Indicator Removal on Host]
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
## Functionality
### Core Capabilities
- **Credential Harvesting:** Specifically designed to target and exfiltrate highly privileged developer credentials, API keys, and OIDC tokens.
- **Rapid Exfiltration:** Optimized for speed to exfiltrate data before human analysts can triage EDR alerts.
- **Lifecycle Hook Exploitation:** Leverages npm `postinstall` scripts to execute automatically upon package installation.
### Advanced Features
- **Ephemeral Operation:** Designed to self-destruct within seconds of execution to minimize the footprint on the host system.
- **EDR Evasion:** Employs "Bring Your Own Vulnerable Driver" (BYOVD) techniques to blind or disable kernel-level endpoint security agents.
- **CI/CD Targeting:** Operates within ephemeral CI/CD runners where traditional security agents (EDR) are often absent or lack sufficient visibility.
## Indicators of Compromise
- **File Names:** Frequently hidden within `node_modules` or distributed as part of the `Axios` npm package (specifically versions compromised in March 2026).
- **Network Indicators:** Communication with suspected North Korean (DPRK) infrastructure [C2 domains defanged].
- **Behavioral Indicators:**
- Execution of unexpected shell scripts during `npm install`.
- Rapid outbound network connections immediately following package installation.
- Presence of legitimately signed but known vulnerable kernel drivers (BYOVD).
## Associated Threat Actors
- **Sapphire Sleet (UNC1069):** A North Korean state-sponsored actor focused on revenue generation and exfiltration.
- **TeamPCP:** Focused on the "Generation Layer" and bulk credential harvesting.
- **GlassWorm:** Involved in opportunistic, high-volume automated theft.
## Detection Methods
- **Behavioral Detection:** Monitoring for unauthorized execution of `postinstall` scripts or unexpected network activity from CI/CD runners.
- **Audit Logs:** Reviewing GitHub Actions logs and npm audit logs for unpinned dependencies or unauthorized token usage.
- **Code Integrity:** Utilizing SCA (Software Composition Analysis) to detect backdoored versions of popular libraries like Axios.
## Mitigation Strategies
- **Kill Lifecycle Hooks:** Use the `--ignore-scripts` flag during npm installations to prevent the execution of malicious post-install payloads.
- **Identity Hardening:** Replace long-lived developer tokens with short-lived, OIDC-based (OpenID Connect) authentication for CI/CD pipelines.
- **Dependency Pinning:** Audit and pin all sub-dependencies in lockfiles to prevent the automatic ingestion of compromised upstream packages.
- **Continuous Threat Exposure Management (CTEM):** Shift to a proactive posture that identifies over-privileged credentials and misconfigured pipelines before exploitation.
## Related Tools/Techniques
- **BYOVD (Bring Your Own Vulnerable Driver):** Technique used to neutralize endpoint defenses.
- **Developer Credential Economy:** The broader market for stolen API keys and secrets.
- **Chokepoint Tool Weaponization:** Targeting tools like Trivy, LiteLLM, and KICS to harvest credentials at the source.