ESET APT Report: Sandworm's DynoWiper Hits Polish Energy, Lazarus Compromises Axios npm

ESET's October 2025 - March 2026 APT report names two findings defenders cannot ignore: a Polish energy company hit in December 2025 by a new wiper, DynoWiper, attributed to Sandworm with medium confidence, and the npm package axios compromised by attackers ESET ties to Lazarus.


Key Takeaways

  • ESET's APT Activity Report covering October 2025 through March 2026 attributes a December 2025 destructive incident at a Polish energy company with medium confidence to Sandworm and names the new wiper DynoWiper.
  • Within the same data window, ESET ties the end-of-March 2026 compromise of the npm package axios — a JavaScript HTTP client with roughly 100 million weekly downloads — to the Lazarus umbrella via maintainer-trust social engineering using a fake Slack workspace and impersonation of a company founder.
  • JavaScript ecosystem maintainers should audit pinned axios versions and treat inbound Slack-invite or founder-impersonation contact as known DPRK-aligned tradecraft; European critical-infrastructure energy defenders should re-baseline detections for Sandworm-family wipers using ESET's published DynoWiper indicators.

ESET's October 2025-March 2026 reporting window captures one data point that defines a category — developer trust is now a strategic, state-level target — and pairs it with a destructive incident in EU-NATO energy that says the older category, sabotage of critical infrastructure, has not been replaced.

BRATISLAVA, SLOVAKIA — ESET published its latest APT Activity Report covering the October 2025 through March 2026 data period, documenting state-aligned activity from China, North Korea, Russia, and Iran that, per ESET, tracked closely to each government's economic and security priorities.

Two findings carry the most defender weight: a December 2025 destructive incident at a Polish energy company, which ESET attributes with medium confidence to Sandworm using a new wiper named DynoWiper; and an end-of-March 2026 compromise of the npm package axios — a JavaScript HTTP client with roughly 100 million weekly downloads — by attackers ESET ties to the Lazarus umbrella, executed through a fake Slack workspace and impersonation of a company founder to gain the lead maintainer's trust.

Report Overview

  • Report: ESET APT Activity Report covering the October 2025 - March 2026 data period
  • Publisher: ESET, headquartered in Bratislava, Slovakia
  • State-aligned coverage: China, North Korea, Russia, and Iran — targeting tracks each government's economic and security priorities, per ESET
  • Sandworm finding: December 2025 destructive incident at a Polish energy company, attributed by ESET with medium confidence to Sandworm; new wiper named DynoWiper
  • Lazarus finding: End-of-March 2026 compromise of the npm package axios (~100 million weekly downloads), tied by ESET to the Lazarus umbrella
  • Lazarus tradecraft: Fake Slack workspace and impersonation of a company founder, used to gain the trust of axios's lead maintainer
  • Other themes: Drone-manufacturer targeting and oil-shipment intelligence collection as recurring geopolitical-priority themes across the period
  • Regional focus: Asia — governmental organizations, strategic industries, advanced technology sectors; Middle East — Israel as principal focus

What Happened

ESET's APT Activity Report for the October 2025 through March 2026 data window reads as a snapshot of state-aligned cyber activity calibrated to each sponsor's geopolitical agenda. Per ESET, China-, North Korea-, Russia-, and Iran-aligned operations tracked closely to each government's economic and security priorities during the period, with the company's telemetry repeatedly catching the same theme — targeting follows policy. The two findings that carry the most operational weight for defenders are a destructive incident in EU-NATO critical infrastructure and a developer-supply-chain compromise that converges with a campaign defenders saw taken down the same week.

In December 2025, ESET documented a destructive incident at a Polish energy company, which it attributes with medium confidence to Sandworm — the Russia-aligned actor associated with GRU Unit 74455 — and identifies a new wiper used in the operation, which it names DynoWiper. Then at the end of March 2026, ESET documented the compromise of the npm package axios, a JavaScript HTTP client whose roughly 100 million weekly downloads place it among the most-pulled libraries in the JavaScript ecosystem. ESET ties the operation to the Lazarus umbrella and describes the tradecraft in specific terms: the operator built a fake Slack workspace and impersonated a company founder to gain the trust of axios's lead maintainer.

DynoWiper and Polish Energy: Sandworm Has Not Stopped

The Polish energy incident is the kind of finding that, on its own, would be the lede of an ESET report. A destructive wiper deployed at a Western critical-infrastructure energy company in the middle of winter is, by any measure, a significant escalation event — and ESET's medium-confidence attribution to Sandworm restates a pattern Western defenders have been tracking since 2015. Sandworm has not been disrupted out of existence by sanctions, by indictments, or by the operational tempo of the war in Ukraine. The naming of DynoWiper as a new wiper family signals that the group is still investing in destructive-malware development, not coasting on existing tools. ESET's reporting also continues to document Sandworm activity inside Ukraine across the period, which gives the Polish incident a clear regional frame: it is part of a sustained Russia-aligned destructive program against EU-NATO critical infrastructure, of which the cyber dimension is one front. Defenders of European energy infrastructure should treat the DynoWiper finding as evidence that the threat model documented in earlier rounds of Russia-aligned APT activity — adversaries that align targeting to current geopolitics, with months-long lag at most — applies as much to wiper deployment as to espionage.

Axios and the Lazarus Maintainer Operation

The axios finding is the one that will, fairly, dominate coverage of this ESET report — and it deserves to. axios is among the most-downloaded HTTP clients in the JavaScript ecosystem, embedded as a transitive dependency in countless web applications, mobile back-ends, and CI/CD pipelines. ESET's description of the tradecraft is what elevates the finding from supply-chain risk to a developer-trust event: the operator did not exploit a vulnerability in the package or hijack a stolen credential. They built a fake Slack workspace and impersonated a company founder, then used those props to gain the trust of axios's lead maintainer. Trust is the attack surface. That places the operation alongside the cluster of developer-targeting campaigns The CyberSignal has tracked across 2026 — the Lazarus RemotePE memory-only RAT targeting finance and crypto, the Kimsuky PebbleDash LLM-developed malware campaign against defense-sector targets, the Trapdoor cross-ecosystem registry-poisoning campaign, and the node-ipc npm stealer hidden behind a dead maintainer's domain. The axios compromise is the highest-leverage instance to date of a recurring pattern: state-aligned operators are increasingly treating individual maintainers as the target.

The Same Week as the Glassworm Takedown

The axios finding lands the same week as a published takedown — the Glassworm botnet that CrowdStrike, Google, and Shadowserver dismantled by sinkholing its Solana-anchored command-and-control — and read together the two stories define a category. Glassworm was a Russia-aligned developer-targeting operation that defenders saw disrupted; the axios compromise is a freshly attributed DPRK-aligned developer-targeting operation that defenders saw exposed. The same fortnight that included the Shai-Hulud npm worm and its copycat clones has produced both a takedown and a fresh disclosure in the same threat category. The editorial conclusion is unavoidable: developer trust is the strategic target multiple states are now competing for. The takedown is welcome, and the fresh disclosure is what comes next.

Scope and Impact

The scope of the ESET report extends beyond the two headline findings. ESET documents continued geopolitical-priority targeting across Asia — where governmental organizations, strategic industries, and advanced technology sectors are the consistent China-aligned focus — and the Middle East, where ESET names Israel as the principal focus of activity in the period. Recurring cross-region themes include targeting of drone manufacturers and the collection of oil-shipment intelligence, both consistent with the report's framing that state-aligned operators are calibrated to their sponsors' economic and security agendas rather than acting on opportunism. Iran-aligned activity in ESET telemetry shifted over the period in ways the company correlates with broader regional dynamics, and ESET notes the data window captures only what its telemetry surfaces, not the full universe of state-aligned activity over six months.

Several specifics around the headline findings are not yet public. ESET's report identifies a December 2025 destructive incident at a Polish energy company but does not, in the publicly reported summaries available at the time of writing, name the affected company. The exact date the ESET PDF or WeLiveSecurity write-up was released — and the version ranges and indicators of compromise for DynoWiper — should be sourced directly from ESET's bulletin before defenders rely on them for hunting. On the axios side, whether the package's maintainers have publicly disclosed the compromise independently of ESET, whether CISA has added a related Known Exploited Vulnerabilities entry, and whether other JavaScript HTTP-client packages were targeted by the same operator have not been confirmed. The 'medium confidence' attribution language ESET uses on Sandworm/DynoWiper is the company's own characterization and should be carried through downstream reporting without escalation; the same applies to the Lazarus-umbrella framing on axios, which ESET describes as ties rather than as US-government-style attribution.

The framing that ties the report together — that 2026 state-aligned cyber activity is policy-driven and increasingly converges on developer trust as a target — is consistent with the categories The CyberSignal has tracked across the year. ESET's findings here are the operational evidence behind that thesis: a destructive wiper deployed in EU-NATO critical infrastructure, a maintainer-trust compromise against one of the JavaScript ecosystem's most depended-upon packages, and a recurring pattern of drone-manufacturer and oil-shipment targeting. None of the findings is fully self-contained in the report; each is a checkpoint in a longer campaign defenders should expect to continue past March 2026.

Response and Attribution

For JavaScript ecosystem maintainers and consumers, the immediate action is concrete. Audit your pinned axios versions against any ESET-published or maintainer-published indicators of compromise once available, prioritizing CI/CD-pinned versions and dependency-lock files updated in the sixty days preceding the end-of-March 2026 compromise window. Treat any inbound Slack-workspace invite or founder-impersonation contact targeting a maintainer or repository owner as a known DPRK-aligned tradecraft signal — the axios operation establishes the playbook publicly, and it should now be part of every JavaScript open-source maintainer's threat model. Open-source projects with small maintainer teams should formalize a verification step before accepting unsolicited high-trust contact from purported company founders or sponsors, particularly via newly created Slack workspaces.
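The audit step above is mechanical enough to script. The following is an added example, not code from ESET, the axios project, or The CyberSignal: it enumerates every axios copy pinned in an npm package-lock.json, including copies nested under other dependencies (the ones a quick `grep` of package.json misses), and flags any whose version appears in an indicator list. The affected-version set is a placeholder, because this page does not give the compromised version range; populate it from ESET's or the maintainers' published indicators. The lockfile contents below are constructed, and all version numbers and package names in them are invented.

```javascript
// Added example (not ESET's or the axios project's code): enumerate every
// axios version pinned in an npm lockfile, including copies nested under
// other dependencies, and flag the ones matching a published indicator list.
// Handles lockfileVersion 1 (nested "dependencies" tree) and 2/3 ("packages"
// map keyed by install path).

// Placeholder: populate from ESET's or the maintainers' published indicators.
// The compromised version range is not given on the page this accompanies.
const AFFECTED_VERSIONS = new Set(["0.0.0-REPLACE-WITH-PUBLISHED-INDICATORS"]);

// Derive the package name from a v2/v3 "packages" key such as
// "node_modules/foo/node_modules/axios" (scoped names keep their "@scope/").
function packageName(path, meta) {
  if (meta.name) return meta.name;
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i >= 0 ? path.slice(i + marker.length) : path;
}

function recordIfAxios(name, path, meta, affected, findings) {
  if (name !== "axios") return;
  findings.push({
    path,
    version: meta.version,
    resolved: meta.resolved || null,
    integrity: meta.integrity || null,
    affected: affected.has(meta.version),
  });
}

// lockfileVersion 1: each entry may carry its own nested "dependencies" tree.
function walkV1(deps, prefix, affected, findings) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    recordIfAxios(name, path, meta, affected, findings);
    if (meta.dependencies) {
      walkV1(meta.dependencies, `${path}/node_modules`, affected, findings);
    }
  }
}

// Returns one finding per installed axios copy, with its install path,
// resolved version, integrity hash (if recorded) and an "affected" flag.
function auditAxiosLock(lock, affected = AFFECTED_VERSIONS) {
  const findings = [];
  if (lock.packages && typeof lock.packages === "object") {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry, not a dependency
      recordIfAxios(packageName(path, meta), path, meta, affected, findings);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "node_modules", affected, findings);
  }
  return findings;
}

function summarize(findings) {
  return {
    copies: findings.length,
    versions: [...new Set(findings.map((f) => f.version))].sort(),
    affectedPaths: findings.filter((f) => f.affected).map((f) => f.path),
  };
}

// Constructed sample lockfile (lockfileVersion 3): a direct axios copy plus a
// second copy nested under a fictional SDK. Versions and hashes are invented.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.6.0", "example-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.6.0",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.6.0.tgz",
      integrity: "sha512-CONSTRUCTED-SAMPLE-HASH",
    },
    "node_modules/example-sdk": { version: "2.0.0", dependencies: { axios: "1.7.0" } },
    "node_modules/example-sdk/node_modules/axios": { version: "1.7.0", integrity: "sha512-CONSTRUCTED-SAMPLE-HASH-2" },
  },
};

// The same dependency tree expressed as lockfileVersion 1 (also constructed).
const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.6.0" },
    "example-sdk": { version: "2.0.0", dependencies: { axios: { version: "1.7.0" } } },
  },
};

// Stand-alone demonstration against the constructed samples, treating the
// invented version 1.7.0 as if it were on an indicator list.
console.log(JSON.stringify(summarize(auditAxiosLock(SAMPLE_LOCK_V3, new Set(["1.7.0"]))), null, 2));
console.log(JSON.stringify(summarize(auditAxiosLock(SAMPLE_LOCK_V1, new Set(["1.7.0"]))), null, 2));
```

To run it against a real repository, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditAxiosLock` with the published indicator set; the `integrity` field in each finding lets you compare the pinned tarball hash against the one the maintainers publish for the clean release, which catches a tampered artifact even when the version string itself looks normal. Running it across every lockfile committed in the sixty days before the compromise window, including those checked in by CI, gives the prioritized list the paragraph above calls for.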

For European critical-infrastructure defenders — especially energy — the action is to re-baseline detections for Sandworm-family wiper tradecraft using ESET's DynoWiper indicators once published. The December 2025 Polish energy incident is the kind of operational evidence that should refresh the assumption set: Sandworm continues to operate against EU-NATO critical infrastructure, is investing in new destructive tooling, and is not bounded by the war in Ukraine. National CERTs and ISAC equivalents should expect to receive — and should actively pull — ESET's indicators of compromise for DynoWiper as they are released, and energy-sector incident-response plans should be exercised against the wiper-deployment scenario rather than only the encryption-and-ransom scenario.

For CISOs broadly, the editorial counterpart framing matters. The axios compromise paired with the Glassworm takedown shows two things at once: that the takedown machinery is working in the developer-trust category, and that the underlying attacker pipeline is well-supplied. Treating either finding in isolation will understate the strategic shift. ESET's report should land on the desk as a single document with two operational takeaways — wiper readiness in critical infrastructure and developer-trust threat modeling in software supply chains — rather than as two separate items in a weekly threat brief.


The CyberSignal Analysis

Signal 01 — Developer Trust Is the Strategic Target Multiple States Are Competing For

The axios finding completes a picture that has been forming across 2026: state-aligned operators from at least two adversaries are now investing operational resources in the compromise of individual developers and maintainers as a route into widely deployed software. ESET's attribution of the axios compromise to the Lazarus umbrella, paired with the same week's Glassworm takedown of a Russia-aligned developer-targeting operation, makes the category undeniable. The defensive implication is structural — the most-downloaded JavaScript libraries are now critical infrastructure, and their maintainers are critical-infrastructure operators in everything but title. The threat model has to change accordingly: vendor-management programs that treat package consumption as low-touch procurement need to be retooled around the assumption that the upstream maintainer is, themselves, a credible target of state-level operations.

Signal 02 — Sandworm's DynoWiper Says the Critical-Infrastructure Front Is Still Active

It would be a mistake, in the noise around the axios finding, to under-weight the Polish energy incident. ESET's medium-confidence Sandworm attribution and the naming of DynoWiper as a new wiper family are the most operationally important pieces of EU-NATO critical-infrastructure intelligence in the report. The story defenders should not tell themselves is that supply-chain compromise has displaced destructive sabotage as the front to watch. ESET's data window shows both happening simultaneously, against different targets, by different state-aligned operators. For European energy defenders specifically, the lesson is that wiper-readiness must remain a current and exercised capability, not a 2022-era checklist item that has been declared closed.

Signal 03 — Read Through the Hedges, Not Around Them

ESET's language matters, and downstream coverage should preserve it. The Sandworm/DynoWiper attribution is explicitly characterized as medium confidence; the Lazarus link on axios is characterized as ties rather than as conclusive attribution. Those hedges are operationally useful, not weasel words — they tell defenders how much weight to put on the attribution when making downstream decisions, and they preserve room for the picture to refine as more evidence emerges. The temptation to escalate ESET's framing to US-government-style attribution in headlines should be resisted. The findings are strong enough to act on at the confidence ESET assigns them; they do not need to be inflated. Threat intelligence is most useful when its uncertainty is preserved through the editorial pipeline rather than discarded at the first translation.


Sources

  • Primary: ESET — APT Activity Report landing
  • Primary: ESET WeLiveSecurity — APT Activity Report Q4 2025 - Q1 2026
  • Primary: ESET — Sandworm attacks energy company in Poland with DynoWiper
  • Reporting: Help Net Security — Oil shipments, drone makers, and a poisoned code library
  • Reporting: Industrial Cyber — ESET APT report finds state-backed hackers escalate cyberattacks