
The DNS Anatomy of the Axios Supply Chain Attack

GTIG uncovered a UN1069 attack targeting the popular NPM package axios on 31 March 2026. They published their in-depth analysis of the threat on 1 April 2026 and in it named three IoCs.

Two other reports on the attack identified IoCs as well. Elastic Security Labs disclosed two on 1 April 2026 and GitHub listed 16 on 31 March 2026.

After removing duplicates, extracting the parent domains from the subdomains, and filtering out legitimate domains with the help of the WhoisXML API MCP Server, we ended up with 22 IoCs for our analysis: five subdomains, seven domains, and 10 IP addresses.
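The normalisation step described above (refang, deduplicate, separate IP addresses from hostnames, derive each subdomain's parent domain, drop domains already vetted as legitimate) as an added example in Python. This is not WhoisXML API's own tooling: the input list is constructed from the indicators quoted in this post plus one duplicate in URL form and one benign domain, and MULTI_LABEL_SUFFIXES and KNOWN_GOOD are assumed stand-ins for the Public Suffix List and an analyst allow-list.

```python
"""Normalise a mixed list of defanged IoCs into IPs, domains and subdomains.

Added example, not WhoisXML API's own tooling. The input list is
constructed from the indicators quoted in this post plus a duplicate and a
benign domain to exercise the filters; MULTI_LABEL_SUFFIXES and KNOWN_GOOD
are assumed stand-ins for the Public Suffix List and an analyst allow-list.
"""
import ipaddress
import re

# Constructed sample input (indicators named in this post, one duplicate in
# URL form, one benign domain that should be filtered out).
SAMPLE_IOCS = [
    "cloud[.]dnx[.]capital",
    "crypto[.]hondchain[.]com",
    "deck[.]31ventures[.]info",
    "docsend[.]linkpc[.]net",
    "webhostwatto[.]work[.]gd",
    "starbucls[.]xyz",
    "hxxps://deck[.]31ventures[.]info/",  # duplicate once refanged
    "23[.]254[.]128[.]114",
    "registry[.]npmjs[.]org",  # legitimate, dropped by the allow-list
]

# Assumption: a tiny stand-in for the Public Suffix List. Suffixes listed
# here are two labels long (co.uk, not uk); anything else is treated as a
# one-label TLD. A real tool should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Assumption: parent domains an analyst has already vetted as benign.
KNOWN_GOOD = {"npmjs.org"}


def refang(ioc: str) -> str:
    """Undo common defanging ([.] and (.) for '.', hxxp for http); keep only the host."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^(hxxp|http)s?://", "", s)
    host = s.split("/", 1)[0]
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the label directly above the public suffix (the 'domain' for a subdomain IoC)."""
    labels = host.split(".")
    suffix_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return host  # bare suffix, nothing registrable above it
    return ".".join(labels[-(suffix_len + 1):])


def classify(ioc: str) -> tuple[str, str]:
    """Return (kind, refanged value) with kind in {'ip', 'domain', 'subdomain'}."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    kind = "domain" if registrable_domain(value) == value else "subdomain"
    return kind, value


def triage(iocs: list[str]) -> dict[str, list[str]]:
    """Dedupe, split by kind, derive each subdomain's parent domain, drop allow-listed parents."""
    ips: set[str] = set()
    domains: set[str] = set()
    subdomains: set[str] = set()
    for raw in iocs:
        kind, value = classify(raw)
        if kind == "ip":
            ips.add(value)
            continue
        parent = registrable_domain(value)
        if parent in KNOWN_GOOD:
            continue  # legitimate infrastructure, not an indicator
        domains.add(parent)
        if kind == "subdomain":
            subdomains.add(value)
    return {"ips": sorted(ips), "domains": sorted(domains), "subdomains": sorted(subdomains)}


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_IOCS).items():
        print(f"{kind} ({len(values)}): {', '.join(values)}")
```

On the sample input this yields one IP, five subdomains and six parent domains (work[.]gd and linkpc[.]net among them, because both services hand out subdomains to anyone and are therefore the registrable name above the public suffix). The one-label-TLD default is the part to replace in practice: without the full Public Suffix List, a host such as victim.co.uk would be reduced to co.uk.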

Our DNS deep dive into the Axios supply chain attack IoCs led to these discoveries:

  • 16 unique client IP addresses that communicated with two of the domain IoCs
  • Two domain IoCs appeared in two typosquatting groups with five to 12 members each
  • One domain IoC likely registered with malicious intent 651 days before being confirmed as malicious
  • 32 distinct IP addresses potentially owned by victims that communicated with seven of the IP IoCs
  • 676 email-connected domains
  • Two additional IP addresses, both confirmed as malicious
  • 58 IP-connected domains, four of which were confirmed as malicious
  • 1,034 string-connected domains, one of which was confirmed as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Studying the Subdomains Singled Out as Axios Supply Chain Attack IoCs

We kicked our investigation off by looking more closely at five subdomain IoCs and documented our findings below.

SUBDOMAIN IoC | WXA MCP SERVER FINDING
cloud[.]dnx[.]capital | Lacks DNS records, WHOIS data, or web presence, which are red flags, especially if used in a financial context in emails, messages, or ads
crypto[.]hondchain[.]com | Has all the hallmarks of a fraudulent or inactive phishing or scam site
deck[.]31ventures[.]info | Almost certainly impersonating the legitimate 31VENTURES venture capital firm; combined with its recent registration and full WHOIS privacy, a textbook setup for phishing or an investment fraud scheme
docsend[.]linkpc[.]net | Follows a textbook phishing domain construction: a fake docsend subdomain on a free, anonymous dynamic DNS service known for abuse
webhostwatto[.]work[.]gd | Not connected to a legitimate business operation, currently inactive, and built from a fabricated name on a free, anonymous subdomain service

Overall, it is advisable not to click any links containing the five subdomains above as they could be tied to financially motivated or other scams.

Deep Diving into the Domains Disclosed as Axios Supply Chain Attack IoCs

Next, we looked further into the seven domain IoCs.

Sample network traffic data from the IASC revealed that 16 unique client IP addresses under six distinct ASNs communicated with two domain IoCs via 3,025 DNS queries between 31 January and 1 April 2026.

According to our Typosquatting API findings, meanwhile, two domain IoCs appeared in two groups with five to 12 members each, created between 20 March 2023 and 1 September 2025.

Take a look at more details about the typosquatting domains below.

DOMAIN IoC | GROUP NUMBER | GROUP MEMBER NUMBER | GROUP MEMBERS | CREATION DATE
31ventures[.]info | 1 | 5 | adventures[.]capetown, h4ventures[.]dev, ad-venture1[.]pl, adventure[.]capetown, 31ventures[.]info | 08/29/25–09/01/25
starbucls[.]xyz | 1 | 12 | starbucls[.]makeup, starbucls[.]autos, starbucls[.]ink, starbucls[.]guru, starbucls[.]quest, starbucls[.]today, starbucls[.]cyou, starbucls[.]xyz, starbucls[.]life, starbucls[.]top, starbucls[.]icu, starbucls[.]homes | 03/20/23

Based on the results of our First Watch Malicious Domains Data Feed queries, on the other hand, the domain IoC dnx[.]capital was likely registered with malicious intent 651 days before GitHub listed it as an IoC on 31 March 2026.

Next, we queried the domain IoCs on WHOIS API and filled in missing details using Domain Info API. We discovered that:

  • They were created between 18 June 2022 and 30 March 2026.
  • They were administered by five registrars.
  • They were registered in two countries.

Finally, we queried the domain IoCs on DNS Chronicle API and learned that they recorded 913 historical domain-to-IP resolutions over time. Here are more details for three examples.

DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN
work[.]gd | 803 | 08/26/17–03/23/26
31ventures[.]info | 51 | 06/06/22–03/16/26
dnx[.]capital | 42 | 11/07/22–05/28/25

In addition, all three domains above may have been reregistered: their earliest historical domain-to-IP resolutions predate the creation dates in their current WHOIS records, so the current registrant is not necessarily the one who held the name when those older resolutions were recorded.
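The re-registration check just described (earliest passive-DNS observation versus current WHOIS creation date), together with the lead-time arithmetic behind the 651-day First Watch figure, as an added example in Python. This is not WhoisXML API code: the dates_seen values are the three rows of the DNS Chronicle table above, but the whois_created values and the control row are constructed placeholders (the post gives only the overall creation range of 18 June 2022 to 30 March 2026), so the verdicts illustrate the check rather than restate the authors' findings.

```python
"""Passive-DNS first-seen vs. WHOIS creation date: a re-registration check.

Added example, not WhoisXML API code. The dates_seen values are the three
rows of the DNS Chronicle table in this post; whois_created values and the
control row are constructed placeholders, so the verdicts illustrate the
check rather than restate the authors' findings.
"""
import re
from datetime import date, datetime

# Constructed records. dates_seen as printed in the post (MM/DD/YY-MM/DD/YY,
# en dash); whois_created is an assumed ISO date, not taken from the post.
RECORDS = [
    {"domain": "work.gd", "dates_seen": "08/26/17–03/23/26", "whois_created": "2023-05-10"},
    {"domain": "31ventures.info", "dates_seen": "06/06/22–03/16/26", "whois_created": "2025-08-29"},
    {"domain": "dnx.capital", "dates_seen": "11/07/22–05/28/25", "whois_created": "2024-06-18"},
    # Control: first seen after creation, as a continuously held domain looks.
    {"domain": "control.example", "dates_seen": "05/01/24–03/01/26", "whois_created": "2024-04-15"},
]


def parse_us_date(s: str) -> date:
    """Parse the MM/DD/YY form used in the post's tables (two-digit year, 20xx)."""
    return datetime.strptime(s.strip(), "%m/%d/%y").date()


def parse_range(dates_seen: str) -> tuple[date, date]:
    """Split 'first–last' (en dash or hyphen) into two dates."""
    first, last = re.split(r"\s*[–-]\s*", dates_seen, maxsplit=1)
    return parse_us_date(first), parse_us_date(last)


def check_reregistration(rec: dict, tolerance_days: int = 0) -> dict:
    """Flag a domain whose earliest resolution predates its current WHOIS creation date.

    tolerance_days absorbs small discrepancies (clock skew, registrar WHOIS
    rewrites); a gap larger than that means the name existed, lapsed and was
    registered again, so the current registrant need not be the original one.
    """
    first_seen, _last_seen = parse_range(rec["dates_seen"])
    created = date.fromisoformat(rec["whois_created"])
    gap = (created - first_seen).days
    return {
        "domain": rec["domain"],
        "first_seen": first_seen.isoformat(),
        "whois_created": created.isoformat(),
        "history_predates_creation_by_days": gap,
        "possible_reregistration": gap > tolerance_days,
    }


def lead_time_days(first_flagged_iso: str, listed_as_ioc_iso: str) -> int:
    """Days between a predictive flag (e.g. a First Watch listing) and public IoC disclosure."""
    return (date.fromisoformat(listed_as_ioc_iso) - date.fromisoformat(first_flagged_iso)).days


if __name__ == "__main__":
    for rec in RECORDS:
        print(check_reregistration(rec))
    # The post's 651-day figure for dnx.capital, listed by GitHub on 31 March
    # 2026, works out to a flag dated 18 June 2024.
    print(lead_time_days("2024-06-18", "2026-03-31"))
```

With the placeholder creation dates, the three domains from the table are flagged and the control is not. In practice set tolerance_days to a few weeks rather than zero: a passive-DNS sensor can record a name a short while before the registry timestamp it later reports, and that alone should not count as a re-registration.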

Investigating the IP Addresses Identified as Axios Supply Chain Attack IoCs

We then further investigated the 10 IP IoCs.

Sample network traffic data from the IASC revealed that 32 unique IP addresses that could belong to victims under 14 distinct ASNs communicated with seven of the IP IoCs between 11 October 2025 and 31 March 2026.

Next, we queried the IP IoCs on Bulk IP Geolocation Lookup and learned that:

  • They were geolocated in two countries, one of which—the U.S.—was also named as a registrant country of five of the domain IoCs.
  • They were all administered by a single ISP, Hostwinds.

After that, we queried the IP IoCs on DNS Chronicle API and discovered that they recorded 3,155 historical IP-to-domain resolutions over time. Take a look at more information on five examples below.

IP IoC | NUMBER OF IP-TO-DOMAIN RESOLUTIONS | DATES SEEN
23[.]254[.]128[.]114 | 769 | 02/05/17–02/06/26
23[.]254[.]253[.]75 | 736 | 03/11/18–03/26/26
104[.]168[.]167[.]88 | 383 | 03/22/19–11/04/25
142[.]11[.]212[.]10 | 461 | 08/16/19–02/27/26
104[.]168[.]214[.]151 | 305 | 10/04/19–08/08/24

Hunting for New Axios Supply Chain Attack Artifacts

Having learned more about the 22 IoCs, we searched for additional connected artifacts.

First, we queried the domain IoCs on WHOIS History API and discovered that four had six unique email addresses in their historical WHOIS records. Of these, one was a public email address.

We queried the sole public email address on Reverse WHOIS API and uncovered 676 unique email-connected domains after the domain IoCs were filtered out.

Next, we queried the domain IoCs on DNS Lookup API, which led to the discovery of two unique additional IP addresses.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

