Axios NPM Package Compromised in Precision Attack
The NPM package for Axios, a popular JavaScript HTTP client library, was briefly compromised this week, possibly by North Korean threat actors.
Alexander Culafi, Senior News Writer, Dark Reading
March 31, 2026
The Axios JavaScript NPM package was recently compromised, in what ranks as one of the highest-impact supply chain attacks against the open source development ecosystem in recent months.
Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: axios@1.14.1 and axios@0.30.4.
As StepSecurity explained in its blog post on the incident, these malicious versions include a new malicious dependency named "plain-crypto-js@4.2.1." Apparently impersonating the otherwise legitimate crypto-js library, plain-crypto-js executes a script that installs a remote-access Trojan (RAT) capable of functioning across Windows, Linux, and Mac. The attack apparently began because the lead maintainer's account, "jasonsaayman," was compromised.
"The dropper contacts a live command-and-control server and delivers platform-specific, second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection," StepSecurity's blog read. "There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous."
The packages were active for a few hours (around three hours for both Axios versions) before NPM fully removed all traces of the campaign. Because Axios is so popular, and because the malicious versions were up for a decent chunk of time (one version of plain-crypto-js was publicly exposed for more than 21 hours before receiving a security hold, according to an Endor Labs blog), organizations should check for indicators of compromise (available in the StepSecurity, Endor Labs, and Socket blog posts).
Feross Aboukhadijeh, CEO of Socket, tells Dark Reading in an email that in the JavaScript ecosystem, "this is the kind of incident where teams should drop everything and verify their dependencies immediately."
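One concrete way to act on that advice, added here as an example and not code from the article, StepSecurity, Endor Labs, Socket, or the Axios project: a Node script that scans a package-lock.json for the indicators the article names, namely the two compromised axios releases and any plain-crypto-js entry. It reads the lockfile rather than asking `npm list` or reading node_modules/*/package.json, because the article reports that the malware rewrites its own package.json and makes `npm list` report the wrong version after infection. The embedded sample lockfile is constructed for the demonstration; it handles both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1.

```javascript
// Added example for this article (not StepSecurity's, Endor Labs', Socket's or
// Axios's own code): scan a package-lock.json for the indicators named above.
'use strict';

// Indicators taken from the article.
const COMPROMISED_RELEASES = { axios: new Set(['1.14.1', '0.30.4']) };
const MALICIOUS_PACKAGES = new Set(['plain-crypto-js']);

// Record a hit if (name, version) matches either indicator list.
function check(name, version, where, hits) {
  if (MALICIOUS_PACKAGES.has(name)) {
    hits.push({ where, name, version, reason: 'malicious dependency name' });
  } else if (COMPROMISED_RELEASES[name] && COMPROMISED_RELEASES[name].has(version)) {
    hits.push({ where, name, version, reason: 'known-compromised release' });
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/axios" or "node_modules/foo/node_modules/@scope/bar".
function scanPackagesMap(packages, hits) {
  for (const [where, meta] of Object.entries(packages)) {
    if (where === '') continue; // root project entry, not a dependency
    const idx = where.lastIndexOf('node_modules/');
    const name = idx === -1 ? where : where.slice(idx + 'node_modules/'.length);
    check(name, meta.version, where, hits);
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = `${prefix}node_modules/${name}`;
    check(name, meta.version, where, hits);
    scanDependencyTree(meta.dependencies, `${where}/`, hits);
  }
}

// Returns every matching entry in a parsed package-lock.json object.
function findIndicators(lockfile) {
  const hits = [];
  if (lockfile.packages) scanPackagesMap(lockfile.packages, hits);
  else scanDependencyTree(lockfile.dependencies, '', hits);
  return hits;
}

// Convenience wrapper for a lockfile on disk.
function scanLockfile(path) {
  const fs = require('node:fs');
  return findIndicators(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Constructed sample lockfile (not a real project's): the compromised axios
// release pulling in the malicious dependency, plus one unrelated package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.0.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/unrelated-dep': { version: '2.0.0' },
  },
};

// CLI: `node check-lock.js path/to/package-lock.json`; no argument scans the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const hits = target ? scanLockfile(target) : findIndicators(SAMPLE_LOCK);
  for (const h of hits) console.log(`${h.where}: ${h.name}@${h.version} (${h.reason})`);
  if (target) process.exitCode = hits.length ? 1 : 0;
}
```

A hit on either indicator means the machine that ran `npm install` should be treated as potentially compromised and checked against the vendors' published indicator lists, since the article describes the malware calling home within seconds of install; simply bumping the version does not undo that. Because the lockfile is written by npm at resolution time, it still records what was installed even after the package has cleaned up after itself.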
What Do the Axios Attackers Want?
Attribution has been a dynamic topic, to say the least. Early reports tied activity to TeamPCP, a threat actor known for conducting cloud-native threat activity, including ransomware attacks. However, today Google sent a statement to Dark Reading attributing the attack to suspected North Korean threat actor UNC1069.
Google Threat Intelligence Group chief analyst John Hultquist writes in an emailed statement that while the full breadth of the incident remains unclear, Google expects it to have a far-reaching impact. It's worth noting that North Korea has done this kind of thing before.
StepSecurity's Ashish Kurmi says that based on how the RAT operates (and setting aside other vendors' attributions), the Axios attacker could be interested in access brokering or espionage.
"The RAT's first action is device profiling (hostname, username, OS, processes, directory walk) before doing anything else — that's cataloging, not looting. A blunt infostealer grabs credentials and leaves; this one fingerprints the environment and waits for instructions, pointing to initial access brokerage or targeted espionage," he says. "Axios lives in developer environments holding source code, deploy keys, and cloud credentials a cryptominer has no use for, and the 18-hour pre-staging, simultaneous branch poisoning, and anti-forensics suggest an actor who has done this before."
If North Korea is involved, Kurmi says that changes the story significantly, as UNC1069 is best known as an arm of North Korea's Lazarus Group responsible for filling DPRK coffers. They steal cryptocurrency and seize credentials that can be used to access wallets or fintech architecture. Moreover, "What makes this particularly notable is that it would represent DPRK's first successful compromise of a top-10 npm package."
New Standard for Open Source Supply Chain Attack Sophistication
The open source supply chain has faced a number of noteworthy threats in recent months, such as Shai-hulud and GlassWorm, but the attack on Axios stands out for a few different reasons. While many of the open source supply chain attacks relied on more opportunistic means of infection and blunt force infostealers, StepSecurity used the word "precision" to describe this attack.
"The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct. Within two seconds of npm install, the malware was already calling home to the attacker's server before npm had even finished resolving dependencies," the blog post read. "This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."
StepSecurity's Ashish Kurmi tells Dark Reading this was far more sophisticated than a typical NPM attack, as most rely on typosquatting, but "this required compromising a real maintainer account, bypassing Axios' OIDC-based publishing pipeline, and building anti-forensics that make npm list report the wrong version post-infection."
Kurmi calls that "operational tradecraft," not a script. "We've been tracking several supply chain attacks from last year to this year — the Shai-Hulud attacks, the Nx Singularity incident, the tj-actions/changed-files compromise, the Trivy compromise, Checkmarx KICS, the LiteLLM PyPI compromise, the Canister worm, and now Axios — each one has shown a step up in operational sophistication and anti-forensic awareness."
As for how "bad" this attack is from the defender's point of view, Kurmi notes that the total number of installs would have been limited because the primary exposure window (not counting the longer plain-crypto-js exposure noted above) was only about three hours in practice. However, developers who were affected during that time would likely have seen no error, warning, or trace left behind. As such, "A quiet, traceless compromise of a developer's machine is a fundamentally different risk than something loud that gets patched fast."
Endor Labs security researcher Peyton Kennedy agrees the attack is a big step up in its sophistication.
"Last year, Shai-hulud's worm-based propagation was novel, and we've since seen that technique replicated in CanisterWorm and other campaigns. This attack is a different kind of escalation: staged dependency seeding to evade scanners, platform-specific payload chains, and self-deleting anti-forensic cleanup," Kennedy says. "This looks like deliberate, planned tradecraft from an experienced threat actor."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.