Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious versions of the highly popular Axios NPM library were distributed to millions in a fresh supply chain attack blamed on North Korean hackers. A promise-based HTTP client that supports asynchronous API requests from Node.js and browsers, Axios is used for fetching, sending, and updating data. With over 100 million weekly downloads, it is a top 10 NPM package and the most popular JavaScript HTTP client library, present in approximately 80% of cloud and code environments. On March 31, 2026, just after midnight, two backdoored Axios versions were published to the NPM registry to automatically execute a payload across Windows, macOS, and Linux systems, without user interaction. The nefarious package versions, namely 1.14.1 and 0.30.4, were removed from the registry roughly three hours later. During this window, they were downloaded by roughly 3% of the Axios userbase, Wiz says. The backdoored iterations contained a phantom dependency that was published to the registry 18 hours before the attack. Named plain-crypto-js@4.2.1, the dependency is never imported anywhere by the Axios code. “Its sole purpose is to execute a post-install script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads,” StepSecurity notes. The dropped payloads, Wiz explains, had similar functionality across operating systems, enabling remote shell execution, code injection, directory and process enumeration, and system reconnaissance. “After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection,” Sophos says. According to Socket, the @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130 packages were seen distributing the same malware. Compromised account and attack timeline The supply chain attack was highly targeted and premeditated, security researchers say. To mount the attack, the threat actors compromised the NPM account of @jasonsaayman, the primary maintainer of Axios, Huntress explains. The attackers changed the email address for the account and used a long-lived access token to publish the backdoor package versions directly via the NPM CLI, bypassing the GitHub Actions OIDC-based CI/CD publishing workflow. “One critical detail: even on the v1.x branch where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside OIDC credentials. When both are present, NPM uses the token. This meant the long-lived token was effectively the authentication method for all publishers, regardless of OIDC configuration,” Huntress says. This explains why the attackers could bypass publishing protections even if the maintainer has multi-factor authentication enabled “on practically everything” he interacts with, as he pointed out. A clean version of plain-crypto-js dependency used in the attack was published 18 hours before the attack, “to establish NPM publishing history, so the package does not appear as a zero-history account during later inspection,” StepSecurity notes. The malicious iteration of the dependency was published roughly 20 minutes before the first backdoored Axios version was published. The second backdoored Axios release was pushed 39 minutes later. NPM unpublished and removed the malicious versions three hours later and started a security hold on plain-crypto-js. It replaced the malicious dependency with an NPM security-holder stub an hour later. The initial plain-crypto-js version was an identical copy of the legitimate crypto-js@4.2.0 package. The malicious iteration, 4.2.1, contained only three differences: the post-install script, an obfuscated dropper, and a clean JSON stub. The purpose of the stub was to rename itself (after the setup script finished execution and deleted itself) and report version 4.2.0 instead of 4.2.1, to trick defenders into believing that their systems were not compromised, StepSecurity notes. North Korean hackers to blame “The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation,” said ReversingLabs chief software architect Tomislav Pricing. The attack, cybersecurity researchers say, was mounted by North Korean hackers. Elastic says the macOS binary used in the attack overlaps with WaveShaper, which was attributed by Google to UNC1069. In an emailed statement, Google Threat Intelligence Group chief analyst John Hultquist confirmed the attribution. “GTIG is investigating the Axios supply chain attack, an incident unrelated to the recent TeamPCP supply chain issues. We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” Hultquist said. “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts,” he added. Active since at least 2018, UNC1069 is a financially motivated threat actor known for targeting cryptocurrency and decentralized finance (DeFi) verticals, software developers, and venture capital firms. In February, Google warned of evolving UNC1069 tactics, techniques, and procedures (TTPs), including the use of new malware families in attacks against a FinTech entity. Downstream impact Impacted users are advised to immediately remove the malicious packages from their systems, to hunt for signs of infection, and to audit their dependency trees for potential downstream impact. “We are already seeing active exploitation. Any environment that installed axios@1.14.1 or axios@0.30.4 should be treated as compromised. Organizations must immediately audit their dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation, and scan for malware artifacts specific to each operating system,” Huntress senior principal security researcher John Hammond said in an emailed comment. The attack, Sonatype field CTO Ilkka Turunen points out, shows that hackers are now exploiting the trust people place in code rather than in the code itself. “The malicious capability was introduced through a staged dependency and designed to erase its own tracks, which made the attack harder to spot and slower to understand. That’s not just malware — it shows a more deliberate and mature playbook,” Turunen said. “What makes this incident important is how little visible change was needed to create real downstream risk. When a widely trusted package can be turned into a delivery path like this, the issue is bigger than package hygiene. It’s a trust problem in the software supply chain, and it’s why organizations need security controls that look at what’s actually being installed, not just what appears safe at first glance,” he added. Despite the short window of availability for the two backdoored Axios iterations, the impact of this supply chain attack is believed to be broad, as the library is deeply embedded across environments and the malicious code was likely pulled through downstream build pipelines. “By briefly inserting malicious code into a common package, threat actors can exploit routine software updates and automated processes, often without anyone immediately realizing something is wrong. That downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves,” Arctic Wolf VP Ismael Valenzuela said. “What makes this one worth paying close attention to is the IDE extension angle. Developers who pinned their versions, maintained lockfiles, and followed standard hygiene could still have been hit because their editor pulled the dependency behind the scenes,” Semgrep founder and CEO Isaac Evans pointed out. Related: Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks Related: TeamPCP Moves From OSS to AWS Environments Related: Pro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal Account Related: The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Exploitation of Critical Fortinet FortiClient EMS Flaw Begins StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Lloyds Data Security Incident Impacts 450,000 Individuals Huskeys Emerges From Stealth With $8 Million in Funding Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Telnyx Targeted in Growing TeamPCP Supply Chain Attack Exploitation of Fresh Citrix NetScaler Vulnerability Begins F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild Latest News Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents Censys Raises $70 Million for Internet Intelligence Platform The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks Venom Stealer Raises Stakes With Continuous Credential Harvesting TeamPCP Moves From OSS to AWS Environments CrewAI Vulnerabilities Expose Devices to Hacking Google Slashes Quantum Resource Requirements for Breaking Cryptocurrency Encryption Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Moderna has promoted Farzan Karimi to Deputy Chief Information Security Officer. Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne. Token has appointed Katy Nelson as Chief Revenue Officer. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email