North Korean attackers compromised the widely used Axios NPM package in a supply chain attack that reached a large share of the package's user base. Backdoored versions of Axios, the promise-based HTTP client used for API requests in Node.js and browsers, were distributed to users worldwide through the NPM registry.
The Attack’s Mechanism
Axios, a prominent HTTP client with over 100 million weekly downloads, was compromised when two backdoored versions were uploaded to the NPM registry on March 31, 2026. Both versions were built to deliver a malicious payload to Windows, macOS and Linux hosts automatically at install time, with no action from the user beyond installing the package.
Security firm Wiz reported that approximately 3% of Axios users downloaded the compromised versions before they were removed from the registry about three hours later. The backdoor was delivered through a phantom dependency, [email protected], a package that had been published to the registry 18 hours before the backdoored Axios versions appeared; its post-install script acted as a dropper for a remote access trojan (RAT).
Impact and Mitigation
The RAT dropper contacted a command-and-control server and fetched a payload tailored to the host operating system, capable of executing remote shell commands, injecting code and performing system reconnaissance. The malware also tried to cover its tracks by overwriting its own package metadata with clean copies, which complicates forensic detection after the fact.
Researchers found that the attackers used a compromised NPM account belonging to Axios's primary maintainer, @jasonsaayman, to publish the backdoored packages directly rather than through the project's normal release pipeline. A long-lived access token for that account was enough to publish, sidestepping the safeguards that OIDC Trusted Publishing would otherwise have provided.
Broader Implications
Attributed to the North Korean group UNC1069, the attack underscores the growing sophistication of supply chain breaches. UNC1069 is best known for targeting cryptocurrency and decentralized finance organizations; its expanding tactics pose a significant threat to software ecosystems more broadly.
Affected users are urged to remove the malicious versions immediately, audit their dependency trees and lockfiles, and monitor for indicators of compromise. The incident highlights the need for controls that inspect what is actually being installed, including install-time scripts, rather than trusting a package on reputation alone.
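The dependency-tree audit above can be partly automated against an npm lockfile. The following Node.js script is an added example, not code from the original article or from the Axios project. It reads a lockfileVersion 2 or 3 file and reports two things: pinned versions that appear on a caller-supplied blocklist, and dependencies that npm has flagged with `hasInstallScript` (the marker npm records for packages declaring preinstall, install or postinstall scripts, the hook a post-install dropper relies on). The embedded lockfile, the package name `example-phantom-dep` and the versions in `EXAMPLE_BLOCKLIST` are constructed for this example and are not the real malicious versions, which the article does not name.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3) for blocklisted
// versions and for dependencies that carry install scripts.
// The lockfile content below is constructed for this example; every package
// name and version in it is hypothetical.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.2.3.tgz",
      dependencies: { "example-phantom-dep": "1.0.0", "follow-redirects": "^1.15.0" },
    },
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    "node_modules/example-phantom-dep": { version: "1.0.0", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
});

// Hypothetical blocklist: replace with the versions named in the advisory you act on.
const EXAMPLE_BLOCKLIST = { axios: ["1.2.3"] };

// Lockfile keys are install paths; the package name is everything after the
// last "node_modules/" segment, which also handles nested and scoped packages:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Returns { blocked: [...], installScripts: [...] }, each entry { name, version, path }.
function auditLockfile(lockfileText, blocklist) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) {
    throw new Error("lockfileVersion 2 or 3 with a 'packages' map is required");
  }
  const findings = { blocked: [], installScripts: [] };
  for (const [pkgPath, entry] of Object.entries(lock.packages)) {
    if (pkgPath === "") continue; // the root project itself
    const name = packageNameFromPath(pkgPath);
    const record = { name, version: entry.version, path: pkgPath };
    if ((blocklist[name] || []).includes(entry.version)) {
      findings.blocked.push(record);
    }
    if (entry.hasInstallScript === true) {
      findings.installScripts.push(record);
    }
  }
  return findings;
}

// Run against the constructed sample; point this at a real package-lock.json
// by reading the file and passing its text instead.
const result = auditLockfile(SAMPLE_LOCKFILE, EXAMPLE_BLOCKLIST);
console.log(JSON.stringify(result, null, 2));
```

Every package listed under `installScripts` deserves a look even when nothing is blocklisted, since a dropper of the kind described above needs exactly that hook. As a defense in depth, installing with `npm ci --ignore-scripts` (or setting the `ignore-scripts` npm config) stops install-time scripts from running at all, at the cost of breaking packages that legitimately need a build step.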
Despite the brief window in which the compromised versions were available, the breach has broad implications because of how widely Axios is used across environments. It illustrates how much damage can follow when trusted software is manipulated, and why software supply chains demand continuous vigilance.
