Axios npm Package Hijacked in North Korea-Linked Supply Chain Attack — RAT Deployed to Millions
Summary
The widely used JavaScript HTTP client Axios — with over 100 million weekly npm downloads — was compromised in a supply chain attack on March 30-31, 2026. Threat actors gained access to a lead maintainer’s npm account and published two malicious package versions (axios@1.14.1 and axios@0.30.4) that deployed a cross-platform Remote Access Trojan (RAT) via a hidden dependency called plain-crypto-js.
The malicious packages were live on npm for approximately two to three hours between 00:21 and 03:30 UTC on March 31. Any development environment, CI/CD pipeline, or production system that installed these versions during the exposure window should be considered fully compromised. Automated security scanners flagged the malicious dependency quickly, and npm administrators pulled the packages shortly after.
Google Threat Intelligence Group (GTIG) has attributed the attack to UNC1069, a suspected North Korean threat actor, identifying overlaps with the WAVESHAPER.V2 backdoor linked to DPRK-affiliated clusters like BlueNoroff.
Sources
- Trend Micro — Axios npm Package Compromised
- Malwarebytes — Axios Supply Chain Attack
- Google Cloud — North Korea Threat Actor Targets Axios
- SANS — Axios npm Supply Chain Compromise
Commentary
This is the supply chain attack the JavaScript ecosystem has been dreading. Axios isn’t some obscure utility — it’s a foundational dependency baked into millions of projects. The fact that a single compromised maintainer account could push malicious code to that entire install base, even for a few hours, underscores a fundamental trust problem in package registries that lockfiles and pinning can only partially mitigate.
The DPRK attribution makes this even more significant. North Korean threat actors have been steadily moving up the software supply chain sophistication ladder, and this represents a major escalation from targeting individual developers with fake job offers to poisoning globally critical infrastructure. Organizations should audit immediately: check for axios@1.14.1 or axios@0.30.4 in your lockfiles, rotate credentials on any affected systems, and rebuild from known-good state.