Malicious versions of the highly popular Axios NPM library were distributed to millions in a fresh supply chain attack blamed on North Korean hackers.
A promise-based HTTP client that supports asynchronous API requests from Node.js and browsers, Axios is used for fetching, sending, and updating data.
With over 100 million weekly downloads, it is a top 10 NPM package and the most popular JavaScript HTTP client library, present in approximately 80% of cloud and code environments.
On March 31, 2026, just after midnight, two backdoored Axios versions were published to the NPM registry to automatically execute a payload across Windows, macOS, and Linux systems, without user interaction.
The nefarious package versions, namely 1.14.1 and 0.30.4, were removed from the registry roughly three hours later. During this window, they were downloaded by roughly 3% of the Axios userbase, Wiz says.
The backdoored iterations contained a phantom dependency that was published to the registry 18 hours before the attack. Named [email protected], the dependency is never imported anywhere by the Axios code.
“Its sole purpose is to execute a post-install script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads,” StepSecurity notes.
The dropped payloads, Wiz explains, had similar functionality across operating systems, enabling remote shell execution, code injection, directory and process enumeration, and system reconnaissance.
“After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection,” Sophos says.
According to Socket, the @shadanai/openclaw and @qqbrowser/[email protected] packages were seen distributing the same malware.
Compromised account and attack timeline
The supply chain attack was highly targeted and premeditated, security researchers say. To mount the attack, the threat actors compromised the NPM account of @jasonsaayman, the primary maintainer of Axios, Huntress explains.
The attackers changed the email address for the account and used a long-lived access token to publish the backdoor package versions directly via the NPM CLI, bypassing the GitHub Actions OIDC-based CI/CD publishing workflow.
“One critical detail: even on the v1.x branch where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside OIDC credentials. When both are present, NPM uses the token. This meant the long-lived token was effectively the authentication method for all publishers, regardless of OIDC configuration,” Huntress says.
This explains why the attackers could bypass publishing protections even if the maintainer has multi-factor authentication enabled “on practically everything” he interacts with, as he pointed out.
A clean version of plain-crypto-js dependency used in the attack was published 18 hours before the attack, “to establish NPM publishing history, so the package does not appear as a zero-history account during later inspection,” StepSecurity notes.
The malicious iteration of the dependency was published roughly 20 minutes before the first backdoored Axios version was published. The second backdoored Axios release was pushed 39 minutes later.
NPM unpublished and removed the malicious versions three hours later and started a security hold on plain-crypto-js. It replaced the malicious dependency with an NPM security-holder stub an hour later.
The initial plain-crypto-js version was an identical copy of the legitimate [email protected] package. The malicious iteration, 4.2.1, contained only three differences: the post-install script, an obfuscated dropper, and a clean JSON stub.
The purpose of the stub was to rename itself (after the setup script finished execution and deleted itself) and report version 4.2.0 instead of 4.2.1, to trick defenders into believing that their systems were not compromised, StepSecurity notes.
North Korean hackers to blame
“The level of operational sophistication documented here, including compromised maintainer credentials, pre-staged payloads built for three operating systems, both release branches hit in under 40 minutes, and built-in forensic self-destruction, reflects a threat actor that planned this as a scalable operation,” said ReversingLabs chief software architect Tomislav Pricing.
The attack, cybersecurity researchers say, was mounted by North Korean hackers. Elastic says the macOS binary used in the attack overlaps with WaveShaper, which was attributed by Google to UNC1069.
In an emailed statement, Google Threat Intelligence Group chief analyst John Hultquist confirmed the attribution.
“GTIG is investigating the Axios supply chain attack, an incident unrelated to the recent TeamPCP supply chain issues. We have attributed the attack to a suspected North Korean threat actor we track as UNC1069,” Hultquist said.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts,” he added.
Active since at least 2018, UNC1069 is a financially motivated threat actor known for targeting cryptocurrency and decentralized finance (DeFi) verticals, software developers, and venture capital firms.
In February, Google warned of evolving UNC1069 tactics, techniques, and procedures (TTPs), including the use of new malware families in attacks against a FinTech entity.
Downstream impact
Impacted users are advised to immediately remove the malicious packages from their systems, to hunt for signs of infection, and to audit their dependency trees for potential downstream impact.
“We are already seeing active exploitation. Any environment that installed [email protected] or [email protected] should be treated as compromised. Organizations must immediately audit their dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation, and scan for malware artifacts specific to each operating system,” Huntress senior principal security researcher John Hammond said in an emailed comment.
The attack, Sonatype field CTO Ilkka Turunen points out, shows that hackers are now exploiting the trust people place in code rather than in the code itself.
“The malicious capability was introduced through a staged dependency and designed to erase its own tracks, which made the attack harder to spot and slower to understand. That’s not just malware — it shows a more deliberate and mature playbook,” Turunen said.
“What makes this incident important is how little visible change was needed to create real downstream risk. When a widely trusted package can be turned into a delivery path like this, the issue is bigger than package hygiene. It’s a trust problem in the software supply chain, and it’s why organizations need security controls that look at what’s actually being installed, not just what appears safe at first glance,” he added.
Despite the short window of availability for the two backdoored Axios iterations, the impact of this supply chain attack is believed to be broad, as the library is deeply embedded across environments and the malicious code was likely pulled through downstream build pipelines.
“By briefly inserting malicious code into a common package, threat actors can exploit routine software updates and automated processes, often without anyone immediately realizing something is wrong. That downstream exposure is what makes these incidents particularly difficult to spot and contain, especially for teams that never directly chose to install Axios themselves,” Arctic Wolf VP Ismael Valenzuela said.
“What makes this one worth paying close attention to is the IDE extension angle. Developers who pinned their versions, maintained lockfiles, and followed standard hygiene could still have been hit because their editor pulled the dependency behind the scenes,” Semgrep founder and CEO Isaac Evans pointed out.
Related: Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks
Related: TeamPCP Moves From OSS to AWS Environments
Related: Pro-Iranian Hacking Group Claims Credit for Hack of FBI Director Kash Patel’s Personal Account
Related: The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust
