North Korean Hackers Attack Axios: Supply Chain Breach Explained

North Korean hackers compromised the Axios npm package on March 31, 2026, affecting thousands of developers worldwide in a major supply chain attack targeting cryptocurrency and financial sectors.


What is the Axios Supply Chain Attack?

In a major cybersecurity incident on March 31, 2026, North Korean hackers compromised the popular Axios npm package, affecting thousands of developers and organizations worldwide. The supply chain attack involved malicious actors gaining access to a lead maintainer's account for three hours and publishing trojanized versions (1.14.1 and 0.30.4) containing a hidden dependency called 'plain-crypto-js' that deployed a cross-platform remote access trojan (RAT). With Axios being one of the most widely used JavaScript libraries for making HTTP requests, boasting over 100 million weekly downloads, this attack represents one of the most significant supply chain compromises in recent history.

How the North Korean Attack Unfolded

The attack was executed with surgical precision by the North Korean threat group UNC1069, which has been active since 2018 and specializes in targeting cryptocurrency and financial sectors. According to cybersecurity firm Mandiant, owned by Google, the attackers compromised the npm account credentials of an Axios maintainer and published two malicious versions during a three-hour window before the packages were removed at 03:29 UTC.

The Technical Mechanism

The compromised packages contained a phantom dependency that automatically executed a postinstall script during installation. This script downloaded and installed the WAVESHAPER.V2 backdoor, a sophisticated multi-platform RAT capable of infecting Windows, macOS, and Linux systems. The malware was designed to:

  • Harvest credentials including GitHub Personal Access Tokens
  • Collect cloud service API keys (AWS, GCP, Azure)
  • Exfiltrate SSH keys and npm tokens
  • Establish persistent command-and-control connections
  • Execute arbitrary commands on infected systems

The attack's sophistication suggests state-sponsored capabilities, with security experts noting the malware used double obfuscation and self-erasing techniques to avoid detection. 'If you don't get in through the front door, you try the back door – and that's happening more and more often,' said Jort Kollerie, strategic advisor and deputy Chief Information Security Officer at Orange Cyberdefense.

Why North Korea Targets Software Supply Chains

North Korean hackers have increasingly turned to cyber operations as a primary revenue source for the sanctioned regime. According to White House officials, approximately half of North Korea's missile program is funded through digital theft, with cryptocurrency heists alone generating billions annually. The 2025 Bybit hack netted $1.5 billion, making it the largest crypto theft in history at that time.

This attack follows a pattern of North Korean operations targeting the software supply chain, similar to previous incidents like the SolarWinds supply chain attack that affected government agencies worldwide. By compromising widely-used open-source packages, attackers can achieve maximum impact with minimal effort, potentially accessing thousands of downstream applications and organizations.

Impact and Scale of the Breach

Initial assessments indicate approximately 600,000 installations occurred during the three-hour attack window, affecting an estimated 3% of Axios users. The Dutch National Cyber Security Centre (NCSC) issued an urgent warning, stating: 'If your organization develops software using a compromised npm or Python package, malicious actors have gained access to authentication data. Through these credentials, they gain access to other development environments or systems on your network.'

The attack's ripple effects extend across multiple sectors:

Sector           Potential Impact
Healthcare       Patient data systems, medical devices
Finance          Banking applications, trading platforms
Cryptocurrency   Exchange platforms, wallet services
Technology       Cloud infrastructure, CI/CD pipelines

How to Protect Against Supply Chain Attacks

Security experts recommend immediate action for organizations that may have been affected:

  1. Audit Dependencies: Check for Axios versions 1.14.1 or 0.30.4 and the plain-crypto-js@4.2.1 dependency
  2. Rotate Credentials: Assume all secrets on affected systems are compromised and rotate immediately
  3. Implement Version Pinning: Use exact version numbers or tilde ranges in package.json
  4. Enable Multi-Factor Authentication: Require MFA for all package maintainer accounts
  5. Monitor Network Traffic: Look for unusual outbound connections to suspicious domains

Organizations should also consider implementing software supply chain security best practices including Software Bill of Materials (SBOM) generation and dependency cooldown periods of 7-14 days before adopting new package versions.
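The cooldown recommendation above can be enforced mechanically. The following is an added example, not code from the article or the Axios project: given the `time` map from an npm registry packument (version to ISO publish time), it picks the newest stable release that has aged at least the cooldown window. The timestamps and the version numbers other than 1.14.1 are constructed for illustration.

```javascript
// Added example (not from the article): enforce a dependency cooldown by
// picking the newest release of a package that has been on the registry for
// at least `cooldownDays`. `timeMap` has the shape of the `time` object in an
// npm registry packument (version -> ISO 8601 publish time, plus the
// "created" and "modified" keys, which are skipped).
const DAY_MS = 24 * 60 * 60 * 1000;
const RELEASE_RE = /^\d+\.\d+\.\d+$/; // stable releases only; prereleases are skipped

// Numeric major.minor.patch comparison; inputs are assumed to match RELEASE_RE.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns the newest cooled-down version, or null if no release has aged enough.
function newestCooledVersion(timeMap, cooldownDays, now = new Date()) {
  const cutoff = now.getTime() - cooldownDays * DAY_MS;
  const eligible = Object.entries(timeMap)
    .filter(([version, published]) => RELEASE_RE.test(version) && Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

// Constructed timestamps for illustration; they are not the real publish
// times of any axios release.
const SAMPLE_TIME = {
  created: '2026-01-05T00:00:00.000Z',
  modified: '2026-03-31T01:10:00.000Z',
  '1.13.0': '2026-02-10T00:00:00.000Z',
  '1.14.0': '2026-03-20T00:00:00.000Z',
  '1.14.1': '2026-03-31T01:10:00.000Z', // inside the attack window described in the article
  '1.15.0-beta.1': '2026-03-29T00:00:00.000Z',
};

// Usage: evaluated the day after the compromise with a 7-day cooldown.
const NOW = new Date('2026-04-01T12:00:00.000Z');
console.log(newestCooledVersion(SAMPLE_TIME, 7, NOW)); // → 1.14.0; the trojanized 1.14.1 is too fresh
```

With a 14-day window the same data yields 1.13.0, which shows the trade-off the 7-14 day range implies: a longer cooldown also delays legitimate fixes.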

Long-Term Implications for Open Source Security

This attack highlights fundamental vulnerabilities in the open-source ecosystem, where a single compromised maintainer account can affect millions of downstream users. The incident has sparked renewed discussions about:

  • Improved maintainer account security with hardware security keys
  • Package signing and provenance verification requirements
  • Better monitoring of package registry activities
  • Increased funding and support for critical open-source projects

As Donner Bakker, technology editor at BNR, noted: 'Thousands of American developers are infected, companies in other countries will also be affected.' The full scope of the damage may take months to assess, with security researchers warning that stolen credentials could be used in follow-up attacks for years to come.

Frequently Asked Questions

What is Axios and why was it targeted?

Axios is a popular promise-based HTTP client for JavaScript that works in both browsers and Node.js. It's targeted because of its widespread adoption (100M+ weekly downloads) across multiple industries, making it an ideal vector for supply chain attacks.

How can I check if my system was affected?

Check your package-lock.json or yarn.lock files for Axios versions 1.14.1 or 0.30.4, and look for the plain-crypto-js@4.2.1 dependency. Also review npm install logs from March 31, 2026, between 00:00-03:29 UTC.
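The lockfile check above (and step 1 of the recommendations earlier) can be scripted. The following is an added example, not code from the article or the Axios project: it scans a `package-lock.json` (lockfileVersion 2 or 3) for the two trojanized Axios versions and the plain-crypto-js@4.2.1 phantom dependency, and also flags any package that declares an install script, since a postinstall script is how the dropper ran. The sample lockfile is constructed; yarn.lock is not covered.

```javascript
// Added example (not from the article): audit a package-lock.json
// (lockfileVersion 2 or 3) for the trojanized Axios releases and the phantom
// dependency named in the article, and flag every package that declares an
// install script.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns a list of findings; an empty list means nothing was flagged.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = entry.name || packageNameFromPath(lockPath);
    const badVersions = COMPROMISED[name];
    if (badVersions && badVersions.has(entry.version)) {
      findings.push({ path: lockPath, name, version: entry.version, reason: 'known-compromised' });
    }
    if (entry.hasInstallScript) {
      findings.push({ path: lockPath, name, version: entry.version, reason: 'install-script' });
    }
  }
  return findings;
}

// Constructed sample lockfile: the axios and plain-crypto-js versions are the
// ones the article names; everything else is made up for the demonstration.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/harmless-dep': { version: '2.0.0' },
  },
};

// Usage: node audit-lock.js ./package-lock.json (reads the file only when a path is given)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const f of auditLockfile(lock)) console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
}
```

Any `install-script` finding deserves a look even when the package is not on the known-bad list; a clean audit of the lockfile still does not clear a machine that already ran the install, which is why the credential rotation step follows.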

What should affected organizations do immediately?

Assume full system compromise, rotate all credentials (GitHub tokens, cloud keys, SSH keys), conduct malware scans, and audit all systems that installed the compromised packages during the attack window.

Are end-users of applications built with Axios at risk?

End-users are not directly affected during runtime, but developers and build environments that installed the malicious packages are at significant risk of credential theft and system compromise.

How can future supply chain attacks be prevented?

Implement dependency pinning, use lockfiles with npm ci, enable package signing, require MFA for maintainers, establish dependency cooldown periods, and use supply chain security tools like Socket.dev or Snyk.

Sources

The Hacker News: Google Attributes Axios NPM Supply Chain Attack
CNN: North Korean Hackers Execute Major Supply-Chain Attack
NCSC Alert: Widespread Supply Chain Compromise
Snyk: Axios NPM Package Compromised in Supply Chain Attack
SecurityWeek: Axios NPM Package Breached in North Korean Attack
