The Axios NPM Attack: How North Korea Poisoned 100M+ Downloads

A three-hour window. A compromised maintainer account. A payload targeting every developer on Windows, macOS, and Linux.

April 2026 · Pivital Systems

In late March 2026, a sophisticated state-sponsored threat actor silently inserted a Remote Access Trojan into one of the most widely used JavaScript libraries on earth. The target was Axios — not the news outlet, but the open-source HTTP client that powers roughly 80% of modern cloud and code environments, with over 100 million weekly downloads on NPM. The attacker was North Korea. The window was three hours. The fallout is still being tallied.

This is the anatomy of one of the most audacious supply chain attacks in recent memory — and a clear signal about the security posture every organization dependent on open-source tooling must confront right now.

What Is a Supply Chain Attack?

In traditional cyberattacks, adversaries break through a perimeter — firewalls, authentication layers, endpoint protection. Supply chain attacks take a fundamentally different and far more dangerous approach: they become the trusted software you're already running.

Instead of attacking your network directly, a supply chain attacker compromises an upstream dependency — a library, a build tool, a package registry — and lets your own legitimate development workflows deliver the payload to your machines. Because the malicious code arrives through a trusted channel (an official package manager, a verified release), conventional defenses are far less likely to flag it. By the time anyone notices, the attacker is already inside.

Supply chain attacks have produced some of the most damaging breaches in history: SolarWinds in 2020, XZ Utils in 2024, 3CX in 2023. The Axios incident follows the same playbook — but the sheer scale of Axios's adoption makes it one of the most potentially far-reaching attempts yet.

The Attack: What Actually Happened

According to research published by Google Threat Intelligence, SentinelOne, and Dark Reading, the attackers — tracked as UNC1069 (also known as "Sapphire Sleet" by Microsoft), a North Korea-linked group — compromised the NPM account credentials of a primary maintainer of the Axios library.

Using that access, they bypassed Axios's existing security workflows and published two malicious versions to the NPM registry:

• Axios v1.14.1 — the current major branch
• Axios v0.30.4 — targeting teams on the older, still-widely-used 0.x line

Both versions contained a "phantom" dependency: a package named plain-crypto-js@4.2.1, which does not legitimately exist in the NPM ecosystem. This phantom package was designed to execute a post-install script — code that runs automatically the moment a developer runs npm install.

That post-install script dropped a fully cross-platform Remote Access Trojan (RAT) onto the victim's machine, capable of executing on:

• Windows
• macOS
• Linux

Once installed, the RAT established a covert communication channel back to attacker-controlled infrastructure, giving UNC1069 persistent, unauthorized access to the compromised system — including the ability to exfiltrate credentials, conduct network reconnaissance, pivot deeper into internal systems, and install additional payloads.

The malicious versions remained live on NPM for approximately three hours before being detected and removed. In that window, a significant volume of automated CI/CD pipelines, developer workstations, and cloud build environments pulled the compromised packages.

Why Axios? Why Now?

The choice of Axios was not incidental. As a foundational HTTP client used across virtually every category of modern JavaScript development — frontend applications, Node.js backends, serverless functions, and cloud-native infrastructure — compromising Axios achieves the maximum possible blast radius with a single point of failure.

North Korea's cyber operations, primarily orchestrated through the Lazarus Group and affiliated units like Sapphire Sleet, have been running at a record pace. In 2025 alone, North Korean hackers stole an estimated $2.02 billion in cryptocurrency, including a single $1.46 billion Ethereum heist from the Bybit exchange in February 2025. Their objectives blend two imperatives: generating hard currency to evade international sanctions, and accumulating persistent access inside Western technology, financial, and defense infrastructure.

The Axios attack is consistent with a documented strategic pivot toward software supply chain infiltration as a primary vector — because compromising a library used by millions achieves what years of targeted phishing campaigns cannot: ubiquitous, simultaneous access across thousands of organizations at once.

Who Is at Risk?

If your development environment ran npm install during that three-hour window and pulled axios@1.14.1 or axios@0.30.4, your system was exposed. This includes:

• Developer workstations that updated dependencies locally
• CI/CD pipelines (GitHub Actions, Jenkins, GitLab CI) that perform fresh installs on each build
• Cloud build environments (AWS CodeBuild, Azure Pipelines, Google Cloud Build) running automated dependency resolution
• Docker containers built during the window that inherit the compromised package
• Any downstream package that listed Axios as a dependency and published a new version during the window

Exposure does not require a developer to intentionally update Axios. Many projects rely on version ranges (e.g., ^1.14.0) that automatically resolve to the latest patch — making this vector particularly insidious in teams with automated dependency management.

Immediate Steps If You Were Running NPM During the Window

If there is any possibility your environment was exposed, treat this as an active incident:

1. Audit your lock files. Check package-lock.json or yarn.lock for entries referencing axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1. Any match is a confirmed exposure event.
2. Isolate affected machines immediately. Network-segment or take offline any system that resolved the compromised packages. The RAT establishes persistence — assume the machine has an active backdoor until forensics prove otherwise.
3. Rotate all credentials. SSH keys, API tokens, cloud provider credentials, database passwords, and any secrets stored in environment variables on the affected machines should be considered fully compromised. Rotate everything.
4. Review outbound network logs. Look for anomalous outbound connections, particularly to unknown IP ranges, during and after the exposure window. RATs beaconing home often have distinctive timing signatures.
5. Engage a forensic incident response team. For any organization with sensitive customer, financial, or patient data, this is not a "monitor and wait" scenario. Engage formal IR resources.

The Structural Problem No Patch Fixes

The Axios attack was detected and removed in three hours. That sounds reassuring until you understand that in modern software development, three hours is effectively an eternity. Automated pipelines run continuously. Cloud builds spin up on commit. Developer machines pull updates in the background. The exposure surface opened and contaminated thousands of environments before anyone raised an alarm.

This is the structural vulnerability of the open-source dependency model at scale: trust is transitive and largely invisible. When you install a package that has 100 million weekly downloads, you are implicitly trusting not just that package, but every dependency it declares, every maintainer account that has publish rights, every machine those maintainers use to authenticate — and the security posture of every one of those intermediaries.

SolarWinds was a supply chain attack. XZ Utils was a supply chain attack. The 3CX breach was a supply chain attack. The Axios incident is a supply chain attack. The pattern is not a coincidence — it is the dominant attack methodology of state-level adversaries precisely because it bypasses your perimeter by exploiting the infrastructure you have already chosen to trust.

What Sovereign AI Infrastructure Changes

Every organization running AI workloads in the cloud faces a compounded version of this risk. Cloud-based AI tools are not isolated applications — they are deeply integrated into software development pipelines, internal knowledge bases, and operational workflows. When the environment those AI tools run on is shared, managed by a third party, and updated continuously with dependencies your team did not vet, the Axios attack surface is simply one of many that exists beneath your AI stack.

Pivital Systems builds AI infrastructure designed around a fundamentally different security posture:

• Secure on-premise AI servers: Your AI workloads run on hardware you control, in environments you manage. Dependency updates do not happen automatically at the mercy of a public registry — they are reviewed, tested, and deployed on your schedule.
• Custom LLMs trained on your data: When your model runs locally, your proprietary data, your training sets, and your inference outputs never transit external infrastructure where supply chain compromises could intercept them.
• Air-gapped and network-segmented deployment options: For teams in regulated industries or high-risk threat environments, we build fully isolated AI deployments that cannot beacon home to an attacker's infrastructure because they cannot reach external networks at all.
• Agentic AI tools with controlled dependency surfaces: Our custom AI agents are built on audited, pinned dependency trees — not rolling public registries. When a supply chain incident happens upstream, your production AI environment is not automatically exposed.

The Axios attack is a case study in what happens when critical infrastructure is built on an assumed-trust model with no sovereignty over the dependency chain. Every organization that deploys AI must ask a harder version of the same question: do you actually control the environment your AI runs in?