Axios npm Package Compromised in Supply Chain Attack Linked to North Korean Threat Actors, Delivering Cross-Platform RAT to Millions of Developers

Overview

Axios, the ubiquitous JavaScript HTTP client with over 100 million weekly npm downloads, was compromised in a supply chain attack on March 31, 2026, after threat actors hijacked the npm account of the package’s primary maintainer. Two malicious versions — axios@1.14.1 and axios@0.30.4 — injected a trojanized dependency that installed a cross-platform remote access trojan (RAT) on Windows, macOS, and Linux systems, according to BleepingComputer. The compromised versions were available for approximately three hours before being removed.

Google’s Threat Intelligence Group has attributed the attack to a North Korean actor tracked as UNC1069, a group linked to BlueNoroff that targets cryptocurrency exchanges, software developers, and financial institutions, as reported by BleepingComputer.

The attack comes days after the Trivy supply chain compromise that spawned the CanisterWorm npm worm, marking a sustained period of high-profile attacks against JavaScript’s package infrastructure.

What We Know

The attack followed a carefully staged sequence. On March 30, the attackers published a clean version of a package called plain-crypto-js (version 4.2.0) under the email nrwise@proton.me to establish npm registry history, according to Socket’s analysis. Eighteen hours later, they published version 4.2.1 of the same package, this time containing the malicious payload.

With the trojanized dependency in place, the attackers used compromised credentials belonging to Axios maintainer Jason Saayman to publish axios@1.14.1 at 00:21 UTC on March 31, followed by axios@0.30.4 at 01:00 UTC, hitting both the 1.x and legacy 0.x release branches within 39 minutes, as documented by Socket. The attackers also accessed Saayman’s GitHub account, changing the associated email to ifstap@proton.me and deleting a compromise report filed by collaborator DigitalBrainJS, according to BleepingComputer.

The malicious dependency used npm’s postinstall lifecycle hook to execute automatically during installation. An obfuscated dropper script employed a custom two-layer encoding scheme combining reversed Base64 with XOR cipher obfuscation (using the key “OrDeR_7077”) to hide 18 malicious strings including module names, command-and-control URLs, and shell commands, according to Snyk’s technical analysis.

The dropper deployed platform-specific payloads:

• macOS: Downloaded a C++ RAT binary to /Library/Caches/com.apple.act.mond, disguised as an Apple system daemon, with capabilities including command execution via shell or AppleScript, binary injection, and directory enumeration with 60-second command-and-control beaconing, as detailed by Socket.
• Windows: Copied PowerShell to %PROGRAMDATA%\wt.exe to masquerade as Windows Terminal, then launched a VBScript wrapper to execute downloaded scripts, according to BleepingComputer.
• Linux: Downloaded a Python-based RAT to /tmp/ld.py and executed it in the background using nohup, as reported by Socket.

All payloads communicated with a command-and-control server at sfrclak[.]com on port 8000 (IP: 142.11.206.73), using platform identifiers product0, product1, and product2 for macOS, Windows, and Linux respectively, per Socket’s analysis. After execution, the malware deleted itself and restored a clean package.json to erase forensic evidence.

Socket’s automated detection system flagged the malicious dependency within six minutes of publication, according to Socket. Multiple security firms including Endor Labs, Aikido, StepSecurity, Elastic, Snyk, and Huntress subsequently published analyses.

The attack also spawned secondary infections: packages @shadanai/openclaw and @qqbrowser/openclaw-qbot bundled the same malware either directly or through the tampered Axios versions, as identified by Snyk.

What We Don’t Know

• Credential compromise method: How the attackers obtained Saayman’s npm and GitHub credentials has not been disclosed. The investigation revealed continued use of a long-lived npm token alongside trusted publishing, but whether the token was phished, leaked, or stolen through other means remains unclear.
• Actual infection count: While Axios receives over 400 million monthly downloads, the compromised versions were available for roughly three hours. The actual number of developers and CI/CD pipelines that pulled the malicious versions has not been quantified, though Help Net Security reported observed execution in 3 percent of affected environments.
• Exfiltrated data: The RAT capabilities included command execution, filesystem enumeration, and persistence. Whether the attackers successfully exfiltrated credentials, source code, or other sensitive data from compromised systems is unknown.
• Relationship to TeamPCP: The attack occurred days after the TeamPCP group’s cascading supply chain attacks targeting Trivy, CheckMarx extensions, and LiteLLM. Whether there is any coordination between the groups has not been established, and StepSecurity has noted the attack does not match TeamPCP’s patterns.

Analysis

The absence of cryptocurrency mining or ransomware in the payload, combined with the RAT’s emphasis on persistence and data collection, is consistent with espionage objectives. OpenSourceMalware researchers assessed the attack as indicative of “espionage or advanced persistent threat activity” rather than financially motivated cybercrime, according to Help Net Security.

Mandiant CTO Charles Carmakal warned that the impact “is broad and extends to other popular packages that have dependencies on it,” as quoted by BleepingComputer. Organizations are advised to audit lockfiles for the affected versions and plain-crypto-js, downgrade to confirmed safe versions (axios@1.14.0 or 0.30.3), rotate all credentials on potentially compromised systems, and check for indicator files at the paths listed above. Using npm ci --ignore-scripts in CI environments can prevent postinstall hook execution during builds.