Axios Got Poisoned: North Korean Hackers Hit 100M-Download npm Package
The most-used HTTP library in JavaScript just spent 24 hours silently installing backdoors on developer machines. If you run anything that depends on axios, read this before you do anything else.
What Happened
On March 30–31, 2026, threat actors linked to North Korea compromised the axios npm package and pushed backdoored releases. Versions 1.14.1 and 0.30.4, which appear in no GitHub history because they were never committed there, quietly pulled in a malicious dependency called `plain-crypto-js@4.2.1` during installation. That dependency dropped the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.
Google Cloud's threat intelligence team attributed the attack to UNC1069, a North Korea-nexus actor with a track record of financially motivated operations — though the tooling here tells a different story. There was no ransomware, no cryptominer. The RAT harvested credentials, SSH keys, cloud tokens, and system reconnaissance data, then self-destructed, replacing its own `package.json` with a clean decoy. The C2 path `/6202033` reversed reads `3-30-2026`. Someone wanted it documented.
Axios has over 100 million weekly downloads. It's a dependency in millions of applications, CI/CD pipelines, and developer laptops. That's not an attack surface — that's a highway.
How They Got In
The attacker didn't break axios. They broke one maintainer account. Jason Saayman's npm credentials were compromised, the email tied to the account was changed, and a long-lived access token was used to publish directly to the registry — bypassing GitHub Actions entirely.
That's the part worth sitting with: no OIDC provenance records were generated. No SLSA attestations. No build trail. Security tooling that depends on those signals saw nothing.
The attack was staged over 18 hours. A clean decoy package was published first to establish registry history and reduce automated risk scores. Then, within 39 minutes, both the 1.x and 0.x branches were hit. Time from `npm install` to full system compromise: 15 seconds.
CybrPulse tracked coverage from Bleeping Computer, HelpNet Security, Google Cloud Threat Intelligence, and multiple secondary sources. By the time SecurityWeek published attribution this morning (April 1), the malicious versions had already been removed from the registry — but not before an estimated 3% of the active userbase had pulled them.
What Defenders Need to Check Right Now
If your environment ran `npm install` with axios between March 30 and April 1:
- Check your lock file. If `package-lock.json` or `yarn.lock` shows axios 1.14.1 or 0.30.4 — or `plain-crypto-js` at any version — assume compromise.
- Rotate credentials. SSH keys, cloud provider tokens, API keys, anything stored in your dev environment or accessible from your build pipelines.
- Audit your npm tokens. Long-lived access tokens that bypass OIDC are how this happened. If your publishing workflow doesn't use short-lived OIDC tokens tied to specific workflows, that's a gap.
- Search for the C2 beacon. Network logs with requests to paths matching `/6202033` or similar numeric patterns are worth investigating.
The Bigger Pattern
This wasn't isolated. CybrPulse data shows a concentrated wave of npm and PyPI supply chain attacks over the past week:
- March 26: Ghost npm campaign using fake install messages to hide RAT payloads
- March 27: `telnyx` Python SDK on PyPI backdoored by TeamPCP — payload hidden inside WAV files via steganography
- March 31: `undicy-http` (impersonating `undici`, Node's built-in HTTP client) pushed by LofyGang with a screen-streaming RAT
- April 1: Axios, 100M weekly downloads, WAVESHAPER.V2, North Korean attribution
That's four confirmed supply chain compromises targeting developer infrastructure in six days. The timing isn't coincidental — attackers probe for weak maintainer accounts, and once one technique lands, others follow the blueprint.
The Structural Problem
The Reddit security community surfaced something accurate in the aftermath: npm's trust model still equates "published by a valid token" with "this is a legitimate release." There's no mandatory human verification gate on publishes, no multi-party signing requirement, no separation between what a CI system can publish and what a human has reviewed.
Until that changes, the attack surface is every maintainer credential in the ecosystem. There are millions of them. UNC1069 found one. So did TeamPCP. So did LofyGang.
Lock your supply chain or someone else will.
*CybrPulse ingests security news and threat intelligence continuously. Data referenced in this post reflects CybrPulse feed coverage between March 26–April 1, 2026.*