One of the Most Impactful Open Source Supply Chain Attacks in Recent Memory
The Axios JavaScript NPM package was compromised in late March 2026 in what security researchers are calling one of the most operationally sophisticated supply chain attacks ever documented against a top-10 NPM package. Axios is the most popular JavaScript HTTP client library in existence, downloaded more than 400 million times per month on NPM, making the incident's potential blast radius extraordinarily large.
Software development security vendor StepSecurity identified and reported that two malicious versions had been published to NPM: [email protected] and [email protected]. Both versions introduced a new malicious dependency called [email protected], which impersonated the otherwise legitimate crypto-js library. Once installed, plain-crypto-js executes a script that deploys a remote-access Trojan (RAT) capable of running on Windows, Linux, and macOS. The root cause appears to be the compromise of the lead maintainer's NPM account, jasonsaayman.
How the Attack Worked
According to StepSecurity's blog post on the incident, the malware was carefully engineered to avoid detection. The dropper connects to a live command-and-control server and delivers platform-specific second-stage payloads tailored to the victim's operating system. After execution, the malware deletes itself and swaps its own package.json with a clean version, thereby frustrating forensic analysis.
What makes the campaign particularly alarming is that the malicious code does not reside inside Axios itself. As StepSecurity put it:
"There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous."
The malicious Axios versions were active for approximately three hours before NPM removed all traces of the campaign. However, one version of plain-crypto-js was publicly exposed for more than 21 hours before receiving a security hold, according to a blog post by Endor Labs. Given Axios's massive popularity and that extended window, organizations are strongly advised to check for indicators of compromise, which have been published by StepSecurity, Endor Labs, and Socket.
Feross Aboukhadijeh, CEO of Socket, told Dark Reading via email that in the JavaScript ecosystem, "this is the kind of incident where teams should drop everything and verify their dependencies immediately."
Attribution: From TeamPCP to North Korea's UNC1069
Attribution has evolved rapidly since the attack was first disclosed. Early reporting tied the activity to TeamPCP, a threat actor known for cloud-native attacks including ransomware operations. However, Google subsequently sent a statement to Dark Reading attributing the attack to UNC1069, a suspected North Korean threat actor.
John Hultquist, chief analyst at Google Threat Intelligence Group, stated in an emailed comment that while the full scope of the incident remains unclear, Google expects it to have a far-reaching impact.
StepSecurity's Ashish Kurmi offered additional context on what the RAT's behavior suggests about attacker intent. He noted that the RAT's first action is device profiling — collecting the hostname, username, operating system details, running processes, and a directory listing — before taking any other steps.
"A blunt infostealer grabs credentials and leaves; this one fingerprints the environment and waits for instructions, pointing to initial access brokerage or targeted espionage. Axios lives in developer environments holding source code, deploy keys, and cloud credentials a cryptominer has no use for, and the 18-hour pre-staging, simultaneous branch poisoning, and anti-forensics suggest an actor who has done this before."
Kurmi explained that if North Korea's involvement is confirmed, it changes the story significantly. UNC1069 is widely regarded as an arm of North Korea's Lazarus Group, primarily responsible for generating revenue for the DPRK by stealing cryptocurrency and seizing credentials that provide access to wallets or fintech infrastructure. Notably, Kurmi observed that a confirmed North Korean compromise of a top-10 NPM package "would represent DPRK's first successful compromise of a top-10 npm package."
Operational Sophistication: A New Bar for Supply Chain Attacks
The open source supply chain has weathered several notable threats in recent months, including the Shai-hulud and GlassWorm campaigns, but the Axios attack stands apart for the level of planning and precision involved. StepSecurity described the attack as follows:
- The malicious dependency was staged 18 hours in advance of the attack going live.
- Three payloads were pre-built, one for each major operating system.
- Both release branches were poisoned within 39 minutes of each other.
- Every artifact was engineered to self-destruct after execution.
- Within two seconds of npm install, the malware was already communicating with the attacker's command-and-control server — before NPM had even finished resolving dependencies.
StepSecurity labeled this "among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."
Kurmi contrasted this with typical NPM attacks, which usually depend on typosquatting. This attack, by contrast, "required compromising a real maintainer account, bypassing Axios' OIDC-based publishing pipeline, and building anti-forensics that make npm list report the wrong version post-infection." He characterized that level of capability as "operational tradecraft," not a script.
Kurmi also placed the Axios attack within a broader trend he and his team have been tracking: "We've been tracking several supply chain attacks from last year to this year — the Shai-Hulud attacks, the Nx Singularity incident, the tj-actions/changed-files compromise, the Trivy compromise, Checkmarx KICS, the LiteLLM PyPI compromise, the Canister worm, and now Axios — each one has shown a step up in operational sophistication and anti-forensic awareness."
What Defenders Should Know
From a defensive standpoint, Kurmi noted that the total number of affected installs is likely limited because the primary exposure window was only about three hours. However, any developers who installed Axios during that window would almost certainly have seen no error message, warning, or forensic trace. As Kurmi put it: "A quiet, traceless compromise of a developer's machine is a fundamentally different risk than something loud that gets patched fast."
Peyton Kennedy, security researcher at Endor Labs, agreed that the attack marks a significant escalation in sophistication compared to prior campaigns.
"Last year, Shai-hulud's worm-based propagation was novel, and we've since seen that technique replicated in CanisterWorm and other campaigns. This attack is a different kind of escalation: staged dependency seeding to evade scanners, platform-specific payload chains, and self-deleting anti-forensic cleanup. This looks like deliberate, planned tradecraft from an experienced threat actor."
Recommended Next Steps
Security teams that depend on Axios in their development pipelines should take the following actions:
- Check for indicators of compromise published by StepSecurity, Endor Labs, and Socket in their respective blog posts on the incident.
- Audit developer machines that ran
npm installduring the affected window for signs of network callbacks to unknown command-and-control infrastructure. - Review dependency lock files and verify that no versions of plain-crypto-js are present in your dependency tree.
- Rotate any secrets, deploy keys, or cloud credentials that may have been accessible in compromised developer environments.
Given the scale of Axios's adoption and the sophistication of this attack, this incident is expected to serve as a watershed moment for how the industry thinks about supply chain security in the open source JavaScript ecosystem.
Source: Dark Reading