Axios npm package compromised in North Korea-linked supply chain attack


Supply Chain Attack Rocks Popular Axios NPM Library, Blamed on North Korean Hackers

On March 31, 2026, just after midnight, two backdoored versions of the highly popular Axios NPM library were published to the NPM registry.

The Malicious Versions

These malicious versions, namely 1.14.1 and 0.30.4, were designed to automatically execute a payload across Windows, macOS, and Linux systems, without user interaction.

The nefarious package versions were removed from the registry roughly three hours later, but not before they had been downloaded by millions of users.

The Backdoor Dependency

The backdoored versions contained a phantom dependency that had been published to the registry 18 hours before the attack.

Named [protected], the dependency is never imported anywhere by the Axios code.

Its sole purpose is to execute a post-install script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux.

The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads.

The Dropped Payloads

The dropped payloads, containing similar functionality across operating systems, enable remote shell execution, code injection, directory and process enumeration, and system reconnaissance.

After execution, the malware attempts to remove installation artifacts and replace its own package metadata with a clean version to evade forensic detection.

The Attribution

According to security researchers, the attack was mounted by North Korean hackers, who compromised the NPM account of @jasonsaayman, the primary maintainer of Axios.

The attackers changed the address associated with the account and used a long-lived access token to publish the backdoored versions directly through the NPM CLI, bypassing the project's GitHub Actions OIDC-based CI/CD publishing workflow.

“We are already seeing active exploitation. Any environment that installed [protected] or [protected] should be treated as compromised. Organizations must immediately audit their dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation, and scan for malware artifacts specific to each operating system,”

— John Hammond, Senior Principal Security Researcher at Huntress

The Impact

Impacted users are advised to immediately remove the malicious packages from their systems, to hunt for signs of infection, and to audit their dependency trees for potential downstream impact.
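For the dependency audit described above, an added example (not the article's or the Axios project's own code) that scans an npm lockfile for the two compromised versions and for dependencies declared under an Axios entry that Axios does not normally have. It assumes Axios 1.x declares only follow-redirects, form-data and proxy-from-env, uses a placeholder in place of the phantom dependency's name, and reads the lockfile rather than node_modules because, as noted above, the malware rewrites its own installed package metadata.

```javascript
// Added example (not from the article): scan an npm lockfile for the compromised
// Axios releases and for dependencies declared under an Axios entry that Axios
// does not normally have. Assumption: Axios 1.x declares only the three below.
const BAD_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const EXPECTED_AXIOS_DEPS = new Set(['follow-redirects', 'form-data', 'proxy-from-env']);

// Yield {path, name, version, deps} for every installed package, handling both
// the v2/v3 "packages" map (keys are node_modules paths) and the v1 tree.
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project, not a dependency
      const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      yield { path, name, version: meta.version, deps: Object.keys(meta.dependencies || {}) };
    }
    return;
  }
  const walk = function* (tree, prefix) {
    for (const [name, meta] of Object.entries(tree || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: meta.version, deps: Object.keys(meta.requires || {}) };
      yield* walk(meta.dependencies, `${path}/`); // v1 nests transitive copies here
    }
  };
  yield* walk(lock.dependencies, '');
}

// One finding per compromised Axios version or unexpected Axios dependency.
function scanLockfile(lock) {
  const findings = [];
  for (const e of lockfileEntries(lock)) {
    if (e.name !== 'axios') continue;
    if (BAD_AXIOS_VERSIONS.has(e.version)) findings.push({ path: e.path, issue: `compromised axios version ${e.version}` });
    for (const d of e.deps) {
      if (!EXPECTED_AXIOS_DEPS.has(d)) findings.push({ path: e.path, issue: `unexpected dependency "${d}" declared by axios` });
    }
  }
  return findings;
}

// Constructed sample (v3 shape): a clean top-level axios plus a nested copy pinned to a
// compromised version that also declares a placeholder standing in for the phantom dependency.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', dependencies: { axios: '^1.14.0' } },
  'node_modules/axios': { version: '1.14.0', dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'proxy-from-env': '^1.1.0' } },
  'node_modules/some-lib/node_modules/axios': { version: '1.14.1', dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'proxy-from-env': '^1.1.0', 'placeholder-phantom-dependency': '*' } },
} };

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To check a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; a hit on a nested copy of axios, as in the sample, is exactly the transitive exposure the article asks teams to audit for.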
