
Axios NPM Package Compromised in Precision Attack

Why This Matters

The compromise of the widely-used Axios NPM package highlights the ongoing risks in open source supply chain security, emphasizing the need for vigilant monitoring and rapid response. This incident underscores how malicious actors can exploit popular libraries to deploy malware across countless systems, posing significant threats to developers and organizations alike.

Key Takeaways

The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months.

Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: [email protected] and [email protected].

As StepSecurity explained in its blog post on the incident, these malicious versions include a new malicious dependency named "[email protected]." Apparently impersonating the otherwise legitimate crypto-js library, plain-crypto-js executes a script that installs a remote-access Trojan (RAT) capable of functioning across Windows, Linux, and Mac. The attack apparently began because the lead maintainer's account, "jasonsaayman," was compromised.


"The dropper contacts a live command-and-control server and delivers platform-specific, second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection," StepSecurity's blog read. "There are zero lines of malicious code inside axios itself, and that's exactly what makes this attack so dangerous."

The packages were active for a few hours (around three hours for both Axios versions) before NPM fully removed all traces of the campaign. Because Axios is so popular, and because the malicious versions were up for a decent chunk of time (one version of plain-crypto-js was publicly exposed for more than 21 hours before receiving a security hold, according to an Endor Labs blog), organizations should check for indicators of compromise (available in the StepSecurity, Endor Labs, and Socket blog posts).

Feross Aboukhadijeh, CEO of Socket, tells Dark Reading in an email that in the JavaScript ecosystem, "this is the kind of incident where teams should drop everything and verify their dependencies immediately."
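One concrete way to act on that advice, as an added example that is not from the article or any of the vendors it cites: a Node script that scans a package-lock.json for the malicious dependency name the article reports (plain-crypto-js) and shows which installed package declared it. The lockfile below is constructed for the demonstration and its version strings are placeholders, not the real compromised versions.

```javascript
// Dependency names the article reports as malicious in the Axios incident.
const SUSPECT_PACKAGES = new Set(["plain-crypto-js"]);

// Constructed sample lockfile (v3 shape) for demonstration only; the version
// strings are placeholders, not the real compromised versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "0.0.0-placeholder" } },
    "node_modules/axios": { version: "0.0.0-placeholder", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// Package name from a lockfile v2/v3 path such as
// "node_modules/axios/node_modules/plain-crypto-js" (scoped names keep their "@scope/").
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Report every installed suspect package and, for v2/v3 lockfiles, every package that
// declares one as a dependency (which shows what pulled it in, e.g. a bad axios release).
function findSuspectPackages(lock, suspects = SUSPECT_PACKAGES) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const name = entry.name || nameFromPath(path);
      if (suspects.has(name)) hits.push({ kind: "installed", name, version: entry.version, path });
      for (const dep of Object.keys(entry.dependencies || {})) {
        if (suspects.has(dep)) hits.push({ kind: "declared", name: dep, declaredBy: name, path });
      }
    }
    return hits;
  }
  // lockfileVersion 1: installed packages live in a nested "dependencies" tree
  const walk = (deps, parent) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${parent}node_modules/${name}`;
      if (suspects.has(name)) hits.push({ kind: "installed", name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}
console.log(findSuspectPackages(SAMPLE_LOCK)); // two hits: declared by axios, and installed
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findSuspectPackages`; a non-empty result means the install tree contains the reported dependency and the machine should be treated as exposed until the vendors' indicators have been checked.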

What Do the Axios Attackers Want?

Attribution has been a dynamic topic, to say the least. Early reports tied activity to TeamPCP, a threat actor known for conducting cloud-native threat activity, including ransomware attacks. However, today Google sent a statement to Dark Reading attributing the attack to suspected North Korean threat actor UNC1069.

Google Threat Intelligence Group chief analyst John Hultquist writes in an emailed statement that while the full breadth of the incident remains unclear, Google expects it to have a far-reaching impact. It's worth noting that North Korea has done this kind of thing before.
