Axios NPM Package Breached in North Korean Supply Chain Attack Affecting Millions

CSBadmin

Backdoored versions of the Axios JavaScript library, downloaded by roughly 3% of its 100M weekly userbase, deployed cross-platform RATs via a phantom dependency.

Malicious versions of the highly popular Axios NPM library were distributed to millions in a supply chain attack attributed to North Korean hackers tracked as UNC1069. On March 31, 2026, two backdoored versions (1.14.1 and 0.30.4) were published to the NPM registry and downloaded by roughly 3% of the Axios userbase before being removed three hours later. Axios is the most popular JavaScript HTTP client, with over 100 million weekly downloads, present in approximately 80% of cloud and code environments.

The attackers compromised the NPM account of @jasonsaayman, the primary maintainer, and used a long-lived access token to publish the backdoor versions directly via the NPM CLI. A phantom dependency named plain-crypto-js was published 18 hours before the attack to establish publishing history. Its sole purpose was to execute a post-install script acting as a cross-platform remote access trojan (RAT) dropper targeting macOS, Windows, and Linux, contacting a live C2 server to deliver platform-specific second-stage payloads enabling remote shell execution, code injection, and system reconnaissance.

Google Threat Intelligence confirmed attribution to UNC1069, a financially motivated North Korean threat actor active since at least 2018 known for targeting cryptocurrency and decentralized finance verticals. The macOS binary used in the attack overlaps with WaveShaper, previously attributed to the same group. After execution, the malware removes installation artifacts and replaces its own package metadata with a clean version to evade forensic detection.

Organizations should immediately audit dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation, and scan for malware artifacts. The attack’s downstream impact is expected to be broad, as the malicious code was likely pulled through automated build pipelines and IDE extensions even in environments using pinned versions and lockfiles.


Source: SecurityWeek — Axios NPM Package Breached in North Korean Supply Chain Attack Affecti
