The Attack Unfolds
The incident began when attackers compromised the npm account of Jason Saayman (jasonsaayman), the lead maintainer of Axios. Using the hijacked credentials, they published two backdoored versions: axios@1.14.1 (tagged as latest) and axios@0.30.4 (tagged as legacy). These versions were live on the npm registry for approximately three hours before being yanked.
Crucially, the attackers did not tamper with Axios's core source code. Instead, they modified the package.json file to introduce a phantom dependency: plain-crypto-js@4.2.1. This package had been published just minutes earlier by a throwaway account and had no legitimate connection to Axios. It existed solely as a dropper. When developers ran npm install, npm resolved the dependency tree and automatically installed the malicious package, triggering its postinstall script without any user interaction.
This "phantom dependency" technique is particularly insidious. Because plain-crypto-js was never imported or referenced in Axios's actual JavaScript code, static code analysis or casual reviews of the library would miss it. The attack bypassed many traditional safeguards, exploiting the trust inherent in the npm ecosystem.
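A review-time check for the pattern described above, as an added example that is not code from Axios or npm: it compares the dependencies a manifest declares with the modules the package's own sources actually load, and notes which unused ones carry an install-time script. The function names, the sample manifest, the sample sources and the `node setup.js` command string are constructed for illustration.

```javascript
// npm lifecycle hooks that run automatically during `npm install`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Collect bare package names loaded via require(), import ... from, import() or import '...'.
function importedModules(sources) {
  const found = new Set();
  const re = /(?:require\(\s*|import\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;
  for (const code of Object.values(sources)) {
    for (const m of code.matchAll(re)) {
      const spec = m[1];
      // Relative paths, absolute paths and node: built-ins are not dependencies.
      if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) continue;
      // "lodash/get" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg"
      const parts = spec.split('/');
      found.add(spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0]);
    }
  }
  return found;
}

// Declared-but-never-imported dependencies, with any install hooks they define.
function findPhantomDeps(manifest, sources, depManifests = {}) {
  const used = importedModules(sources);
  return Object.keys(manifest.dependencies || {})
    .filter((name) => !used.has(name))
    .map((name) => {
      const scripts = (depManifests[name] || {}).scripts || {};
      return { name, range: manifest.dependencies[name],
               installScripts: LIFECYCLE.filter((s) => s in scripts) };
    });
}

// Constructed sample, not the published package.json or source tree.
const sampleManifest = { name: 'axios', dependencies: {
  'follow-redirects': '^1.15.6', 'form-data': '^4.0.0', 'plain-crypto-js': '4.2.1' } };
const sampleSources = {
  'lib/adapters/http.js': "import followRedirects from 'follow-redirects';\nimport './helpers.js';",
  'lib/platform/node.js': "const FormData = require('form-data');",
};
const sampleDepManifests = {
  'plain-crypto-js': { scripts: { postinstall: 'node setup.js' } },
  'form-data': { scripts: { test: 'mocha' } },
};
console.log(findPhantomDeps(sampleManifest, sampleSources, sampleDepManifests));
```

A hit is a prompt for review rather than a verdict: dynamic requires are missed, and some legitimate dependencies are loaded only by tooling.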
Technical Breakdown of the Malware
Once installed, plain-crypto-js@4.2.1 executed an obfuscated JavaScript dropper (setup.js). This script performed reconnaissance on the victim's operating system—targeting Windows, macOS, and Linux—and downloaded platform-specific payloads from attacker-controlled infrastructure.
The final payload was identified as WAVESHAPER.V2, an updated version of a backdoor previously linked to North Korea-nexus threat actors (specifically groups like UNC1069 or NICKEL GLADSTONE). Capabilities included:
- System reconnaissance: Collecting hostname, username, IP addresses, installed software, and environment details.
- Data exfiltration: Harvesting sensitive files, credentials, browser data, and SSH keys.
- Persistence mechanisms: Establishing footholds through cron jobs, registry modifications, or launch agents.
- Command execution: Full remote access for arbitrary commands, enabling further payload delivery or lateral movement.
The malware included anti-analysis and cleanup routines to erase forensic traces, making detection challenging for unprepared teams. Its cross-platform nature maximized impact across developer workstations, CI/CD pipelines, production servers, and even containerized environments.
Scope and Impact
Axios's popularity amplified the damage. As a direct or transitive dependency in countless projects—ranging from frontend frameworks like React and Vue to backend services and DevOps tools—the attack potentially affected millions of installations. Security firms reported detections on hundreds of systems within hours, with widespread impact in enterprises, open-source projects, and cryptocurrency-related infrastructure.
Notable consequences included:
- Developer workstations: Compromised local machines could lead to credential theft and further supply chain poisoning.
- CI/CD pipelines: Build servers running npm install became vectors for persistent access into corporate networks.
- Production applications: Deployed services pulling the malicious version risked runtime compromise.
- Broader ecosystem: Tools like Trivy (vulnerability scanner) and other popular packages that depend on Axios were indirectly affected.
CISA issued an alert emphasizing the need for full incident response rather than simple patching, treating any system that installed the malicious versions as compromised.
Attribution and Motivations
Threat intelligence attributes the attack to a financially motivated North Korea-linked group. The use of WAVESHAPER.V2 and overlapping infrastructure with prior campaigns point to actors seeking revenue for the regime through cryptocurrency theft, data sales, or ransomware. Supply chain attacks like this offer high return on low effort: one compromised popular package can yield thousands of footholds.
This incident highlights how state-sponsored actors are increasingly targeting open-source ecosystems, which power much of the global software supply chain.
How the Account Was Compromised
Details remain partially under wraps, but reports indicate the maintainer’s npm account was taken over, possibly via phishing, credential stuffing, or malware on a personal device. The attacker changed the registered email to a ProtonMail address (ifstap@proton.me) and published directly via the npm CLI, bypassing some two-factor protections or Trusted Publishing mechanisms.
This underscores a painful reality: even vigilant maintainers with strong security postures can fall victim, especially if personal accounts or recovery mechanisms are weak.
Response and Remediation
The Axios team acted swiftly. Malicious versions were unpublished, a GitHub security advisory was issued, and a post-mortem detailed the incident. Users were urged to:
- Audit package-lock.json and yarn.lock files for axios@1.14.1 or axios@0.30.4.
- Regenerate secrets, rotate credentials, and scan for RAT artifacts.
- Rebuild environments from clean sources.
- Use tools like Socket, StepSecurity, or Dependabot for ongoing supply chain monitoring.
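The lockfile audit from the first step, as an added example that is not part of the Axios advisory: it scans package-lock.json text (v1 tree and v2/v3 flat layouts) and yarn.lock text for the versions named in this article, including the plain-crypto-js@4.2.1 dropper, and reports where each was resolved. Function names and the sample lockfile are constructed; lockfile contents are passed in as strings.

```javascript
// Versions are the ones this article names; the sample lockfile is constructed.
const BAD = { axios: ['1.14.1', '0.30.4'], 'plain-crypto-js': ['4.2.1'] };
const isBad = (name, version) => (BAD[name] || []).includes(version);

// package-lock.json: v2/v3 keep a flat "packages" map keyed by install path
// ("node_modules/a/node_modules/axios"); v1 keeps a nested "dependencies" tree.
function auditPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop();
      if (isBad(name, meta.version)) hits.push({ name, version: meta.version, where: path });
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = [...trail, name].join(' > ');
      if (isBad(name, meta.version)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// yarn.lock (classic and berry): unindented "spec[, spec]:" header, then an indented version line.
function auditYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    const ver = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (/^[^\s#].*:$/.test(line)) {
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      const at = spec.indexOf('@', 1); // skip the leading "@" of a scoped name
      name = at > 0 ? spec.slice(0, at) : spec;
    } else if (ver && name && isBad(name, ver[1])) {
      hits.push({ name, version: ver[1], where: 'yarn.lock' });
    }
  }
  return hits;
}

// Constructed sample: axios arrives transitively and pulls in the dropper.
const sampleLock = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '4.2.1' },
  'node_modules/left-pad': { version: '1.3.0' } } });
console.log(auditPackageLock(sampleLock));
```

Because transitive installs are covered, a hit can appear even when the project's own package.json never mentions axios.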
npm and the open-source community responded by tightening account security requirements and improving dependency auditing.
Lessons for the Ecosystem
This attack exposes systemic vulnerabilities in npm:
- Maintainer account security: Single points of failure in popular projects.
- Dependency resolution: Automatic installation of transitive dependencies without sufficient scrutiny.
- Phantom packages: Malicious additions that evade code review.
- Speed of propagation: Millions of downloads per week mean attacks spread like wildfire.
Best practices emerging include:
- Lockfiles and reproducibility: Always commit package-lock.json and verify hashes.
- SBOMs (Software Bill of Materials): Track every dependency.
- Automated scanning: Tools that detect malicious behavior in postinstall scripts.
- Least privilege: Run npm install in isolated environments.
- Multi-factor and hardware keys: For all package maintainers.
- Trusted Publishing: Shift toward GitHub Actions-based publishing to reduce credential risks.
Organizations should adopt an "assume breach" mindset for dependencies and invest in runtime monitoring for anomalous network connections from Node.js processes.
The Bigger Picture
Supply chain attacks are not new—recall events like SolarWinds, Log4Shell, or previous npm incidents (e.g., ua-parser-js). But the Axios compromise stands out due to the library’s sheer popularity and the sophistication of the cross-platform RAT. It serves as a wake-up call that open-source sustainability depends on better security funding, automated guardrails, and community vigilance.
As developers, we must balance velocity with verification. Tools like npm audit, Socket.dev, and GitHub’s dependency graph help, but human oversight and zero-trust principles remain essential.
In the aftermath, Axios maintainers and the broader JavaScript community are strengthening defenses. Versions were rolled back, and enhanced security measures are being discussed. Yet the incident reminds us: in a world of interconnected software, securing the supply chain is everyone’s responsibility.
The Axios attack of March 2026 will likely be studied for years as a textbook case of modern software supply chain risks. It demonstrates both the fragility and the resilience of open source—fragile because one compromised credential can ripple across the internet, resilient because rapid community response limited the long-term damage.
For developers and security teams, the message is clear: update your dependencies with caution, monitor your supply chain proactively, and never take popular packages for granted. The next attack is already in progress somewhere in the ecosystem.


