Threats & Attacks

North Korean Hackers Hijacked Axios Package for 100 Million Users

April 22, 2026

North Korean state hackers compromised the Axios npm package on 31 March 2026, inserting a cross-platform remote access trojan into one of JavaScript’s most widely used HTTP clients. The attack window lasted under three hours, but Axios receives 100 million weekly downloads, so even that short exposure window was large enough to reach systems across the globe.

CISA confirmed the compromise in an advisory published 20 April, describing the incident as a supply chain attack that “downloads multi-stage payloads from cyber threat actor infrastructure including a remote access trojan.” The agency urges organisations to assume compromise if they installed the affected versions: axios@1.14.1 and axios@0.30.4.

The Attribution Is Not Premature This Time

Microsoft Threat Intelligence and Google’s Threat Intelligence Group both attributed the attack to North Korean state actors. Microsoft tracks the group as Sapphire Sleet, Google as UNC1069. Both assessments link the operation to the broader BlueNoroff cluster, itself a financially focused unit within the Lazarus Group.

The attribution rests on infrastructure analysis, not timing speculation. Microsoft confirmed that “the account that created the plain-crypto-js package is associated with Sapphire Sleet infrastructure.” Google’s assessment references the deployment of WAVESHAPER.V2, an updated version of a backdoor this actor has used in cryptocurrency theft campaigns since 2020.

The social engineering method also fits the group’s established pattern. Axios maintainer Jason Saayman described a multi-stage operation involving impersonated company founders, fabricated Slack workspaces and Microsoft Teams meetings with multiple apparent participants. This mirrors tactics Google documented in previous UNC1069 campaigns targeting cryptocurrency firms.

How 39 Minutes Became a Global Incident

The attackers compromised Saayman’s npm account and changed the registered email to an attacker-controlled ProtonMail address. They bypassed Axios’s normal GitHub Actions release pipeline entirely, publishing directly to npm using the hijacked credentials.

The operation was staged 18 hours in advance. On 30 March at 05:57 UTC, a clean version of “plain-crypto-js@4.2.0” appeared on npm to establish registry history. At 23:59 UTC, version 4.2.1 went live with the malicious payload. Two Axios releases followed within 39 minutes: axios@1.14.1 at 00:21 UTC and axios@0.30.4 at 01:00 UTC, both injecting plain-crypto-js@4.2.1 as a runtime dependency.

When developers ran npm install, the package manager resolved the dependency tree, pulled the malicious package and executed its postinstall script automatically. No user interaction was required. The script detected the operating system and downloaded platform-specific RAT payloads from sfrclak.com:8000, one each for Windows, macOS and Linux.

The malware then deleted itself and replaced its package.json with a clean version to evade forensic analysis. StepSecurity’s automated monitoring detected the compromise within hours, but the attacker spent those hours deleting GitHub issues that flagged the problem, making approximately 20 deletion attempts with the compromised maintainer account.

Check Your Systems Today

CISA’s guidance is direct. Downgrade to axios@1.14.0 or axios@0.30.3, delete the node_modules/plain-crypto-js directory and rotate all credentials that may have been exposed. For CI/CD pipelines that ran between 00:21 and 03:15 UTC on 31 March, assume compromise.

The window matters because build systems often hold high-value secrets such as npm tokens, SSH keys, cloud credentials and API keys. Microsoft recommends blocking outbound connections to sfrclak.com and conducting endpoint detection hunts for the IOCs published by security firms.

Organizations should also review their npm security configuration. CISA recommends setting ignore-scripts=true in .npmrc files to prevent automatic execution of package scripts and min-release-age=7 to avoid installing packages that have not been publicly vetted for at least seven days.
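The two checks described above, the remediation triage (affected Axios versions and the injected plain-crypto-js dependency) and the .npmrc hardening, as an added example that is not code from the original post, from CISA, Microsoft or the Axios project. It reads a parsed package-lock.json and a .npmrc; the sample lockfile and the follow-redirects version in it are constructed, and the `hasInstallScript` flag it inspects is the field npm writes into lockfileVersion 2/3 entries for packages that declare preinstall/install/postinstall scripts, the hook the malicious package used.

```javascript
// Added example (not from the original post, CISA, Microsoft or the Axios project).
// Triage a lockfile against the indicators named in the article and check a
// .npmrc for the two settings CISA recommends. Run with: node triage.js

// Compromised axios versions from the advisory -> last clean release to downgrade to.
const COMPROMISED_AXIOS = { "1.14.1": "1.14.0", "0.30.4": "0.30.3" };
const MALICIOUS_DEP = "plain-crypto-js";

// The package name is the part of the lockfile key after the last "node_modules/";
// this handles nested installs ("node_modules/a/node_modules/axios") and
// scoped packages ("node_modules/@scope/pkg").
function packageName(lockKey) {
  return lockKey.split("node_modules/").pop();
}

// Walk the `packages` map of a lockfileVersion 2/3 package-lock.json object.
function assessLockfile(lock) {
  const findings = { axios: [], maliciousDep: [], installScripts: [], compromised: false };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageName(key);
    const version = meta.version;
    if (name === "axios" && COMPROMISED_AXIOS[version]) {
      findings.axios.push({ key, version, downgradeTo: COMPROMISED_AXIOS[version] });
    }
    if (name === MALICIOUS_DEP) {
      findings.maliciousDep.push({ key, version }); // any version is a hit
    }
    if (meta.hasInstallScript === true) {
      findings.installScripts.push(key); // packages that run code on npm install
    }
  }
  findings.compromised = findings.axios.length > 0 || findings.maliciousDep.length > 0;
  return findings;
}

// Minimal .npmrc parser: ini-style key=value lines, '#' or ';' comment lines.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === "#" || line[0] === ";") continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// True/false for each of the two settings CISA recommends.
function assessNpmrc(text) {
  const cfg = parseNpmrc(text);
  const minAge = Number.parseInt(cfg["min-release-age"], 10); // NaN if absent
  return {
    ignoreScripts: cfg["ignore-scripts"] === "true",
    minReleaseAgeOk: Number.isInteger(minAge) && minAge >= 7,
  };
}

// The hardened .npmrc described in the article.
const HARDENED_NPMRC = "ignore-scripts=true\nmin-release-age=7\n";

// Constructed sample lockfile (not a real project): a project that resolved the
// compromised axios release, which pulled in plain-crypto-js with its postinstall.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.0" }, // constructed version
  },
};

console.log(JSON.stringify(assessLockfile(SAMPLE_LOCK), null, 2));
console.log(assessNpmrc(HARDENED_NPMRC));
console.log(assessNpmrc("registry=https://registry.npmjs.org/\n")); // both false
```

Two caveats when using this. A clean lockfile only tells you what the repository pins today; whether a CI runner actually installed the compromised release during the window is a question for the runner's logs, which is why CISA says to assume compromise for pipelines that ran between 00:21 and 03:15 UTC. And `ignore-scripts=true` is global: packages that legitimately need an install script (native builds, for instance) stop working silently, so the `installScripts` list above is also the list of packages you will have to handle explicitly after turning the setting on.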

This was not opportunistic. Three separate payloads were pre-built for three operating systems. Both release branches were compromised within 39 minutes. The forensic evidence was designed to self-destruct. Supply chain attacks of this sophistication require the resources and patience of state actors and North Korea’s track record in this space is well-established.

References

  1. CISA Alert: Supply Chain Compromise Impacts Axios Node Package Manager
  2. Microsoft: Mitigating the Axios npm supply chain compromise
  3. Google: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package
  4. StepSecurity: Axios Compromised on npm
  5. Axios Post Mortem: GitHub Issue #10636
