StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios, the largest npm supply chain attack on a single package by download count, before any public disclosure existed. What followed was a race against a state-sponsored threat actor who actively deleted GitHub issues to suppress the warning, a decision to host a community call at midnight that drew 200 attendees, and coverage from Bloomberg to Andrej Karpathy

StepSecurity

StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios — the most downloaded npm package with 100M+ weekly downloads — in real time before any public disclosure. The malicious versions (1.14.1 and 0.30.4) contained a hidden dependency that installed a remote access trojan and phoned home to a C2 server. A state-sponsored North Korean threat actor (UNC1069/Sapphire Sleet) had compromised the maintainer's machine via social engineering, stealing npm and GitHub credentials. When StepSecurity created GitHub issues to warn the community, the attacker deleted them roughly 20 times before GitHub suspended the compromised account. The team coordinated a midnight community call that drew 200 live attendees, notified enterprise customers, and worked with npm and GitHub to remove malicious packages. The attack was subsequently attributed to North Korea by Google Threat Intelligence and Microsoft, and covered by Bloomberg, TechCrunch, and others.

Behind the Scenes: How StepSecurity Detected and Helped Remediate the Largest npm Supply Chain Attack