StepSecurity's AI Package Analyst and Harden-Runner detected the compromise of axios — the most downloaded npm package with 100M+ weekly downloads — in real time before any public disclosure. The malicious versions (1.14.1 and 0.30.4) contained a hidden dependency that installed a remote access trojan and phoned home to a C2 server. A state-sponsored North Korean threat actor (UNC1069/Sapphire Sleet) had compromised the maintainer's machine via social engineering, stealing npm and GitHub credentials. When StepSecurity created GitHub issues to warn the community, the attacker deleted them roughly 20 times before GitHub suspended the compromised account. The team coordinated a midnight community call that drew 200 live attendees, notified enterprise customers, and worked with npm and GitHub to remove malicious packages. The attack was subsequently attributed to North Korea by Google Threat Intelligence and Microsoft, and covered by Bloomberg, TechCrunch, and others.
Table of contents

The Alert
Verifying the Unknown
Sounding the Alarm
The Threat Actor Strikes Back
Working With the Community
The Ripple Effect
Media Coverage
A Community Confirmation
The Bigger Picture