North Korean hackers (tracked as UNC1069 by Google's Threat Intelligence Group) hijacked the npm account of the primary axios maintainer and published two malicious versions of the widely used JavaScript HTTP client library. The attack introduced a hidden dependency (plain-crypto-js) that installed a remote access trojan targeting macOS, Windows, and Linux. The RAT could run arbitrary commands, exfiltrate data, establish persistence, and self-delete to avoid detection. With axios downloaded over 100 million times weekly and used as a transitive dependency in thousands of packages, the blast radius is significant. Security researchers describe the attack as highly sophisticated: payloads were pre-built 18 hours in advance, both release branches were poisoned within 39 minutes, and the malware contacted its C2 server within two seconds of `npm install`. The incident highlights that package popularity is not a proxy for trustworthiness and underscores the need for deeper software supply chain security controls.
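One concrete control this incident argues for is auditing the lockfile for dependency names that should never appear, and reporting which package introduced them. The following is an added example (not code from the article or the axios project); it walks an npm `package-lock.json` v2/v3 `packages` map against a watchlist, using a constructed lockfile and placeholder versions, since the article does not name the poisoned axios version numbers.

```javascript
// Constructed sample lockfile: axios (placeholder version) declares
// plain-crypto-js as a dependency, the pattern described in the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "x.y.z", express: "4.19.2" } },
    "node_modules/axios": { version: "x.y.z", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0" },
    "node_modules/express": { version: "4.19.2" },
  },
};

// Package names that should never be present in a build; extend from your own
// intelligence feed. plain-crypto-js is the name reported in this incident.
const WATCHLIST = new Set(["plain-crypto-js"]);

// Derive the package name from a lockfile path. Handles nested installs
// ("node_modules/a/node_modules/b" -> "b") and scoped packages ("@scope/pkg").
function nameOf(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Scan every installed package entry; for each watchlisted name found, list the
// packages whose "dependencies" map pulled it in, so the entry point is visible.
function auditLock(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not an installed package
    const name = nameOf(path);
    if (!WATCHLIST.has(name)) continue;
    const introducedBy = Object.entries(packages)
      .filter(([, e]) => e.dependencies && name in e.dependencies)
      .map(([p]) => (p === "" ? "(root package.json)" : nameOf(p)));
    findings.push({ name, version: entry.version, introducedBy });
  }
  return findings;
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result in CI is a reason to fail the build before `npm install` executes any lifecycle scripts.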

5 min read. From devops.com
Table of contents of the source article:
- Broad Blast Radius
- A Sophisticated Attack
- Pre-Built Payloads
- GTIG Points to North Korean Actor
- Popular Doesn't Mean Trustworthy