
North Korean Hackers Breach Popular Axios NPM Package in Supply Chain Attack

North Korean hackers breach Axios library, compromising 3% of users with malware targeting multiple systems.
Content Team

North Korean hackers compromised the widely used Axios JavaScript library on March 31, 2026, publishing two malicious versions that were downloaded by roughly 3% of users before being removed three hours later. The attackers hijacked the NPM account of Axios maintainer @jasonsaayman and inserted a backdoor dependency called plain-crypto-js that deployed cross-platform malware capable of remote shell access and system reconnaissance.

With over 100 million weekly downloads, Axios is present in about 80% of cloud environments, making this breach particularly significant. The malware targeted Windows, macOS, and Linux systems and was designed to erase its tracks to avoid detection. Google attributed the attack to UNC1069, a North Korean group known for targeting cryptocurrency and DeFi platforms since 2018.

Organizations that installed the compromised versions should treat their systems as breached and immediately audit dependencies, rotate credentials, and scan for malware.
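As a starting point for the dependency audit, the following added example (not code from the article or from the Axios project) checks a parsed `package-lock.json` for the `plain-crypto-js` dependency named above, in both the v1 and v2/v3 lockfile layouts. The article does not list the affected Axios version numbers, so the check matches on the dependency name; the sample lockfiles and their version strings are constructed placeholders, and the function names are hypothetical.

```javascript
const SUSPECT = 'plain-crypto-js'; // dependency name reported in the article

// Flatten lockfile v1 nested "dependencies" into the v2/v3 "packages" shape.
function flattenV1(deps, prefix = '', out = {}) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out[path] = { version: info.version, dependencies: info.requires };
    flattenV1(info.dependencies, `${path}/`, out);
  }
  return out;
}

// Report installed copies of the suspect package and every package declaring it.
function auditLock(lock, suspect = SUSPECT) {
  const packages = lock.packages || flattenV1(lock.dependencies);
  const installed = [];
  const requiredBy = [];
  for (const [path, info] of Object.entries(packages)) {
    const name = path.split('node_modules/').pop(); // '' for the root project
    if (name === suspect) installed.push({ path, version: info.version });
    const declared = { ...info.dependencies, ...info.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(declared, suspect)) {
      requiredBy.push({ name: name || '(root)', version: info.version });
    }
  }
  return { installed, requiredBy, affected: installed.length + requiredBy.length > 0 };
}

// Constructed samples; version strings are placeholders, not real releases.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0', dependencies: { axios: '*' } },
  'node_modules/axios': { version: '0.0.0-example',
    dependencies: { 'plain-crypto-js': '*' } },
  'node_modules/plain-crypto-js': { version: '0.0.0-example' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  axios: { version: '0.0.0-example', requires: { 'plain-crypto-js': '*' },
    dependencies: { 'plain-crypto-js': { version: '0.0.0-example' } } },
} };

// Optional CLI use under CommonJS: node audit-lock.js path/to/package-lock.json
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  console.log(JSON.stringify(auditLock(lock), null, 2));
}
```

A clean result only describes the lockfile as it exists now. Lockfiles from commits and CI builds made during the three-hour window need the same check, since a later reinstall can remove the entry.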

Source: SecurityWeek
