
April 1, 2026

Axios npm package compromise attributed to North Korea


At a glance: A compromised Axios maintainer account enabled attackers to publish malicious package versions containing a dependency with a post-install script that executed cross-platform malware. By abusing a long-lived npm token and trusted workflows, the attacker bypassed security controls and enabled propagation across developer and build environments.

Threat summary

On March 31, Google Threat Intelligence Group (GTIG) reported that a widely used npm package, Axios, had been compromised after a threat actor gained access to a maintainer’s account and published two malicious releases. The affected Axios versions, 1.14.1 and 0.30.4, were available for approximately three hours before npm removed them.

GTIG attributed the activity to UNC1069, a North Korea-linked threat actor, based on malware code overlap, infrastructure reuse, and alignment with previously observed tactics. UNC1069 used the compromised maintainer account to add a malicious dependency to a high-volume npm package.

The dependency included an automated post-install script, a feature in npm that allows code to run immediately when a package is installed. By embedding their code in this step, the attackers ensured execution without user interaction. Once triggered, the script downloaded and executed the attacker’s payloads. The group prepared payloads for multiple operating systems in advance and delivered them through infrastructure previously linked to its cryptocurrency-focused activity.

The modified dependency, plain-crypto-js, executed the post-install script that deployed a cross-platform remote access trojan, an updated variant of the WAVESHAPER malware family. The malware contacted a command-and-control server and retrieved operating-system-specific components for Windows, macOS, and Linux.

After execution, it attempted to remove installation artifacts and alter package metadata to reduce detection. The attacker bypassed GitHub’s trusted publishing workflow by using a long-lived npm token associated with the maintainer account, enabling direct publication without provenance checks. A benign version of plain-crypto-js had been published earlier to establish normal package history and reduce suspicion.

Analysis

Some researchers noted possible overlap between the Axios supply chain attack and the earlier Trivy compromise, as both incidents occurred during a broader wave of supply chain attacks.

The Trivy compromise was part of a separate cluster of attacks attributed to TeamPCP, an English-speaking threat group that previously infiltrated Trivy, LiteLLM, and Telnyx. It remains unclear whether the Axios attack is related to the Trivy compromise.

SANS analysts suggested that TeamPCP may be monetizing earlier access by selling it to other groups, which could explain overlapping patterns without indicating the same operator. This remains an analytical hypothesis rather than confirmed attribution.

Axios receives more than 80 million weekly downloads and is embedded across enterprise applications, cloud services, and developer tooling. The incident created a short but high-impact exposure window for organizations relying on automated builds or unpinned dependencies.

Organizations, developers, and systems that installed Axios versions 1.14.1 or 0.30.4 between 00:21 and ~03:15 UTC on March 31, 2026, are affected, as these versions contained the malicious plain-crypto-js dependency.

Affected users can mitigate the issue by taking the following steps:

  • Replace Axios versions 1.14.1 and 0.30.4 with known-good versions such as 1.14.0 or 0.30.3.
  • Review build logs, dependency manifests, and installation timestamps to determine whether the compromised versions were installed.
  • Rotate all secrets, tokens, and credentials present on systems or CI/CD pipelines that installed the affected versions.
  • Examine network telemetry for connections to the command-and-control infrastructure used by the malicious plain-crypto-js package.
  • Remove any artifacts associated with plain-crypto-js 4.2.1 and the WAVESHAPER malware variant.
  • Enforce version pinning across build and deployment pipelines to prevent automatic retrieval of newly published packages.
  • Monitor dependency provenance, including maintainer changes and unexpected metadata modifications.
  • Strengthen access controls for internal package publishing and require multifactor authentication for developer and maintainer accounts.

Supply chain intrusions targeting open-source ecosystems continue to increase because compromising a single maintainer or dependency provides access to thousands of downstream environments.

The Axios incident demonstrates how quickly malicious code can propagate through automated build systems and how difficult it is to detect tampering when attackers exploit trusted publishing channels.
