Google Threat Intelligence Group has formally attributed the March 31, 2026 Axios npm supply chain attack to UNC1069 — a financially motivated North Korean state-linked threat actor active since at least 2018. The attack compromised the npm account of Axios maintainer Jason Saayman, published two backdoored versions of the world's most popular JavaScript HTTP client library, and deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems — all within a three-hour window before the malicious packages were removed. Axios has over 183 million combined weekly downloads and is present in approximately 80% of cloud and code environments. StepSecurity called this "among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package." This is a critical cybersecurity incident with far-reaching implications for every developer, organisation, and CI/CD pipeline that ran npm install during the compromise window.
Affected products
- axios 1.14.1 — malicious, published 00:21 UTC March 31, 2026
- axios 0.30.4 — malicious, published 01:00 UTC March 31, 2026
How to Fix
Step-by-step remediation
The first step is determining whether your environment was exposed. Check your npm lock file or package tree for axios versions 1.14.1 or 0.30.4. Search your node_modules directory for plain-crypto-js — its presence confirms exposure. Check for RAT artifacts at the platform-specific paths listed in the fix guide above.
If any artifact is found, do not attempt to clean the system in place. Isolate it immediately and treat every credential that was ever accessible from that machine as compromised. Rotate all API keys, tokens, GitHub credentials, SSH keys, database passwords, and cloud provider credentials without exception. Rebuild the environment from a clean state.
For CI/CD pipelines, audit every run during the 00:21 to 03:29 UTC window on March 31. If any pipeline executed npm install during that window, treat the runner as compromised and rotate all secrets it had access to — including deployment keys, repository tokens, and any secrets injected as environment variables during that run.
Going forward, pin your Axios version explicitly in package-lock.json, consider using --ignore-scripts in CI environments to prevent postinstall hooks from executing automatically, and delay updating to fresh npm releases by 24-48 hours to allow community scanning to detect malicious packages before they reach your environment.
What happened
The attack unfolded in carefully staged steps that demonstrate the sophisticated information security threat posed by North Korean supply chain operations. On March 30, 2026, the attacker first published a clean-looking package called plain-crypto-js@4.2.0 to npm — a trojanised copy of the legitimate crypto-js JavaScript library designed to appear legitimate to automated scanning tools. The following day at 23:59 UTC, they published plain-crypto-js@4.2.1 — the same package but now containing a postinstall hook that executes automatically on every npm install without any user interaction. Then in the early hours of March 31, the attacker used a compromised long-lived access token from the Axios maintainer account to publish two backdoored Axios versions — 1.14.1 at 00:21 UTC and 0.30.4 at 01:00 UTC — each injecting plain-crypto-js as a new runtime dependency. The digital security deception was precise: there are zero lines of malicious code inside the Axios package itself. The malicious code lives entirely in the injected dependency, making detection by npm audit and standard security scanners extremely difficult. When a developer ran npm install axios during the three-hour window, npm automatically executed the postinstall hook in plain-crypto-js, which triggered the SILKBELL dropper — an obfuscated JavaScript file called setup.js — which then detected the victim's operating system and fetched the appropriate WAVESHAPER.V2 backdoor variant from the C2 server at sfrclak[.]com.
Real-World Impact
The internet security and data security implications of this attack are severe and the full scope is still being determined. During the three-hour compromise window, approximately 3% of the Axios userbase installed the malicious versions — a number that sounds small but translates to millions of installation events given Axios's scale. The attack affects not just developers who directly depend on Axios but every project that uses Axios as a transitive dependency — which Wiz estimates includes approximately 80% of all cloud and code environments. This means the malicious package could have been installed in CI/CD pipelines, Docker builds, cloud environments, and automated dependency update systems without any human developer explicitly choosing to install it. UNC1069's primary objective based on GTIG analysis is cryptocurrency theft — the group has historically targeted crypto exchanges, DeFi platforms, and software developers with access to cryptocurrency-related infrastructure. Mandiant CTO Charles Carmakal warned that the hundreds of thousands of stolen secrets potentially circulating from this and related recent supply chain attacks "will enable more software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months." This attack also coincides with a separate supply chain campaign by UNC6780 — also known as TeamPCP — which poisoned GitHub Actions and PyPI packages from projects including Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer.
🛡️ Prevention Tips
This attack represents the highest expression of computer security risk in the modern software supply chain — a trusted, widely used package poisoned at the source through credential compromise, delivering malware that self-destructs to evade detection. The lesson for every development team is that transitive dependency security is not optional. You cannot audit only your direct dependencies — you must understand and monitor the full dependency tree. Practical infosec controls that would have limited the impact include pinning all dependency versions in lockfiles rather than using caret or tilde ranges that allow automatic minor version upgrades, running npm install with --ignore-scripts in production and CI environments to block postinstall hooks, implementing network egress filtering on CI/CD environments to prevent outbound connections to unknown domains, and using software composition analysis tools that monitor dependency trees for newly introduced packages. The use of a long-lived npm access token to compromise the maintainer account is a separate failure — npm and GitHub have been pushing short-lived token adoption for exactly this reason. If you are a package maintainer, audit your token exposure now.
FAQs
How do I check if my project installed the malicious Axios version?
Run npm list axios in your project directory. If you see version 1.14.1 or 0.30.4 in the output, you installed the malicious version. Also check for plain-crypto-js in your node_modules directory: run ls node_modules | grep plain-crypto-js. If it exists, your environment was exposed even if npm list no longer shows the malicious Axios version, because the dropper performs cleanup after execution.
The malicious versions were removed within 3 hours — does that mean I'm safe if I didn't install during that window?
If you did not run npm install, npm ci, yarn install, or any equivalent package resolution command between 00:21 and 03:29 UTC on March 31, 2026, you were not directly exposed by this specific attack. However, check your npm cache and any Docker layer cache that may have pulled packages during this window, as cached versions may persist beyond the removal from the npm registry.
I use axios as a transitive dependency — does that count?
Yes. If any of your direct dependencies use axios and resolved to 1.14.1 or 0.30.4 during the window — even without you explicitly running npm install axios — your environment may have been exposed. Run npm list axios to check the version across your entire dependency tree.
Last updated: April 1, 2026