North Korean-Linked Attack Turns Axios Into a Malware Delivery Channel

By Thomas | Published on April 2, 2026

A supply chain attack tied by multiple researchers to the North Korean-linked threat group UNC1069 briefly compromised Axios at the end of March 2026, turning one of the most widely used JavaScript libraries into a vehicle for cross-platform malware. Although the malicious versions were available for only a few hours, the scale of Axios usage and the nature of automated dependency installation mean the real impact is still unfolding.

Compromised Maintainer Account

The operation centered on the takeover of the npm account belonging to Axios’ lead maintainer. Once inside, the attacker published two backdoored versions of the package, 1.14.1 and 0.30.4, within a short time frame during the early hours of March 31. These releases bypassed the project’s normal publishing pipeline. Despite the presence of GitHub OIDC-based protections, reports indicate that a long-lived npm token was still accepted during publishing, effectively allowing the attacker to push malicious versions directly to the registry. The poisoned packages remained live for roughly three hours before being removed. During that window, estimates suggest hundreds of thousands of downloads, with some researchers placing the figure around 600,000, while others estimate a smaller percentage of the total user base.

Staging and Execution

Instead of modifying Axios itself, the attacker relied on a dependency injection technique. A package named plain-crypto-js@4.2.1 was introduced into the dependency tree, despite not being used anywhere in the codebase. This dependency had been staged in advance, with a clean version published hours earlier to establish legitimacy. The malicious version followed shortly before the Axios releases, minimizing suspicion during automated checks. Its only function was to execute a post-install script. Once triggered, that script deployed a remote access trojan across macOS, Windows, and Linux systems. Analysts consistently noted that there were no malicious code changes inside Axios itself, which made detection significantly harder.

Multi-Stage Malware

The payload delivered through the dependency functioned as a multi-stage remote access trojan. Across platforms, it enabled command execution, system reconnaissance, and data collection. Some reports also described capabilities for code injection and process enumeration. After execution, the malware attempted to erase its own footprint. It deleted installation artifacts and replaced its own package metadata with a clean version, effectively masking the compromise. This behavior made post-infection detection more difficult, as affected systems could appear normal on inspection.

Attribution and Links to Previous Campaigns

Attribution from multiple organizations, including Google Threat Intelligence Group, links the activity to UNC1069. Researchers pointed to overlaps with previously observed malware, including tools associated with earlier campaigns targeting cryptocurrency and technology sectors. UNC1069 has been described as financially motivated, with a history of using supply chain techniques to gain access to developer environments and extract credentials. Statements from analysts suggest the group has been active for several years and continues to evolve its methods.

Downstream Impact

The short exposure window does not necessarily limit the damage. Once installed, the malware was capable of accessing sensitive data, including credentials stored in development environments. Researchers warned that this could allow follow-on access to cloud services, repositories, and CI/CD systems. Another concern raised was indirect exposure. Because Axios is deeply embedded in modern software stacks, many systems may have pulled the compromised versions automatically, including through transitive dependencies or development tools such as IDE extensions.

This has led to warnings that organizations may not immediately realize they were affected, with potential breaches surfacing over time. Around the same time, a separate npm-related incident resulted in the leak of Anthropic’s Claude Code source code, highlighting the broader risks in developer supply chains.
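Because the compromised versions could arrive transitively and the only malicious behaviour lived in a post-install script, a practical first check is to walk the lockfile rather than just the top-level package.json. The following Node script is an added example, not code from the article or the Axios project: it scans a package-lock.json (lockfileVersion 2 or 3) for the versions the article names, including copies nested under other packages, and lists every entry the lockfile marks with hasInstallScript. The sample lockfile and the package name "some-sdk" are constructed for the demonstration.

```javascript
// Added example: audit an npm lockfile for the Axios/plain-crypto-js versions the
// article names and for packages that declare install scripts.

// Versions named in the article as compromised.
const BAD_VERSIONS = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Lockfile paths look like "node_modules/foo/node_modules/@scope/bar";
// the package name is whatever follows the last "node_modules/".
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk the "packages" map of a parsed lockfile (v2/v3) and report
// compromised versions anywhere in the tree plus install-script entries.
function scanLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project itself
    const name = packageName(lockPath);
    const bad = BAD_VERSIONS[name];
    if (bad && bad.has(entry.version)) {
      findings.compromised.push({ path: lockPath, name, version: entry.version });
    }
    if (entry.hasInstallScript) {
      findings.installScripts.push({ path: lockPath, name, version: entry.version });
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk.
function scanLockfilePath(filePath) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: a hypothetical "some-sdk" pulls in the bad axios transitively
// while the project's own axios copy is unaffected; plain-crypto-js has an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};
```

Run scanLockfilePath("package-lock.json") against a real project to get the same report; any hit under compromised, or an unfamiliar entry under installScripts, is a reason to rotate the credentials that were reachable from that build host.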

A Growing Pattern of Supply Chain Attacks

The Axios incident did not occur in isolation. It follows a series of recent compromises affecting developer tooling and open-source packages, including incidents involving LiteLLM and XZ Utils. Researchers increasingly describe these attacks as part of a broader shift, where threat actors focus on trusted distribution channels rather than exploiting individual vulnerabilities. In this case, the absence of malicious code in the primary package highlights how little visible change is needed to introduce risk at scale.

Conclusion

The compromise of Axios demonstrates how a single account takeover can cascade across a large portion of the software ecosystem. By combining staged dependencies, installer-based execution, and anti-forensic techniques, the attacker was able to weaponize a trusted package without altering its core code. While the malicious versions were quickly removed, the nature of the attack suggests that its consequences may continue to surface over time, particularly as affected environments uncover credential exposure and secondary compromises.
