Signal
North Korean hackers compromise Axios npm package in supply chain attack
Published 2026-03-31 20:30 UTC
Updated 2026-04-01 21:00 UTC
Tags: cve, exploits, malware, threat_actors, security_tooling, incident_response
Overview
On March 31, 2026, North Korean threat actors linked to the UNC1069 cluster compromised the popular Axios npm package by publishing two backdoored versions containing injected malicious code.
Entities: Google, Microsoft, Palo Alto Networks, Axios, GitHub Actions, John Hultquist
Score total: 1.89
Momentum 24h: 8
Posts: 8
Origins: 8
Source types: 1
Duplicate ratio: 0%
Why now
- The attack was discovered and publicly disclosed on March 31, 2026, with active malicious package versions in circulation.
- The Axios package is widely used with over 70 million weekly downloads, increasing potential impact.
- Security advisories and mitigation guidance have been issued by major vendors including Microsoft and Google.
Why it matters
- Supply chain attacks on popular open-source packages can impact millions of downstream users.
- Compromise of trusted software libraries enables stealthy deployment of malware across diverse platforms.
- Attribution to state-sponsored North Korean actors underscores geopolitical cyber threats.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
- North Korean hackers linked to the Axios npm supply chain compromise
- Attackers used a long-lived npm access token to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and publish backdoored Axios package versions
- Malicious Axios versions contained a post-install script that deployed a remote access trojan targeting multiple operating systems
How sources frame it
- Google Threat Intelligence Group: neutral
- Microsoft Threat Intelligence: neutral
- Palo Alto Networks Unit 42: neutral
All evidence
Mitigating the Axios npm supply chain compromise
Microsoft Security Blog · microsoft.com · 2026-04-01 21:00 UTC
Threat Brief: Widespread Impact of the Axios Supply Chain Attack
Palo Alto Networks Unit 42 · unit42.paloaltonetworks.com · 2026-04-01 18:30 UTC
North Korean hackers blamed for axios supply chain hack
SC Media · scworld.com · 2026-04-01 15:43 UTC
Backdooring of JavaScript Library Axios Tied to North Korea
BankInfoSecurity · bankinfosecurity.com · 2026-04-01 14:48 UTC
North Korean hackers linked to Axios npm supply chain compromise
Help Net Security · helpnetsecurity.com · 2026-04-01 14:26 UTC
Hackers Hijack Axios npm Package to Spread RATs
Infosecurity Magazine · infosecurity-magazine.com · 2026-04-01 09:00 UTC