EarlyNarratives
Pricing
Start free trialSign in
Start free trialSign in
Signal

Axios npm package compromised in major supply chain attack delivering cross-platform RAT

Evidence first: scan the strongest sources, then decide whether to go deeper.

redditrss
cveexploitsmalwarethreat_actorssupply_chain_attackincident_response
Trend in the last 24h
Archive source links paid
Current signal detail is open. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackEvidence (9)Get the free brief by emailStart free trial
No card needed for the free brief.
Top sources
  • Google Threat Intelligence Group
    cloud.google.com
  • CSO Online
    csoonline.com
  • Malwarebytes Threat Analysis
    malwarebytes.com
  • Attack on axios software developer tool threatens widespread compromises
    CyberScoop
  • Axios npm supply chain attack: Malicious updates add remote access trojan
    SC Media
Overview

In late March 2026, attackers compromised the npm account of Axios's lead maintainer, a widely used JavaScript HTTP client with approximately 100 million weekly downloads.

Entities
Google Threat Intelligence GroupnpmAxiosWAVESHAPER.V2
Score total
2.28
Momentum 24h
9
Posts
9
Origins
9
Source types
2
Duplicate ratio
0%
Why now
  • The attack occurred recently in March 2026 and was detected within hours, but the short window still caused significant impact.
  • Growing reliance on open-source packages increases the risk and potential damage of supply chain compromises.
  • Heightened awareness and rapid response are critical to mitigating similar future attacks.
Why it matters
  • Axios is a foundational library with 100 million weekly downloads, so compromise affects a vast developer ecosystem.
  • Supply chain attacks like this can silently spread malware across multiple platforms and environments.
  • Attribution to a North Korea-linked actor highlights ongoing geopolitical cyber threats targeting open source infrastructure.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • Attackers compromised the npm account of Axios's lead maintainer and published malicious versions containing a remote access trojan.
  • The malicious versions injected a fake dependency 'plain-crypto-js' that deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
  • Google Threat Intelligence Group attributes the attack to UNC1069, a North Korea-linked financially motivated threat actor active since at least 2018.
How sources frame it
  • Google Threat Intelligence Group: neutral
All evidence
All evidence
Google Threat Intelligence Group
cloud.google.com
CSO Online
csoonline.com
Malwarebytes Threat Analysis
malwarebytes.com
Attack on axios software developer tool threatens widespread compromises
CyberScoop
Axios npm supply chain attack: Malicious updates add remote access trojan
SC Media
Show filters & breakdown
Posts loaded: 0Publishers: 5Origin domains: -Duplicates: -
Showing 5 / 0
Top publishers (this list)
  • cloud.google.com (1)
  • csoonline.com (1)
  • malwarebytes.com (1)
  • CyberScoop (1)
  • SC Media (1)
Top origin domains (this list)
  • Unknown (5)