Signal

Axios npm package compromised in major supply chain attack delivering cross-platform RAT


Published 2026-03-30 23:00 UTC · Updated 2026-03-31 20:45 UTC
reddit · rss
cve · exploits · malware · threat_actors · supply_chain_attack · incident_response
Evidence trail (top sources)
Top sources (4 domains). Domains are deduped. Counts indicate coverage, not truth.
4 top sources shown
Axios supply chain attack chops away at npm trust
Malwarebytes Threat Analysis · News · malwarebytes.com · 2026-03-31 14:53 UTC
Overview

In late March 2026, attackers compromised the npm account of the lead maintainer of Axios, a widely used JavaScript HTTP client with approximately 100 million weekly downloads.

Entities
Google Threat Intelligence Group · npm · Axios · WAVESHAPER.V2
Score total: 2.28
Momentum 24h: 9
Posts: 9
Origins: 9
Source types: 2
Duplicate ratio: 0%
Why now
  • The attack occurred in March 2026 and was detected within hours, but even that short window caused significant impact.
  • Growing reliance on open-source packages increases the risk and potential damage of supply chain compromises.
  • Heightened awareness and rapid response are critical to mitigating similar future attacks.
Why it matters
  • Axios is a foundational library with 100 million weekly downloads, so compromise affects a vast developer ecosystem.
  • Supply chain attacks like this can silently spread malware across multiple platforms and environments.
  • Attribution to a North Korea-linked actor highlights ongoing geopolitical cyber threats targeting open source infrastructure.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • Attackers compromised the npm account of Axios's lead maintainer and published malicious versions containing a remote access trojan.
  • The malicious versions injected a fake dependency 'plain-crypto-js' that deployed the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux.
  • Google Threat Intelligence Group attributes the attack to UNC1069, a North Korea-linked financially motivated threat actor active since at least 2018.
How sources frame it
  • Google Threat Intelligence Group: neutral
All evidence
Attack on axios software developer tool threatens widespread compromises
CyberScoop · cyberscoop.com · 2026-03-31 16:25 UTC
Axios supply chain attack chops away at npm trust
Malwarebytes Threat Analysis · malwarebytes.com · 2026-03-31 14:53 UTC
Axios npm packages backdoored in supply chain attack
Help Net Security · helpnetsecurity.com · 2026-03-31 11:54 UTC
Posts loaded: 0 · Publishers: 6 · Origin domains: 6 · Duplicates: -
Top publishers (this list)
  • CSO Online (1)
  • CyberScoop (1)
  • Malwarebytes Threat Analysis (1)
  • Mandiant Blog (1)
  • SC Media (1)
  • Help Net Security (1)
Top origin domains (this list)
  • csoonline.com (1)
  • cyberscoop.com (1)
  • malwarebytes.com (1)
  • cloud.google.com (1)
  • scworld.com (1)
  • helpnetsecurity.com (1)