A precision attack against the npm ecosystem exposed millions of developers worldwide — and your organization may still be at risk. Here is what happened, why it matters, and what to do now.
Attackers hijacked a trusted maintainer account for Axios — one of the world's most downloaded JavaScript libraries — and published poisoned versions that secretly installed surveillance software on developer machines.
This was not a software bug. It was a deliberate, pre-planned attack on the supply chain your engineers rely on daily. Stolen credentials, remote access, and persistent malware are the consequences for affected organizations.
Any team that installed Axios on March 31, 2026 between 00:21–03:20 UTC without a pinned version should treat their environment as potentially compromised and rotate all secrets immediately.
Most modern software applications are built like LEGO sets — developers assemble thousands of small, reusable building blocks rather than writing everything from scratch. One of those blocks, Axios, is a JavaScript tool that helps applications communicate over the internet. It is so widely used that it appears — directly or indirectly — in a significant fraction of the web and mobile applications built today.
On March 31, 2026 (UTC), attackers gained control of the account belonging to Axios's primary maintainer and used it to publish two new versions of the library. The Axios code itself was untouched. Instead, the attackers embedded a hidden reference to a second malicious package that would automatically download and execute when any developer ran a routine install command.
Because Axios itself contained zero malicious lines of code, standard code reviews and security audits of the package would find nothing suspicious. The threat was hidden one layer deeper — in a dependency that was only flagged as malicious after it had already been downloaded millions of times. Furthermore, the malware erased its own traces after execution, so post-infection inspection of the file system appeared clean.
This attack was not opportunistic. Researchers confirmed that the malicious infrastructure was staged 18 hours in advance — a sign of careful operational planning designed specifically to evade early detection systems.
After executing, the malware replaced its own configuration with a clean decoy file and deleted all installation artifacts. A developer who inspects their project folder after the fact will find no indication anything went wrong. Running npm audit will return clean results. The only reliable detection method is inspecting lockfile history.
For executive leadership, the critical framing is this: a single compromised open-source maintainer account was enough to turn one of the most trusted tools in the software ecosystem into an attack vector reaching millions of organizations.
Cloud access keys, database passwords, API tokens, and SSH keys on any affected machine should be assumed stolen. Attackers were observed validating stolen credentials within hours.
The installed Remote Access Trojan (RAT) gives attackers ongoing, silent control — not just a one-time data grab. They can return, move laterally across your network, and escalate privileges.
Automated build pipelines that run without pinned dependencies are high-value targets. A compromised build environment can propagate infections downstream to your products and customers.
Packages that themselves depend on Axios extended exposure far beyond direct users. Mandiant's CTO noted the attack "extends to other popular packages that have dependencies on it."
For engineering and security teams, this incident illustrates a class of supply chain attack where the infection vector is the install step itself, not the application runtime. The mechanism relied on npm's postinstall hook — a feature that allows packages to run arbitrary scripts the moment they are downloaded.
The malicious dependency used two layers of obfuscation to evade static analysis tools. It then checked the host operating system and downloaded a tailored payload: a VBScript/PowerShell combination on Windows, and a binary dropper on macOS and Linux. After execution, it replaced its own package.json with a clean decoy and removed all traces.
Organizations that committed lockfiles (package-lock.json or yarn.lock) before the malicious versions were published, and whose install process did not update the lockfile, were not affected. Pipelines that disable postinstall scripts were also protected. This validates two widely recommended but often skipped security controls: installing strictly from a committed lockfile, and disabling install scripts during dependency installation.
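The lockfile inspection described above, as an added example (not code from the article or from the Axios project): a Node.js scan of an npm lockfile (lockfileVersion 2 or 3) that reports an Axios entry at a known-bad version, any dependency Axios declares outside its expected set, and any package that declares an install script. The known-bad version list is a labelled placeholder because the article names no version numbers; the expected Axios dependency set is an assumed baseline for Axios 1.x, and the sample lockfiles are constructed.

```javascript
// Added example, not the article's or the Axios project's own code.
// PLACEHOLDER: the article gives no version numbers; fill this from the advisory you act on.
const KNOWN_BAD_AXIOS_VERSIONS = ["0.0.0-placeholder"];
// Assumed baseline: the runtime dependencies Axios 1.x normally declares.
const EXPECTED_AXIOS_DEPS = new Set(["follow-redirects", "form-data", "proxy-from-env"]);

// Accepts a lockfile as a JSON string or an already-parsed object.
// Returns a list of human-readable findings; an empty list means nothing suspicious.
function scanLockfile(input) {
  const lock = typeof input === "string" ? JSON.parse(input) : input;
  const packages = lock.packages || {};   // lockfileVersion 2/3 layout
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue;            // the root project entry
    // "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === "axios") {
      if (KNOWN_BAD_AXIOS_VERSIONS.includes(meta.version)) {
        findings.push(`axios@${meta.version} is a known-bad version`);
      }
      for (const dep of Object.keys(meta.dependencies || {})) {
        if (!EXPECTED_AXIOS_DEPS.has(dep)) {
          findings.push(`axios@${meta.version} declares unexpected dependency ${dep}`);
        }
      }
    }
    // npm records install scripts here; this is the postinstall hook the attack relied on.
    if (meta.hasInstallScript) findings.push(`${name}@${meta.version} runs an install script`);
  }
  return findings;
}

// Constructed sample: Axios pulling in an extra package that declares an install script.
const SUSPICIOUS_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "9.9.9-constructed" } },
    "node_modules/axios": { version: "9.9.9-constructed",
      dependencies: { "follow-redirects": "^1.0.0", "evil-helper-constructed": "^0.0.1" } },
    "node_modules/follow-redirects": { version: "1.0.0-constructed" },
    "node_modules/evil-helper-constructed": { version: "0.0.1", hasInstallScript: true },
  },
};
// Constructed sample: the same project with a clean Axios entry.
const CLEAN_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "9.9.9-constructed" } },
    "node_modules/axios": { version: "9.9.9-constructed", dependencies: { "follow-redirects": "^1.0.0" } },
    "node_modules/follow-redirects": { version: "1.0.0-constructed" },
  },
};
module.exports = { scanLockfile, SUSPICIOUS_LOCKFILE, CLEAN_LOCKFILE };
```

Because the malware cleans up after itself, run the scan over every historical copy of the lockfile (for example each revision `git show <commit>:package-lock.json` yields), not only the current one. The same two signals are what `npm ci` with `ignore-scripts=true` in `.npmrc` prevents from being acted on in the first place.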
Google Threat Intelligence Group (GTIG) has attributed this attack to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. The malicious dropper deploys a backdoor tracked as WAVESHAPER.V2 — an updated version of malware previously used by this group. UNC1069 has historically used supply chain attacks to steal cryptocurrency and cloud credentials. John Hultquist, Chief Analyst at GTIG, stated that given the popularity of the compromised package, the incident is expected to have "far reaching impacts."
| Risk Area | Severity | Description |
|---|---|---|
| Credential Theft | CRITICAL | Cloud keys, API tokens, SSH keys, and database passwords on any affected machine should be assumed stolen and rotated immediately. |
| Remote Access (RAT) | CRITICAL | Attackers gain persistent, silent control over infected systems. This is not just a data leak — it is a live, ongoing intrusion. |
| Invisible Footprint | HIGH | The malware self-destructs after execution. Standard auditing tools return clean results, making detection extremely difficult after the fact. |
| Pipeline Compromise | HIGH | CI/CD systems without pinned versions or postinstall controls are directly exposed — and a compromised build pipeline can infect downstream products. |
| Transitive Exposure | HIGH | Organizations that do not use Axios directly may still be affected through packages that depend on it as a transitive dependency. |
| Cross-Platform Reach | MEDIUM | Separate payloads were crafted for Windows, macOS, and Linux. No operating system provides inherent protection against this attack class. |
Indicators of compromise: payload paths /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); the domain sfrclak[.]com and IP address 142.11.206.73 on port 8000.