A North Korean hacking group compromised the maintainer account of the most popular JavaScript HTTP client library, injected a cross-platform remote access trojan into two versions, and had three hours before anyone pulled them down. Wiz found the malicious code in 3% of the cloud environments it scanned.

At 12:21 AM UTC on March 31, 2026, a new version of Axios appeared on the npm registry. Version 1.14.1 looked routine. The changelog was empty. The source files were untouched. But buried in the package.json was a single new dependency that had not existed 22 minutes earlier: plain-crypto-js@4.2.1.

Within six minutes, Socket's automated malware scanner flagged the release. Within 39 minutes, a second poisoned version appeared: axios@0.30.4, targeting legacy users still on the 0.x branch. By 3:29 AM UTC, both versions were gone from the registry, removed by the npm security team.

The window was three hours and eight minutes. For a package downloaded 100 million times a week, present in roughly 80% of cloud and code environments according to Wiz, that was more than enough.

Google Traced the Attack to a North Korean State Actor

On April 1, Google's Threat Intelligence Group published its attribution. The attack was the work of UNC1069, a financially motivated threat actor linked to the North Korean government. Microsoft's threat intelligence team independently confirmed the finding, tracking the same group under the name Sapphire Sleet. Other security vendors know it as BlueNoroff, Stardust Chollima, and CryptoCore.

UNC1069 has operated since at least 2018, specializing in cryptocurrency theft and financial institution targeting. John Hultquist, chief analyst at Google Threat Intelligence Group, said in a statement that "North Korean hackers have deep experience with supply chain attacks, which they've historically used to steal cryptocurrency."

The technical evidence was specific. The macOS binary dropped by the malware contained a developer build path referencing Jain_DEV/client_mac/macWebT/macWebT, a direct link to BlueNoroff's "webT" module used in the RustBucket and Hidden Risk malware campaigns in 2023. The attacker also used an AstrillVPN node previously associated with North Korean cyber operations.

The Attack Exploited a Compromised Maintainer Account

The attackers did not find a vulnerability in Axios itself. They compromised the npm account belonging to @jasonsaayman, a maintainer with publishing rights to the Axios package. Elastic Security Labs reported that the account's registered email was changed to ifstap@proton.me, an attacker-controlled ProtonMail address. The exact method of initial account compromise has not been disclosed.

The operation was carefully staged. Eighteen hours before the attack, a "clean" version of plain-crypto-js (version 4.2.0) was published to npm, establishing a brief registry history to avoid immediate suspicion. Then, just before midnight UTC on March 30, the malicious version 4.2.1 was pushed. Twenty-two minutes later, axios@1.14.1 went live with plain-crypto-js@4.2.1 listed as a dependency.

When a developer or CI pipeline ran npm install, the package manager resolved the dependency tree, pulled the malicious package, and executed its postinstall hook automatically. No user interaction was required. No warning was displayed.

The Malware Deployed a Cross-Platform Remote Access Trojan

The post-install script, tracked by Google as SILKBELL, was an obfuscated JavaScript dropper. Snyk's researchers reverse-engineered its obfuscation: reversed Base64 encoding with padding character substitution, layered with an XOR cipher using the key OrDeR_7077 and a constant value of 333.

SILKBELL's job was to detect the operating system and deploy the appropriate payload: a backdoor that Google tracks as WAVESHAPER.V2. The malware supported macOS, Windows, and Linux with platform-specific delivery:

Platform	Payload Location	Delivery Method
macOS	`/Library/Caches/com.apple.act.mond`	C++ Mach-O binary, force-signed to bypass Gatekeeper
Windows	`%PROGRAMDATA%\wt.exe`	VBScript copies PowerShell binary, executes hidden RAT
Linux	`/tmp/ld.py`	Python RAT launched via `nohup` as orphaned background process

Once installed, WAVESHAPER.V2 beaconed to its command-and-control server at sfrclak[.]com (IP: 142.11.206.73) every 60 seconds, using a fake Internet Explorer 8 / Windows XP user-agent string. The backdoor supported four commands: kill (terminate process), rundir (enumerate directory listings), runscript (execute arbitrary commands), and peinject (decode and execute binaries).

Tomislav Peričin of ReversingLabs said the sophistication was deliberate: "The level of operational sophistication documented here reflects a threat actor that planned this as a scalable operation."

The Blast Radius Spans Millions of Environments

Axios is not a niche tool. It is the single most popular HTTP client library in the JavaScript ecosystem, ranked in the top 10 of all npm packages by download volume. Wiz estimated it is present in approximately 80% of cloud and code environments.

During the three-hour window, any system that ran npm install without a lockfile pinning Axios to a specific safe version would have pulled the compromised release. CI/CD pipelines that triggered builds during the window were particularly vulnerable: automated systems do not pause to review changelogs.

Wiz reported finding the malicious versions in roughly 3% of the environments it scanned. For a package this ubiquitous, 3% represents a significant number of affected systems. Any environment that executed the compromised packages should assume credential compromise, since WAVESHAPER.V2's design focused on establishing persistent remote access for data exfiltration.

The attack also spawned secondary compromises. Snyk identified two additional packages that bundled the poisoned Axios version: @qqbrowser/openclaw-qbot@0.0.130 (which contained the tampered axios@1.14.1) and @shadanai/openclaw (versions 2026.3.31-1 and 2026.3.31-2, which vendored plain-crypto-js directly).

The LiteLLM Attack Happened Six Days Earlier. The Pattern Is Accelerating.

The Axios compromise did not occur in isolation. Six days earlier, on March 24, a different threat group called TeamPCP backdoored LiteLLM, the Python library present in an estimated 36% of cloud environments and downloaded 95 million times a month. That attack exploited a compromised CI/CD pipeline. TeamPCP had spent the preceding five days hitting Aqua Security's Trivy scanner, npm packages via CanisterWorm, and Checkmarx's KICS tool.

Now a North Korean state actor has hit the JavaScript ecosystem's most fundamental HTTP library using the same category of attack: compromising trusted infrastructure to reach millions of developers at once.

CNN reported that experts responding to the Axios hack expect a "long-term campaign to steal cryptocurrency to fund the North Korean regime, which often spends such stolen money on its nuclear and missile programs."

Security researchers have started calling 2026 "the year of the supply chain," and the data supports the label. Two of the most widely used open-source libraries in the AI and JavaScript ecosystems have been compromised within a single week, by two separate threat actors, using two different attack vectors.

The Other Side of the Disclosure

The security industry's response was swift, but the underlying problem remains unsolved. npm maintainer accounts are protected by two-factor authentication, but 2FA adoption is not universal among package maintainers. npm has not disclosed whether @jasonsaayman's account had 2FA enabled at the time of the compromise.

The broader question is structural. A single compromised credential gave an attacker the ability to push code to a package installed in 80% of cloud environments. The open-source ecosystem still relies on individual maintainer accounts as the last line of defense for packages that underpin critical infrastructure worldwide.

Socket detected the attack within six minutes. The npm team removed the packages within three hours. For the open-source security ecosystem, that is a fast response. For an attacker with a cross-platform RAT and 100 million potential targets per week, three hours is a long time.

Immediate Actions for Affected Teams

If your systems ran npm install between 00:21 and 03:29 UTC on March 31, 2026:

Check whether axios@1.14.1 or axios@0.30.4 is present in any node_modules directory
Search for the plain-crypto-js package in your dependency tree
Check for IOC files: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)
Block outbound connections to sfrclak[.]com and 142.11.206.73
If any indicator is present: rotate every credential, API key, and token accessible from the affected environment
Roll back to a safe Axios version (1.14.0 or earlier, 0.30.3 or earlier)
Organizations with lockfiles pinning Axios to a specific version were protected

The Bottom Line

A North Korean state actor hijacked the most downloaded HTTP library in the JavaScript ecosystem and had three hours to deploy a cross-platform remote access trojan before anyone stopped it. Google attributed the attack. Microsoft confirmed it. Wiz found the malicious code in 3% of the cloud environments it scanned.

The open-source supply chain now faces two simultaneous campaigns: TeamPCP targeting Python and CI/CD infrastructure, and North Korean actors targeting npm's most fundamental packages. Six days separated the LiteLLM backdoor from the Axios compromise. The tools that millions of developers trust implicitly are being used against them, and the defenses are measured in minutes, not miles.

As Hultquist put it: North Korean hackers have deep experience with this. They have been doing it since 2018. They are not stopping.

Sources

Google Attributes Axios npm Supply Chain Attack to North Korean Group UNC1069 (April 1, 2026)
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack (April 2, 2026)
Axios NPM Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT (April 1, 2026)
Axios NPM Distribution Compromised in Supply Chain Attack (March 31, 2026)
Mitigating the Axios npm Supply Chain Compromise (April 1, 2026)
North Korean Hackers Implicated in Major Supply Chain Attack (March 31, 2026)
North Korean Hackers Linked to Axios npm Supply Chain Compromise (April 1, 2026)
North Korean Hackers Bug Software Used by Thousands of US Companies in Potential Crypto Heist Attempt (March 31, 2026)
Axios npm Supply Chain Attack FAQ (April 1, 2026)
Hackers Compromise Axios, Widely Used Software Development Tool (March 31, 2026)

Practice with real Telecom & ISP data

90 SQL & Python problems · 15 industry datasets

Used by DS/ML engineers at top companies

Active Residential CustomersEasy

Unlimited Fiber Plans 500Mbps+Medium

Customer Churn Risk AssessmentHard

250 free problems · No credit card

See all Telecom & ISP problems

Free Career Roadmaps8 PATHS

Step-by-step roadmaps from zero to job-ready — curated courses, salary data, and the exact learning order that gets you hired.

Explore all career paths

Recommended Reading

Curated articles related to this topic

News

7 min

Oracle Cut 30,000 Jobs With a 6 AM Email. It Posted $6 Billion in Profit Last Quarter.

Oracle executed the largest layoff in its history, eliminating up to 30,000 employees to fund a 56 billion AI infrastructure buildout, despite posting record .13 billion in quarterly profit.

Apr 2, 2026

News

6 min

A Man Shared His Tax Returns with Perplexity. The Lawsuit Says Meta and Google Got Them Too.

A Utah man filed a proposed class-action lawsuit against Perplexity AI in San Francisco federal court on April 1, 2026, alleging the company embedded hidden tracking software that transmitted user conversations to Meta and Google. The complaint claims trackers activate upon login and operate even in Incognito mode. The plaintiff shared financial and tax information with the chatbot. This is the latest in a series of legal challenges for Perplexity, including Amazon scraping disputes and publisher copyright suits.

Apr 1, 2026

News

8 min

OpenAI Just Raised $122 Billion. Amazon Bet Half of It on a Milestone That Doesn't Exist Yet.

OpenAI completed the largest private funding round in history, raising $122 billion at an $852 billion valuation. Amazon committed $50 billion, with $35 billion contingent on an IPO or AGI milestone by 2028. Nvidia and SoftBank each invested $30 billion in phased installments. The company generates $2 billion in monthly revenue but projects a $14 billion loss for 2026, making an IPO increasingly likely by Q4 2026.

Apr 1, 2026

News

8 min

Anthropic's Revenue Nearly Doubled in Two Months. Now It's Targeting a $60 Billion IPO.

Anthropic's annualized revenue nearly doubled from $9 billion at year-end 2025 to $19 billion by early March 2026, adding $6 billion in February alone — the fastest growth trajectory in enterprise AI history. Claude Code, the company's agentic coding tool, is the primary growth driver. Anthropic is now in early discussions with Goldman Sachs, JPMorgan, and Morgan Stanley about a potential public listing as soon as October 2026 that bankers expect could raise more than $60 billion. The company's current private valuation stands at $380 billion following a February 2026 Series G round.

Mar 31, 2026

News

10 min

While Suing OpenAI, Musk Asked Zuckerberg to Help Him Buy It. The Texts Are Now Evidence.

Court filings unsealed March 31 in the $134 billion Musk v. OpenAI case reveal Elon Musk privately texted Mark Zuckerberg asking him to join a bid for OpenAI's intellectual property. The exchange occurred February 3, 2025, just seven days before Musk's xAI consortium submitted a $97.4 billion unsolicited offer. Zuckerberg declined to participate but did not publicly disclose the conversation. The texts represent a new dimension to a lawsuit Musk has framed as a crusade to protect OpenAI's nonprofit mission. Jury selection begins April 27 in Oakland.

Mar 31, 2026

News

10 min

Mistral Just Borrowed $830 Million to Buy 13,800 Nvidia Chips. Europe Is Betting It Can Build Its Own AI.

Mistral AI secured $830 million in debt financing from seven banks to build a dedicated AI data center near Paris housing 13,800 Nvidia GB300 GPUs. The facility is part of Mistral's plan to reach 200 MW of compute capacity across Europe by 2027.

Mar 30, 2026

News

10 min

Anthropic Accidentally Leaked Its Most Powerful AI Model. Cybersecurity Stocks Crashed the Next Morning.

Anthropic accidentally leaked details of Claude Mythos, a new model tier above Opus with dramatically higher cybersecurity capabilities. The leak triggered a cybersecurity stock sell-off and prompted government briefings about AI-enabled cyberattacks.

Mar 30, 2026

News

11 min

The LiteLLM Backdoor: How a Security Scanner Handed Attackers 95 Million Monthly Downloads

The TeamPCP supply chain attack on LiteLLM demonstrates how a compromised security scanner can weaponize a popular AI library against enterprise users. Attackers exploited a GitHub Actions vulnerability in Aqua Security's Trivy tool to steal PyPI publishing credentials and inject malicious code into LiteLLM versions 1.82.7 and 1.82.8. The malware utilized Python's .pth file mechanism to execute credential-harvesting scripts immediately upon interpreter startup, bypassing standard import checks. Security teams must understand how the Pwn Request vulnerability class enables lateral movement from CI/CD pipelines to production packages. Engineers can apply lessons from this incident to pin GitHub Action versions, secure PyPI tokens, and detect anomalous .pth files in Python environments to prevent similar upstream compromises.

Trump Wants to Kill Every State AI Law. Democrats Are Fighting Back.

The Trump White House's National Policy Framework for Artificial Intelligence, released March 20, 2026, proposes sweeping federal preemption to nullify AI regulations in California, Colorado, New York, and other states. This four-page document, building on Executive Order 14365, outlines seven pillars including child protection, intellectual property rights, and workforce development, while explicitly rejecting the creation of a new federal AI regulator. The framework asserts that AI model development constitutes interstate commerce, arguing that state-level liability for developers hinders American innovation. In direct opposition, House Democrats introduced the GUARDRAILS Act to block federal preemption and preserve state authority. The administration's proposal advocates for parental attestation over independent verification for age assurance and declares AI training on copyrighted material generally permissible under current copyright laws. Readers gain a detailed understanding of the conflict between federal standardization and state regulatory autonomy in the 2026 US legislative landscape.

Amazon Just Bought the Robot That Wants to Live in Your Home

Amazon's acquisition of Fauna Robotics signals a definitive shift from wheeled domestic assistants to bipedal humanoids designed for social interaction. The deal brings the Sprout robot, a 3.5-foot platform developed by former DeepMind and CTRL-labs researchers Rob Cochran and Josh Merel, under the Amazon Devices umbrella. Unlike industrial competitors from Tesla and Figure that prioritize factory strength, Sprout utilizes LED facial displays and a smaller form factor to safely navigate living rooms. This purchase follows Amazon's regulatory roadblocks with iRobot and limited traction with the Astro security robot, positioning the retail giant against 1X and Boston Dynamics in consumer robotics. Technology professionals can now analyze how Amazon intends to leverage Fauna's developer SDK and autonomous navigation stack to finally mass-produce social robotics.

Audio

Mar 26, 2026