Saturday, April 4, 2026

Hackers Compromise 100M-Download Axios JavaScript Library in Rare Supply Chain Attack

A hacker hijacked the npm account of the lead axios maintainer and pushed malicious versions of the JavaScript library, which is downloaded roughly 100 million times a week. Security firms warn the supply chain attack could have compromised up to 600,000 developers.

Business | By Catherine Chen | 3d ago | 4 min read

Last updated: April 3, 2026, 12:46 PM


In a brazen supply chain attack that sent shockwaves through the global software development community, hackers infiltrated the npm account of the lead maintainer for axios—a widely used JavaScript client library—and pushed malicious versions of the popular open-source tool late Sunday into Monday. With an estimated 100 million weekly downloads, axios is a cornerstone of modern web development, relied upon by developers to make HTTP requests in applications ranging from small startups to Fortune 500 enterprises. Security researchers at multiple cybersecurity firms, including Huntress, Socket, and Step Security, detected the compromise within hours, removed the infected packages, and issued urgent warnings to developers who may have downloaded the malicious versions during the brief window of exposure. The incident, which researchers describe as one of the most impactful npm supply chain attacks on record, underscores the growing sophistication and danger of supply chain threats targeting open-source ecosystems—a trend that has escalated alongside the increasing reliance on third-party code in software development.

  • A hacker hijacked the npm account of the lead axios maintainer and pushed malicious versions of axios (1.14.1 and 0.30.4) with embedded remote access trojans.
  • The attack injected a fake dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan on MacOS, Windows, and Linux devices.
  • Security researchers estimate up to 600,000 developers may have downloaded the malicious versions during the roughly 24-hour window of exposure.
  • Google Threat Intelligence attributed the attack to UNC1069, a suspected North Korean hacking group known for supply chain attacks targeting cryptocurrency theft.
  • Experts urge developers to immediately pin their axios version and audit dependency lockfiles to prevent further compromise.

How the Axios Supply Chain Attack Unfolded: A Timeline of Infiltration and Discovery

The attack began late Sunday, March 30, 2025, when an unknown hacker gained unauthorized access to the npm account of the lead maintainer of axios. Using this compromised account, the attacker published two malicious versions of the library: axios@1.14.1 and axios@0.30.4. These versions did not contain any malicious code directly within the axios source code itself. Instead, they introduced a previously nonexistent dependency called plain-crypto-js@4.2.1, which was designed solely to execute a post-installation script. According to Ashish Kurmi, CTO and founder of Step Security, this script deployed a cross-platform remote access trojan (RAT) capable of infecting MacOS, Windows, and Linux systems.

The malicious dependency was staged less than 24 hours in advance, and both poisoned versions were published within the same hour, indicating a highly coordinated and precise operation. Joshua Wright, SANS Institute faculty fellow and senior technical director at Counter Hack Innovations, estimated that approximately 600,000 developers may have downloaded the compromised versions during the roughly 24-hour exposure window. Wright emphasized the severity of the breach, noting that once installed, the malware could scrape access credentials, potentially granting threat actors access to cloud services like AWS or other GitHub packages through harvested keys.

The Malicious Payload: How the Fake Dependency Operated

The plain-crypto-js@4.2.1 dependency served as a loader for the malware, bypassing traditional static analysis methods used by cybersecurity tools. The payload was designed to evade detection by renaming and deleting artifacts, effectively destroying forensic evidence and complicating incident response efforts. Feross Aboukhadijeh, CEO and founder of Socket, described the attack as a "textbook supply chain installer malware" and warned that every npm install pulling the latest version of axios during the exposure period was potentially compromised.

The Immediate Response: Security Firms and Developers Race to Contain the Damage

Within hours of the malicious versions being published, security researchers at multiple firms—including Huntress, Socket, Endor Labs, and Step Security—detected the compromise and issued alerts to the developer community. Huntress was among the first to identify and remove the poisoned packages from npm. Socket’s Aboukhadijeh issued a blunt warning on X (formerly Twitter), urging developers to "pin your version immediately and audit your lockfiles" and advising them not to upgrade to newer versions until the situation was fully assessed. The rapid response likely prevented a more widespread catastrophe, but the full scope of the breach remains unclear as organizations scramble to assess the damage.

Why Open-Source Libraries Are a Prime Target for Supply Chain Attacks

The axios attack is the latest in a growing wave of supply chain attacks targeting open-source software, where hackers compromise widely used libraries to infiltrate a broad range of downstream applications. Open-source projects like axios are particularly vulnerable because they are often maintained by small teams or individual developers who may lack the resources to implement robust security measures. Additionally, these libraries are frequently integrated into countless applications, making them an attractive target for threat actors seeking to maximize the impact of their attacks. According to the Open Source Security Foundation (OpenSSF), supply chain attacks involving open-source software increased by 742% between 2019 and 2023, highlighting the escalating threat posed by these types of incidents.

The Historical Context: North Korean Hackers and Supply Chain Tactics

Google’s Threat Intelligence Group attributed the axios attack to UNC1069, a suspected North Korean hacking group with a documented history of using supply chain attacks to achieve strategic objectives. North Korean cyber actors have been linked to high-profile attacks on cryptocurrency exchanges and financial institutions, often leveraging compromised third-party software to gain access to target networks. John Hultquist, chief analyst at Google Threat Intelligence, noted that Korean hackers have "deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency." While the full extent of the axios attack’s impact is still being assessed, Hultquist warned that the broad use of the compromised package suggests the incident could have far-reaching consequences.

The Broader Implications: What This Means for Developers and Organizations

The axios supply chain attack serves as a stark reminder of the risks inherent in relying on third-party code. Developers often unknowingly inherit vulnerabilities when they integrate open-source libraries into their projects, a practice that has become ubiquitous in modern software development. The incident highlights the need for stronger security measures, including rigorous dependency management, regular audits of lockfiles, and the implementation of tools designed to detect and block malicious packages. Organizations that fail to heed these warnings risk falling victim to similar attacks, which can result in data breaches, financial losses, and reputational damage.

For developers, the immediate takeaway is clear: pinning version numbers and auditing dependency lockfiles are no longer optional precautions but essential security practices. The axios attack also underscores the importance of verifying the integrity of npm accounts and maintaining strict access controls to prevent unauthorized publishing of packages. As open-source software continues to underpin the digital economy, the need for collective action to secure these critical resources has never been more urgent.

Lessons from Recent Supply Chain Attacks: A Pattern of Escalating Threats

The axios attack follows closely on the heels of other high-profile supply chain incidents, including the 2022 compromise of the npm package "ua-parser-js," which infected thousands of projects with cryptocurrency-mining malware, and the 2021 attack on the Codecov CI tool, which exposed the credentials of hundreds of companies. These incidents, along with the axios breach, illustrate a disturbing trend: threat actors are increasingly targeting the software supply chain as a means of gaining access to a wide range of targets with minimal effort. The rise of these attacks has prompted calls for greater collaboration between the open-source community, cybersecurity firms, and government agencies to develop more robust defenses against supply chain threats.

What Developers Should Do Now: Immediate Steps to Mitigate Risk

In the wake of the axios supply chain attack, cybersecurity experts are urging developers to take immediate action to protect their systems. The first step is to pin the version of axios used in their projects to a known-safe release, such as axios@1.6.0 or earlier, and avoid upgrading to any version published after March 30, 2025. Developers should also audit their dependency lockfiles—for example, package-lock.json or yarn.lock—to identify any instances of the malicious plain-crypto-js@4.2.1 dependency. If detected, these entries should be removed immediately, and affected systems should be scanned for signs of compromise.

Conducting a Threat Hunt: Identifying and Removing Malicious Artifacts

Security teams should conduct a thorough threat hunt to identify any systems that may have been compromised by the axios attack. This process involves checking for the presence of the malicious plain-crypto-js@4.2.1 dependency in project lockfiles, as well as scanning for any unusual network activity or unauthorized access to cloud services. Joshua Wright of the SANS Institute recommended that organizations review their GitHub keys and AWS access logs for signs of credential scraping, as the malware was designed to harvest such information. Additionally, developers should reset any credentials that may have been exposed and implement multi-factor authentication (MFA) on all critical accounts.
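The lockfile audit recommended in the two sections above can be scripted. The following is an added example, not code from the article, from axios, or from any of the firms quoted: it scans the contents of a package-lock.json (lockfileVersion 1, 2 or 3) or a yarn.lock (v1 format) for the indicators the article names, plain-crypto-js@4.2.1 and the poisoned axios releases 1.14.1 and 0.30.4, and separately flags package.json entries whose range is not pinned to an exact version. The sample lockfile fragments at the bottom are constructed for the demonstration; run it against real files by passing their text to scanLockfile and findUnpinned.

```javascript
// Added example (not from the article or the axios project). Indicators below are
// the ones the article names; the sample inputs at the bottom are constructed.
const INDICATORS = {
  "plain-crypto-js": ["4.2.1"],
  "axios": ["1.14.1", "0.30.4"],
};

function isIndicator(name, version) {
  const bad = INDICATORS[name];
  return Boolean(bad && bad.includes(version));
}

// package-lock.json: v2/v3 keep a flat "packages" map keyed by install path
// ("node_modules/axios", "node_modules/a/node_modules/axios"); v1 nests a
// "dependencies" tree. Both shapes are handled so older lockfiles are not skipped.
function scanPackageLock(jsonText) {
  const lock = JSON.parse(jsonText);
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, where: path });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// yarn.lock (v1): each entry starts at column 0 with one or more comma-separated
// specifiers ending in ":", followed by an indented `version "x.y.z"` line.
function scanYarnLock(text) {
  const hits = [];
  let current = null; // package name of the entry currently being read
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      // "@scope/name@range": the name runs up to the first "@" after position 0
      const at = spec.indexOf("@", 1);
      current = at === -1 ? spec : spec.slice(0, at);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current && isIndicator(current, m[1])) {
      hits.push({ name: current, version: m[1], where: "yarn.lock" });
    }
  }
  return hits;
}

// Pick the parser from the content rather than the file name.
function scanLockfile(text) {
  return text.trimStart().startsWith("{") ? scanPackageLock(text) : scanYarnLock(text);
}

// package.json: anything other than an exact "x.y.z" (a ^ or ~ range, "*", "latest")
// resolves at install time, so a ^1.x range would have accepted a freshly
// published 1.14.1 during the exposure window.
function findUnpinned(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!exact.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
});
const SAMPLE_YARN_LOCK = [
  '"axios@^1.6.0":', '  version "1.14.1"', '  dependencies:', '    plain-crypto-js "4.2.1"', '',
  'plain-crypto-js@4.2.1:', '  version "4.2.1"', '',
  'follow-redirects@^1.15.6:', '  version "1.15.6"',
].join("\n");
const SAMPLE_PACKAGE_JSON = JSON.stringify({ dependencies: { axios: "^1.6.0", "follow-redirects": "1.15.6" } });

console.log("package-lock hits:", scanLockfile(SAMPLE_PACKAGE_LOCK));
console.log("yarn.lock hits:", scanLockfile(SAMPLE_YARN_LOCK));
console.log("unpinned ranges:", findUnpinned(SAMPLE_PACKAGE_JSON));
```

A hit on plain-crypto-js in any lockfile means the install script ran on every machine that installed from that lockfile, so the credential review and resets described above apply to those hosts, not just to the repository.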

Strengthening Defenses Against Future Supply Chain Attacks

To prevent similar incidents in the future, developers and organizations should adopt a multi-layered approach to security. This includes using tools like Socket, which can detect and block malicious packages in real time, and implementing software composition analysis (SCA) tools to monitor dependencies for vulnerabilities. Organizations should also establish strict policies for managing npm accounts, including the use of two-factor authentication (2FA) and regular audits of maintainer permissions. Furthermore, the open-source community should prioritize the security of critical libraries by investing in automated testing, code signing, and other best practices that reduce the risk of compromise.

The Role of Government and Industry in Combating Supply Chain Threats

The axios attack has reignited calls for greater government and industry collaboration to address the growing threat of supply chain attacks. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has been working with the open-source community to develop guidelines and tools for securing software supply chains. Initiatives like the OpenSSF’s Alpha-Omega project and the Linux Foundation’s Sigstore project aim to improve the security of open-source software by providing developers with better tools and resources. However, experts argue that more needs to be done, including increased funding for open-source security and stronger enforcement of cybersecurity standards for critical infrastructure.

The Long-Term Fallout: What We Can Expect in the Coming Weeks and Months

As organizations continue to assess the damage caused by the axios supply chain attack, security researchers warn that the full impact may not be known for weeks or even months. The malware’s ability to scrape credentials and pivot to other systems means that some organizations may only discover they’ve been breached weeks after the initial compromise. Joshua Wright of the SANS Institute cautioned that "we’re going to see more and more stories about people that realize they’ve gotten breached, as today they’re trying to figure out what the impact is of that." The incident serves as a sobering reminder of the persistent and evolving threat posed by supply chain attacks, and the need for vigilance in an increasingly interconnected digital ecosystem.

Key Takeaways for Developers and Organizations

  • The axios supply chain attack highlights the critical vulnerabilities in open-source software ecosystems, where a single compromised library can have cascading effects across thousands of applications.
  • Developers must adopt rigorous dependency management practices, including pinning versions and auditing lockfiles, to mitigate the risk of supply chain attacks.
  • The use of fake dependencies to deploy malware underscores the need for advanced detection tools that can identify and block malicious packages in real time.
  • Organizations should prepare for potential fallout from the axios attack by conducting thorough threat hunts and resetting exposed credentials.
  • Collaboration between the open-source community, cybersecurity firms, and government agencies is essential to developing robust defenses against future supply chain threats.

Frequently Asked Questions

How did the hackers compromise the axios library?

The attackers hijacked the npm account of the lead axios maintainer and published malicious versions of the library (axios@1.14.1 and axios@0.30.4) that included a fake dependency, plain-crypto-js@4.2.1, which deployed a remote access trojan.

What should developers do if they used the compromised axios versions?

Developers should immediately pin their axios version to a known-safe release and audit their dependency lockfiles for the malicious plain-crypto-js@4.2.1 dependency. They should also reset any exposed credentials and conduct a threat hunt for signs of compromise.

Which hacking group is responsible for the axios attack?

Google’s Threat Intelligence Group attributed the attack to UNC1069, a suspected North Korean hacking group known for using supply chain attacks to steal cryptocurrency and infiltrate target networks.
Catherine Chen

Financial Correspondent

Catherine Chen covers finance, Wall Street, and the global economy with a focus on business strategy. A former financial analyst turned journalist, she translates complex economic data into clear, actionable reporting. Her coverage spans Federal Reserve policy, cryptocurrency markets, and international trade.
