WASHINGTON — On March 31, 2026, North Korean hackers compromised Axios — one of the most widely used software packages in the world. Within two seconds of installation, the malware was already phoning home to attackers. Within three hours, security researchers caught it. But the damage window was enough.
This isn’t just another cybersecurity story. This is a template for how nation-state hackers can weaponize the software supply chain to reach millions of targets simultaneously.
What Happened
Hackers linked to North Korea’s UNC1069 group — a financially motivated operation active since 2018 — hijacked the npm account of a primary Axios maintainer. They changed the account’s email to an attacker-controlled ProtonMail address, locked out the legitimate developer, and published two poisoned versions of the package.
Axios is downloaded over 100 million times per week. It’s the most popular JavaScript library for making HTTP requests — meaning it’s embedded in countless websites, apps, enterprise systems, and cloud services worldwide.
The attackers didn’t modify Axios itself. Instead, they slipped in a hidden dependency called “plain-crypto-js” that executed automatically during installation. The malicious code deployed a cross-platform backdoor called WAVESHAPER.V2 capable of stealing credentials, moving through networks, and executing additional payloads on Windows, macOS, and Linux systems.
Security researchers are calling this “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.”
Why This Is Different
Most cyberattacks require a victim to click something, download something, or make a mistake. This one required nothing. If your system ran “npm install” during the three-hour window, you were compromised — automatically, silently, with no user interaction required.
The malware self-destructed after deployment, replacing its own files with clean versions to avoid detection. Every artifact was designed to erase its tracks.
North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency to fund weapons programs and evade sanctions. But the implications here go far beyond crypto theft.
The Blast Radius
Google’s Threat Intelligence Group warned that “hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks.” The downstream effects could include:
• Further software supply chain attacks using stolen credentials
• Compromises of SaaS environments leading to customer breaches
• Ransomware and extortion events
• Cryptocurrency theft at scale
Any organization that installed the compromised Axios versions — or used software that depends on Axios — should assume their system is compromised.
The Bigger Picture
Open-source software powers the modern internet. It’s free, widely trusted, and maintained by volunteers who often don’t have enterprise-level security resources. That trust is the vulnerability.
When hackers can compromise a single maintainer account and reach millions of downstream users instantly, the economics of cyberattacks shift dramatically. One successful breach becomes a weapon of mass digital destruction.
This attack should be understood as a template, not a one-time event. The sophistication documented here — pre-staged payloads built for three operating systems, a decoy package established 18 hours in advance, automatic self-destruction — represents the new baseline for nation-state software supply chain operations.
What You Should Do
If you’re a developer or run systems that use npm packages:
• Audit your dependency trees for compromised Axios versions (1.14.1 and 0.30.4)
• Pin Axios to a known safe version in your package-lock.json
• Check for the presence of “plain-crypto-js” in your node_modules
• Rotate all credentials on potentially affected systems
• Block the C2 domain (sfrclak[.]com) and associated IP addresses
If you’re everyone else: understand that the software running your favorite apps, websites, and services is built on a foundation of trust that just got exploited at industrial scale.
This story is developing. Security researchers continue to assess the full scope of the compromise.