North Korean Hackers Compromise Axios npm Package in Major Supply Chain Attack

By whois-secure, April 12, 2026

On March 31, 2026, the widely used JavaScript library Axios fell victim to a sophisticated supply chain attack orchestrated by the North Korean state-sponsored group known as Sapphire Sleet. This incident underscores the escalating threats targeting software supply chains and the critical need for robust security measures.

Details of the Attack

Axios, a popular HTTP client for JavaScript applications with over 70 million weekly downloads, became the focal point of this attack. The adversaries compromised the npm account of a primary Axios maintainer, which enabled them to publish malicious versions of the package (specifically versions 1.14.1 and 0.30.4) to the npm registry. These trojanized packages contained covertly injected dependencies designed to execute a second-stage Remote Access Trojan (RAT) during the installation process.

The malicious code was engineered to establish communication with command and control (C2) servers operated by Sapphire Sleet, facilitating unauthorized access and potential data exfiltration from systems where the compromised Axios versions were installed. Notably, the attack required no user interaction beyond the standard npm install command, leveraging the post-install script mechanism to achieve automatic code execution.

Attribution to Sapphire Sleet

Microsoft's Threat Intelligence team attributed this campaign to Sapphire Sleet, a North Korean state-sponsored threat actor with a history of targeting cryptocurrency and financial sectors. The group's tactics, techniques, and procedures (TTPs) align with those observed in previous campaigns, including the use of supply chain compromises to distribute malware.

In their analysis, Microsoft highlighted the strategic nature of the attack, emphasizing that by compromising a widely used package like Axios, the threat actors could achieve broad distribution of their malicious payload, potentially impacting a vast number of systems globally.

Impact and Response

The compromised Axios versions were live on the npm registry for approximately three hours before being identified and removed. During this window, any developer or organization that installed or updated Axios could have inadvertently introduced the malicious code into their systems.

In response to the incident, the Cyber Security Agency of Singapore (CSA) issued an advisory urging organizations to enforce strict governance over their internal development environments. The advisory emphasized the importance of securing software supply chains and development workflows to mitigate such risks.

Mitigation and Best Practices

To protect against similar supply chain attacks, organizations are advised to implement the following measures:

  • Verify Package Integrity: Before installing or updating packages, verify their integrity by checking checksums and signatures. Utilize tools that can detect and alert on unexpected changes in package versions or dependencies.
  • Implement Least Privilege Access: Restrict access to package manager accounts and repositories to only those who require it. Regularly review and update access controls to minimize the risk of account compromise.
  • Monitor for Suspicious Activity: Continuously monitor development environments and CI/CD pipelines for unusual activities, such as unexpected package updates or installations, which could indicate a compromise.
  • Educate Developers: Provide training to developers on the risks associated with third-party packages and the importance of scrutinizing dependencies before inclusion in projects.
  • Maintain an Updated Software Bill of Materials (SBOM): Keep an up-to-date inventory of all software components and dependencies used within the organization to facilitate quick identification and response to vulnerabilities.

By adopting these practices, organizations can enhance the security of their software supply chains and reduce the risk of similar attacks in the future.

Conclusion

The compromise of the Axios npm package by North Korean hackers serves as a stark reminder of the vulnerabilities inherent in modern software supply chains. As threat actors continue to evolve their tactics, it is imperative for organizations to proactively implement comprehensive security measures to safeguard their development environments and protect against such insidious attacks.

For more detailed information on this incident and mitigation strategies, refer to the following sources:

Tags: software supply chain attack, Axios npm package, North Korean hackers, Sapphire Sleet, cybersecurity