North Korean Hackers Compromise Axios npm Package in Major Supply Chain Attack
In a significant escalation of software supply chain attacks, the popular JavaScript library axios was compromised on March 31, 2026, leading to widespread concerns about dependency security in the developer community. The attack has been attributed to the North Korean state-sponsored group known as Sapphire Sleet.
Details of the Compromise
On March 31, 2026, malicious versions of axios, specifically 0.27.2 and 0.27.3, were published to the npm registry. These versions carried a covertly added dependency, plain-crypto-js, whose install-time script fetched and executed a second-stage Remote Access Trojan (RAT) while npm install was running. Any machine that installed one of the compromised versions, whether a developer workstation or a CI runner, was therefore exposed to the attackers.
The attack was particularly insidious because it required no user interaction beyond a routine package installation. npm's lifecycle script mechanism (install and postinstall hooks) runs such scripts automatically, and the malicious package sat one level below axios in the dependency tree, which made detection and prevention difficult for developers who only watched their direct dependencies.
Attribution to Sapphire Sleet
Microsoft's security team has attributed this attack to Sapphire Sleet, a North Korean state-sponsored threat actor known for targeting cryptocurrency and financial sectors. The group's focus on high-value targets aligns with the strategic objectives of the North Korean regime, aiming to generate revenue through cyber operations.
With over 70 million weekly downloads, axios is a widely used HTTP client for JavaScript, making this compromise one of the most extensive supply chain attacks in the JavaScript ecosystem to date. The widespread use of axios means that numerous applications and services could be affected, amplifying the potential impact of the attack.
Immediate Mitigation Steps
Developers and organizations using axios are urged to take the following immediate actions to mitigate the risk:
- Rollback to Safe Versions: Revert to versions of axios prior to 0.27.2, and confirm the version that actually resolved in the lockfile rather than trusting the semver range in package.json.
- Remove Malicious Dependencies: Identify and remove any instances of the malicious dependency plain-crypto-js that may have been installed as part of the compromised axios versions, including copies nested under node_modules/axios.
- Flush npm Cache: Clear the npm cache so that a later install cannot reuse cached copies of the compromised versions.
- Rotate Credentials: Change all credentials that were reachable from environments where the compromised versions were installed (npm and registry tokens, cloud and CI secrets, SSH keys, and any keys or wallets on affected machines), as they may have been exposed to the attackers.
These steps are critical to prevent further exploitation and to secure development environments against potential breaches resulting from this attack.
Broader Implications for Supply Chain Security
This incident underscores the growing threat of supply chain attacks and the need for robust security measures in software development practices. The compromise of a widely used package like axios highlights several key concerns:
- Dependency Management: Reliance on third-party libraries and packages introduces significant risk, and the risk sits in the transitive tree as much as in the packages a project names directly. Organizations must implement strict controls over the dependencies they use, including committed lockfiles, regular audits, and verification of package integrity against the lockfile's recorded hashes.
- Automated Execution Risks: Lifecycle scripts such as install and postinstall, while convenient, let an attacker execute code on every machine that runs npm install. Developers should inventory which dependencies declare such scripts and consider disabling them (npm's ignore-scripts setting) on CI runners and in environments where security is a concern, re-enabling them only for packages that genuinely need a build step.
- State-Sponsored Threats: The involvement of state-sponsored actors like Sapphire Sleet indicates a strategic shift towards targeting the software supply chain to achieve broader objectives, such as financial gain or espionage.
To address these challenges, organizations are encouraged to adopt comprehensive supply chain security practices, including:
- Implementing Zero-Trust Policies: Assume that any component, even one from a trusted maintainer, could be compromised. Pin exact versions, review what a version bump actually pulls in, and verify and validate code before deployment rather than on the strength of a package's reputation.
- Continuous Monitoring: Employ tools and processes to continuously monitor for unusual activities or changes in the development environment that could indicate a compromise.
- Education and Awareness: Train developers and staff on the risks associated with supply chain attacks and best practices for mitigating them.
By taking these proactive steps, organizations can enhance their resilience against supply chain attacks and protect their software ecosystems from emerging threats.
Conclusion
The compromise of the axios npm package by North Korean hackers serves as a stark reminder of the vulnerabilities inherent in modern software development practices. As supply chain attacks become more sophisticated and prevalent, it is imperative for organizations to prioritize security in their development workflows and to remain vigilant against potential threats.
For more detailed information on this incident and recommended mitigation strategies, refer to the following sources: