Apr 01, 2026 · 6 min read
North Korea Backdoored the npm Package Your App Probably Depends On
On March 31, 2026, a North Korean threat actor compromised the axios npm package and pushed malicious versions that deployed a cross-platform backdoor on every machine that ran `npm install` and resolved one of them. The malicious versions were live for about three hours.
What Happened
Axios is the most widely used JavaScript HTTP client library on npm, with over 100 million weekly downloads. On March 31, 2026, an attacker gained access to the primary maintainer's npm account and published two backdoored releases: `axios@1.14.1` (tagged "latest") and `axios@0.30.4` (tagged "legacy"). Both versions pulled in a phantom dependency, `plain-crypto-js`, a package that did not exist in the npm registry until the attacker staged it for this campaign.
The malicious package used a postinstall hook to silently execute an obfuscated JavaScript dropper. No user interaction was required: anyone who ran `npm install` and resolved either version during the three-hour exposure window had the dropper executing on their machine automatically. Install scripts run with the full privileges of the installing user, so a machine was compromised before the developer ever imported axios in code. Running installs with `--ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) blocks this class of payload, at the cost of breaking packages that legitimately need a build step.
According to Huntress, the first confirmed infection on macOS occurred just 89 seconds after the malicious package was published. The first Windows infection followed roughly 36 minutes later.
The Attack Timeline
The operation moved fast and was over before most of the world woke up:
- March 30, 23:59 UTC: The attacker published `plain-crypto-js@4.2.1` containing the payload. A decoy version (4.2.0) had been staged 18 hours earlier to build publishing history and avoid automated scanners
- March 31, 00:06 UTC: Socket, a supply chain security tool, flagged the package, six minutes after publication
- March 31, 00:22 UTC: `axios@1.14.1` went live as the "latest" version on npm
- March 31, 00:23 UTC: First macOS infection detected, 89 seconds after publish
- March 31, 01:01 UTC: `axios@0.30.4` published as "legacy"
- March 31, ~03:29 UTC: Malicious packages removed from npm
How the Maintainer Account Was Compromised
The attacker took over the jasonsaayman npm account, belonging to the primary axios maintainer, and changed the associated email address to an attacker-controlled Proton Mail address. The maintainer later stated they had two-factor authentication enabled on "practically everything," but how the account was taken over has not been established.
A critical detail: the axios project had GitHub Actions OIDC (trusted publishing) configured, which is meant to replace long-lived npm tokens so that releases can only originate from the repository's CI. But the CI workflow also exposed an NPM_TOKEN as an environment variable, and when such a token is present npm uses it rather than the OIDC exchange. A long-lived token is valid from any machine, not just the pipeline: the attacker bypassed CI/CD entirely and published directly from the npm CLI with it.
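As an added example (not the axios project's actual workflow), here is the shape of the weak configuration described above next to a hardened one. The secret name NPM_TOKEN follows the write-up; the job names, the Node version and the NODE_AUTH_TOKEN mapping that actions/setup-node reads are assumptions for illustration.

```yaml
# Added example, not the axios project's workflow. Shows the failure mode in
# the text: trusted publishing (OIDC) is configured, but a long-lived token
# is still handed to the publish step, so the token is what gets used.
name: publish

on:
  release:
    types: [published]

jobs:
  # Weak: id-token is granted, but NODE_AUTH_TOKEN (fed from the NPM_TOKEN
  # secret) takes precedence. That same token publishes from any laptop.
  publish-weak:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived token: remove

  # Hardened: no token secret anywhere in the job. npm exchanges the OIDC
  # identity for a short-lived credential, and the package's trusted
  # publisher on npmjs.com is pinned to this repository and workflow file.
  publish-hardened:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI
      - run: npm ci
      - run: npm publish --provenance --access public
```

Removing the secret from the workflow is only half the fix: the token itself has to be revoked on npmjs.com, otherwise anyone who already holds a copy can keep publishing outside CI, which is exactly what happened here.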
The Malware: WAVESHAPER.V2
The payload deployed a cross-platform remote access trojan (RAT) called WAVESHAPER.V2 that targeted macOS, Windows, and Linux. According to Google's Threat Intelligence Group, the malware enables credential theft, data exfiltration, and full remote access to compromised systems.
The macOS binary contains overlaps with previously documented DPRK linked backdoors. An internal project name "macWebT" connects to BlueNoroff's documented "webT" module from earlier RustBucket campaigns. The malware communicated with command and control infrastructure at domains including calltan[.]com and callnrwise[.]com, both previously linked to North Korean operations by Volexity researchers.
Attribution to North Korea
Google attributed the attack to UNC1069, a financially motivated North Korean threat actor active since at least 2018. Multiple intelligence firms corroborated the attribution based on code overlaps, infrastructure connections, and tactical patterns consistent with DPRK supply chain operations.
North Korea has increasingly targeted the software supply chain as a revenue source. Previous operations have included attacks on AI libraries that store API keys and VS Code project files designed to execute malware without any user interaction. The same actors also stole $280 million from Drift Protocol by targeting governance keys rather than code.
The Scale of the Problem
Axios averages over 100 million weekly downloads on npm. Within Huntress' partner base alone, at least 135 endpoints across all operating systems contacted the attacker's command and control infrastructure during the exposure window. The true number of affected machines is likely orders of magnitude larger.
The attack hit developer workstations, CI/CD pipelines, and potentially production servers. Any system that resolved either malicious version during the three-hour window should be treated as fully compromised.
What to Do Right Now
If you use axios in any project, take these steps immediately:
- Check your `package-lock.json` or `yarn.lock` for `axios@1.14.1` or `axios@0.30.4`. If either appears, treat the system as potentially compromised
- Search your lock files for the dependency `plain-crypto-js`. Its presence confirms that the malicious payload was resolved
- Remember that a lock file only records the most recent install. A workstation or CI runner that installed axios during the window without a committed lock file, or whose lock file has since been regenerated, has to be checked against its install, shell and proxy logs instead
- Search DNS, proxy and EDR logs for connections to the command and control domains named above, calltan[.]com and callnrwise[.]com
- If compromised, rotate all credentials, tokens, and API keys accessible from the affected machine, including npm tokens and CI secrets. The RAT includes credential theft capabilities
- Rebuild affected systems from scratch rather than attempting cleanup. A RAT with full remote access may have altered other files
- Update to `axios@1.14.2` or later, the first clean release after the incident