axios npm Hijacked by North Korea: 100M Downloads Served a RAT for 3 Hours
Quick summary
North Korea hijacked the axios npm package on March 31, deploying a RAT in versions 1.14.1 and 0.30.4 for 3 hours. 100M weekly downloads in the blast radius. Check your node_modules now.
Between 00:21 and 03:20 UTC on March 31, 2026, anyone who ran npm install in a project using axios pulled down a version that contained a cross-platform Remote Access Trojan. The attacker had roughly three hours before the malicious packages were detected and removed. In that window, axios's 100 million weekly downloads made it one of the largest blast-radius supply chain attacks in npm history.
The attack was attributed by Google's Threat Intelligence Group to UNC1069, a North Korea-nexus financially motivated threat actor. The target was not a specific company. The target was the developer toolchain itself.
How the Attack Happened: Account Hijack via Social Engineering
The entry point was the npm account of axios's lead maintainer. The attacker did not find a vulnerability in axios's code or npm's infrastructure. They compromised the human maintainer — the most common and most effective vector for supply chain attacks on open-source projects.
Social engineering of open-source maintainers follows a documented playbook that North Korean operators have refined across multiple campaigns: build a relationship with the target over weeks or months (fake job offers, fake collaboration requests, fake security researcher personas), then at the moment of access extract credentials or convince the target to perform an action that transfers control.
Once the attacker had the npm credentials, publishing a new package version took seconds. The malicious axios versions — 1.14.1 and 0.30.4 — appeared as routine patch releases. Nothing in the version numbers signaled anything unusual.
The Malware Chain: plain-crypto-js, SILKBELL, and WAVESHAPER.V2
The attack used a three-stage delivery chain designed to evade automated scanning.
Stage 1 — plain-crypto-js: The malicious axios versions added a hidden dependency: plain-crypto-js at version 4.2.0 or 4.2.1. This package name is designed to blend into a node_modules folder. crypto is a standard Node.js module, and packages with crypto in the name are common. The package itself does not trigger obvious static analysis alerts because the malicious logic is obfuscated and the package's stated purpose (cryptographic utilities) is plausible.
Stage 2 — SILKBELL: Inside plain-crypto-js lives an obfuscated JavaScript dropper named SILKBELL (identified as setup.js). SILKBELL's job is platform detection and payload delivery. It identifies whether the victim's machine is running Windows, macOS, or Linux, then fetches the appropriate next-stage payload from a remote command-and-control server.
Stage 3 — WAVESHAPER.V2: The final payload is WAVESHAPER.V2, an updated version of a C++ backdoor previously deployed by UNC1069 in attacks on the cryptocurrency sector. It is delivered as one of three platform-specific payloads: a PowerShell-based implant for Windows, a C++ Mach-O binary for macOS, and a Python backdoor for Linux.
WAVESHAPER.V2 supports four commands: kill (terminate the malware process), rundir (enumerate directory listings), runscript (execute AppleScript, PowerShell, or shell commands), and peinject (decode and execute arbitrary binaries). The runscript and peinject commands give the attacker arbitrary code execution with whatever privileges the Node.js process was running under.
In a typical developer or CI/CD environment, that means: access to environment variables (which contain API keys, database passwords, and cloud credentials), access to local credential stores, access to SSH keys, and the ability to exfiltrate any file the process can read.
Are You Affected? How to Check Right Now
The attack window was 00:21 to 03:20 UTC on March 31, 2026. If your npm install or npm ci ran during that window and your project uses axios, you may have pulled malicious packages.
Check 1 — look for plain-crypto-js:
find ./node_modules -name "plain-crypto-js" -type d
If this returns any result, your environment is compromised. Do not run anything else on this machine.
Check 2 — check your axios version:
cat node_modules/axios/package.json | grep '"version"'
If the output is 1.14.1 or 0.30.4, you installed the malicious version. Treat the environment as compromised even if Check 1 returned nothing — the payload may have already executed and been cleaned up.
Check 3 — audit your package-lock.json or yarn.lock:
Search your lockfile for plain-crypto-js. If it appears, the dependency was resolved and installed. A lockfile entry without a corresponding node_modules folder means npm may have deduplicated it, but you should still rotate credentials.
Safe versions: 1.14.0 and earlier, 0.30.3 and earlier. Version 1.14.2 was published after the incident as a clean release. Verify its integrity against the npm registry before using it.
If You Are Compromised: What to Do
If plain-crypto-js was present in your environment, or you ran npm install during the 00:21-03:20 UTC window with an affected axios version, assume the following have been exfiltrated:
- All environment variables accessible to the Node.js process at install time. This includes anything in your .env file, CI/CD secrets injected as environment variables, AWS_ACCESS_KEY_ID, DATABASE_URL, API keys — everything.
- SSH private keys in ~/.ssh/ if the process had home directory access.
- Credential files for cloud CLIs (AWS credentials file, gcloud application default credentials, Azure CLI tokens).
Immediate actions:
- Revoke and rotate every secret, API key, and credential that was accessible on that machine or in that CI/CD environment. Do not try to determine which specific secrets were taken — assume all of them were.
- Audit your cloud provider for unauthorized API calls, new IAM users, new access keys, or unusual service usage starting from March 31 00:21 UTC.
- Check for new SSH keys added to your GitHub, GitLab, or Bitbucket account.
- If the compromise happened in a CI/CD pipeline, audit every job that ran between 00:21 and 03:20 UTC and assume its output environment is untrusted.
- File a security incident report if your organization has one. This is a reportable event under most security frameworks.
North Korea Targeting Developer Supply Chains: The Pattern
UNC1069 has been active since at least 2018 and has historically targeted the cryptocurrency sector — exchanges, DeFi protocols, and wallet providers. The shift to targeting developer toolchain packages represents a strategic evolution: instead of attacking a specific crypto company, attack the tools that every developer in the crypto ecosystem uses.
This is the same logic that drove the 3CX supply chain attack (2023), the XZ Utils backdoor (2024), and the tj-actions GitHub Actions compromise (2025). Each attack targeted a widely-used developer tool with the goal of establishing a persistent foothold across thousands of downstream organizations simultaneously.
The axios attack is notable for its target selection. axios is present in approximately 80% of cloud and code environments — not just crypto projects. The runscript and peinject capabilities of WAVESHAPER.V2 are specifically useful for crypto wallet credential extraction, but they also work against any developer environment running cloud infrastructure credentials.
March 31, 2026 was an unusually active day for npm security incidents. The same day, Anthropic's Claude Code accidentally exposed its own source code via a misconfigured npm source map — a completely unrelated event, but the coincidence underscores how much of modern development infrastructure routes through the npm registry and how consequential a compromise of that channel is.
What This Means for npm Trust and Supply Chain Security
The axios attack will accelerate adoption of several practices that have been best-practice recommendations for years but are not yet universally implemented:
npm provenance attestation — npm now supports signed provenance for published packages, cryptographically linking a package version to a specific GitHub Actions workflow run. Packages with verified provenance cannot be published from a compromised maintainer account without the attacker also controlling the CI/CD pipeline. axios had not yet enabled provenance attestation at the time of the attack.
Lockfile integrity verification — Tools like Socket.dev, Snyk, and Wiz now scan package lockfiles for newly introduced dependencies that were not present in previous versions. A clean lockfile audit would have flagged the addition of plain-crypto-js immediately.
Dependency pinning in CI/CD — Running npm ci (which uses the lockfile exactly) rather than npm install (which may resolve newer versions) limits exposure. If your lockfile was generated before the attack window, npm ci would not have installed the malicious versions even if they were the latest.
Key Takeaways
- Malicious axios versions: 1.14.1 and 0.30.4 — published March 31, 00:21-03:20 UTC, now removed. Safe versions: 1.14.0 or 0.30.3 and earlier, or 1.14.2+
- Check for plain-crypto-js in node_modules — if found, assume full environment compromise and rotate all secrets immediately
- Attack chain: plain-crypto-js → SILKBELL dropper → WAVESHAPER.V2 backdoor — cross-platform (Windows PowerShell, macOS Mach-O, Linux Python), supports arbitrary code execution via runscript and peinject
- Attribution: UNC1069 (North Korea) — financially motivated, previously targeted crypto sector, now targeting developer toolchain for broader credential harvesting
- Entry point was maintainer account compromise — not an npm vulnerability, not a code vulnerability — social engineering of the human maintainer
- If you ran npm install during 00:21-03:20 UTC on March 31: audit cloud provider for unauthorized API calls, rotate all credentials, check for new SSH keys on your Git accounts
Frequently Asked Questions
Which axios npm versions are malicious?
Versions 1.14.1 and 0.30.4, published March 31, 2026 between 00:21 and 03:20 UTC. Both have been removed from npm. Safe versions are 1.14.0 and earlier, 0.30.3 and earlier, or the clean 1.14.2 release published after the incident. Check your package-lock.json or node_modules/axios/package.json to confirm which version you have installed.
What malware was in the axios npm supply chain attack?
A three-stage chain: plain-crypto-js (malicious dependency) contained SILKBELL, an obfuscated JavaScript dropper that detected the OS and fetched a platform-specific payload. The final stage was WAVESHAPER.V2, a backdoor supporting kill, rundir, runscript, and peinject commands — enabling arbitrary code execution, credential exfiltration, and binary injection on Windows, macOS, and Linux.
How do I check if my environment was compromised by the axios attack?
Run: find ./node_modules -name "plain-crypto-js" -type d — if any result appears, assume full compromise. Also check your axios version: if it shows 1.14.1 or 0.30.4 in package.json, treat the environment as compromised even if plain-crypto-js is gone. Rotate all secrets, API keys, and credentials accessible to that machine or CI/CD environment.
Who is behind the axios npm hack?
Google Threat Intelligence Group attributed the attack to UNC1069, a North Korea-nexus financially motivated threat actor active since at least 2018. The group previously targeted cryptocurrency exchanges and DeFi protocols. The npm supply chain attack represents a strategic shift to targeting developer tooling used by the entire crypto ecosystem rather than specific companies.
How did North Korea hack the axios npm package?
By compromising the npm account of axios's lead maintainer through social engineering — the same technique used in the XZ Utils backdoor (2024) and 3CX supply chain attack (2023). Once the attacker had the maintainer's npm credentials, publishing a malicious package version takes seconds and appears as a routine patch release with nothing suspicious in the version number.
