Ever wonder if that ‘npm install axios’ you ran last week handed your machine to Pyongyang?
Axios npm package compromised—that’s the stark reality hitting JavaScript devs worldwide. On March 30, 2026, versions 1.14.1 and 0.30.4 got hijacked via a maintainer’s account takeover. Attackers pushed tainted updates that look legit, bundling a nasty remote access trojan (RAT) firing up on install.
Sophos sniffed this out first—their telemetry lit up around 00:45 UTC on March 31. By 01:00, it had spread wide across macOS, Windows, and Linux. No big follow-on chaos yet, but the damage? Cross-platform payloads phoning home to a C2 server for second-stage nasties.
How the Axios NPM Heist Unfolded
Picture this: legit maintainer account falls. Boom—malicious deps slip in. The RAT cleans up after itself, swaps metadata to dodge forensics. Smart. Sneaky.
It pulls a ‘plain-crypto-js-4.2.1.tgz’ dependency that’s pure poison. Installing it triggers setup.js, which grabs platform-specific payloads. Windows gets a PowerShell RAT; macOS a ‘com.apple.act.mond’ daemon; Linux an ld.py script. All chatting back to attacker servers.
Sophos Counter Threat Unit dug deep. Artifacts match NICKEL GLADSTONE, North Korea’s revenue arm for the regime. Same C2 patterns, forensic fingerprints, exclusive malware ties. Highly likely? That’s their call—and it sticks.
CTU™ analysis of the Axios npm compromise revealed artifacts linked to previous activity attributed to the NICKEL GLADSTONE threat group. This state-sponsored group focuses on generating revenue for the North Korean regime.
Here’s my take: this isn’t random script-kiddies. It’s statecraft via supply chain, echoing SolarWinds 2020 but in JS land. Back then, nation-states hit enterprises; now, every Node.js shop’s exposed. Unique angle? NPM’s 2 million packages mean one slip ripples to millions—Axios alone boasts 150k+ weekly downloads pre-breach. Market dynamic: open source’s free ride just got pricier.
Is Your Axios Install a Ticking Bomb?
Short answer: maybe. Check those versions—1.14.1, 0.30.4. Hashes don’t lie. Here’s the hit list from Sophos:
- axios-1.14.1.tgz: MD5 21d2470cae072cf2d027d473d168158c, SHA1 2553649f2322049666871cea80a5d0d6adc700ca, SHA256 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd
- axios-0.30.4.tgz: SHA1 d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71, SHA256 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f
- Payloads: system.bat (Windows) SHA256 f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd; com.apple.act.mond (macOS) SHA256 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a; ld.py (Linux)
Run ‘npm ls axios’. Vulnerable version? Nuke it. Update to a clean version. Scan logs for odd outbound traffic; Sophos detections like JS/Agent-BLYB or Troj/PSAgent-CN flag it.
Organizations, wake up. Devs treat deps like air—ubiquitous, unchecked. But here’s the editorial jab: NPM’s maintainer model? Fatally trusting. No mandatory 2FA, no scoped publishes. This breach screams for registry overhauls, or we’re replaying this quarterly.
Why North Korea Loves NPM—and What It Means for Markets
NICKEL GLADSTONE isn’t new. They peddle fake IT gigs, steal crypto, now this. Revenue for Kim’s coffers—RATs enable data theft, ransomware precursors.
JS ecosystem? Goldmine. Node.js powers Netflix, Uber, LinkedIn. Axios? In 80% of surveys as top HTTP lib. Compromise it, you own the web.
Market ripple: stock dips for npm Inc. (GitHub-owned)? Nah, but enterprise security budgets spike. Expect vendor lock-in pushes—Verdaccio alternatives, private registries boom. Prediction: by Q3 2026, NPM mandates 2FA for maintainers, or forks proliferate.
And devs? Shift left harder. Tools like Socket.dev, npm audit—use ‘em. But corporate hype alert: don’t buy ‘zero-trust supply chain’ snake oil without audits.
Sophos urges log reviews, updates. Smart. But broader? Train teams on maintainer hygiene—rotate keys, monitor publishes.
This Axios hit exposes JS’s underbelly. Billions in code, pennies in security. Fix it, or Pyongyang cashes in.
The Bigger Supply Chain Reckoning
Remember Codecov 2021? Bash uploader tampered—CI/CD nightmare. XZ Utils 2024? Near-RCE in Linux. Pattern: insiders or takeovers.
Axios accelerates the panic. NPM’s scale dwarfs them—3.5M packages, zero vetting.
Bold call: expect SEC filings mandating OSS audits by 2027. Boards freak over nation-state vectors. Insurance premiums? Through the roof for unpatched deps.
Protections matter: Sophos lists JS/Agent-BLYB, OSX/NukeSped-CB. Hunt those IOCs—but IPs rotate, so behavioral hunts win.
Devs, audit now. Or risk your fleet becoming DPRK puppets.
Frequently Asked Questions
What versions of Axios NPM were compromised?
1.14.1 and 0.30.4—check hashes against Sophos indicators.
How do I detect Axios malware on my system?
Scan for the listed hashes, review ‘npm ls axios’ output, and hunt C2 traffic via logs. Use Sophos detections like Troj/PSAgent-CN.
Is North Korea behind the Axios NPM attack?
Sophos CTU attributes it to NICKEL GLADSTONE with high confidence—matching artifacts and patterns.