What is the Axios supply chain attack?

Hackers hijacked an Axios npm maintainer account, pushed malicious versions injecting a DPRK-linked RAT that hits Windows, Mac, and Linux via postinstall hooks.

How do I check if my project has the compromised Axios versions?

Run npm ls axios; if v1.14.1 or v0.30.4, uninstall, pin to safe version like 1.14.0, run npm audit fix.

Is the Axios attack linked to North Korea?

Yes—malware matches WAVESHAPER tooling tied to DPRK ops by researchers like Unit 42.

🛡️ Security Tools

Inside the Axios Hijack: How DPRK RATs Slipped into Dev Workflows Worldwide

Your next npm install could drop a North Korean RAT on your machine. That's the brutal reality for devs worldwide after the Axios supply chain attack—and it's already hit finance, tech, and healthcare.

Threat Digest Apr 03, 2026 4 min read

Diagram of Axios npm compromise injecting plain-crypto-js RAT across Windows, macOS, and Linux

⚡ Key Takeaways

DPRK hackers injected RAT via npm postinstall hooks in Axios v1.14.1/v0.30.4, hitting devs cross-platform. 𝕏
Attack evades detection with self-destruct, fake npm traffic, ancient UA—persists via OS-specific tricks. 𝕏
Echoes SolarWinds for JS; predicts SBOM push and maintainer security overhaul. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#Axios supply chain attack #DPRK hackers #DPRK malware #RAT persistence #RAT trojan #npm malware #npm security

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Palo Alto Unit 42

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Axios npm Poisoning: Hackers Hijack Your Dev Secrets via 100M Downloads

North Korea Poisons Axios NPM with RATs in Bold Supply Chain Hit

GlassWorm's Stealthy Crawl: Fake Extensions and Blockchain C2 Turn Dev Tools into Spyware Nightmares

Iran's April 1 Deadline Puts Apple, Google in Crosshairs

Stay in the loop