What is the Axios npm package hijack?

Hackers compromised maintainer Jason Saayman to publish RAT-laden Axios v1.14.1 and v0.30.4 via plain-crypto-js dep. Hit 100M+ download pkg; Google links to North Korea's UNC1069.

How to check if my project has the malicious Axios versions?

Search lockfiles (package-lock.json etc.) for axios@1.14.1, @0.30.4, or plain-crypto-js. Run `npm ls`; update to v1.6.0+. Scan CI for IOCs.

Who is behind the Axios RAT attack?

UNC1069, DPRK financially motivated group using WAVESHAPER.V2. Active since 2018, per Google Threat Intelligence.

🛡️ Security Tools

North Korea Poisons Axios NPM with RATs in Bold Supply Chain Hit

A single hijacked maintainer turned Axios—the JS HTTP king with 100 million weekly downloads—into a RAT delivery vehicle. North Korean actors bet big on supply chain chaos, and it almost paid off.

Threat Digest Apr 03, 2026 4 min read

Hacker injecting malware into Axios npm package code with North Korean flag overlay

⚡ Key Takeaways

Axios hijack via maintainer compromise spreads cross-platform RATs to millions of projects. 𝕏
Check lockfiles immediately for v1.14.1, v0.30.4, or plain-crypto-js—Google warns of huge blast radius. 𝕏
North Korea's UNC1069 eyes supply chains; expect provenance mandates to combat this. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#RAT malware #axios npm hijack #npm malware #supply chain attack #unc1069

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by InfoSecurity Magazine

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

North Korean Hackers' Slick Slack Trick: Inside the Axios npm Compromise

Axios npm Poisoning: Hackers Hijack Your Dev Secrets via 100M Downloads

North Korea's UNC1069 Turns Axios NPM into Cross-Platform Trapdoor

Inside the Axios Hijack: How DPRK RATs Slipped into Dev Workflows Worldwide

Stay in the loop