Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious versions of the highly popular Axios NPM library were distributed to millions in a fresh supply chain attack blamed on North Korean hackers.

A promise-based HTTP client that supports asynchronous API requests from Node.js and browsers, Axios is used for fetching, sending, and updating data.

With over 100 million weekly downloads, it is a top 10 NPM package and the most popular JavaScript HTTP client library, present in approximately 80% of cloud and code environments.

On March 31, 2026, just after midnight, two backdoored Axios versions were published to the NPM registry to automatically execute a payload across Windows, macOS, and Linux systems, without user interaction.

The nefarious package versions, namely 1.14.1 and 0.30.4, were removed from the registry roughly three hours later. During this window, they were downloaded by roughly 3% of the Axios userbase, Wiz says.

The backdoored iterations contained a phantom ...