North Korean hackers from the UNC1069 group hijacked the axios npm package – downloaded 100 million times per week – and distributed the WAVESHAPER.V2 remote access trojan for three hours on March 31, 2026. The breach has reignited a fierce debate about open-source software supply chain security and the $14.2 billion ecosystem that underpins almost every modern web application.
Last updated: April 10, 2026
What Happened: A 3-Hour Window That Exposed Millions of Developers
At 00:21 UTC on March 31, 2026, two malicious versions of the axios npm package – version 1.14.1 and version 0.30.4 – appeared on the npm registry. The attacker had compromised the GitHub account of Jason Saayman, one of the package’s primary maintainers, approximately two weeks earlier through a sophisticated social engineering campaign. The compromised versions contained a hidden dependency called plain-crypto-js v4.2.1, which executed a post-install script that downloaded platform-specific payloads from a command-and-control server at sfrclak[.]com (IP: 142.11.206.73).
The malicious code remained live for approximately three hours before security firm StepSecurity detected the anomaly and npm pulled the tainted versions at 03:20 UTC. In that narrow window, however, the damage potential was enormous. Axios is one of the most depended-upon packages in the entire JavaScript ecosystem, with roughly 100 million weekly downloads and presence in approximately 80% of cloud and enterprise development environments. Any developer or CI/CD pipeline that ran npm install during those three hours could have pulled the compromised version automatically.
Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069, a financially motivated North Korean threat actor that has been active since at least 2018. The group’s primary focus has historically been cryptocurrency theft and targeting decentralized finance platforms, but this attack represented a significant escalation in both scope and sophistication.
Inside the UNC1069 Social Engineering Campaign
The attack did not exploit a zero-day vulnerability in npm’s infrastructure. Instead, UNC1069 operators spent approximately two weeks building rapport with maintainer Jason Saayman through what appeared to be legitimate professional networking. The attackers used a combination of deepfake-enhanced video calls and AI-generated communications to establish trust, eventually convincing Saayman to participate in what he believed was a collaborative code review session.
During this interaction, the attackers attempted to get Saayman to execute a curl command that would have directly compromised his development machine. When that approach failed, they pivoted to stealing a long-lived npm access token associated with his account. Once they had the token, they changed the account’s associated email address to [email protected] and published the two backdoored versions.
John Hultquist, Chief Analyst at Google Threat Intelligence Group, said in a statement: “North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.”
The social engineering playbook mirrors tactics documented across multiple North Korean cyber operations in 2025 and 2026. The United Nations Panel of Experts estimated that North Korean state-sponsored hackers stole approximately $1.7 billion in cryptocurrency during 2024 alone, and the axios compromise suggests these groups are now targeting the development infrastructure itself rather than just individual wallets or exchanges.
WAVESHAPER.V2: Technical Anatomy of the Malware Payload
The WAVESHAPER.V2 remote access trojan represents an evolution of tools previously attributed to UNC1069. The malware was delivered through the plain-crypto-js dependency, which contained a post-install script that executed automatically when npm resolved the axios package. The payload delivery mechanism was designed for cross-platform operation, with separate execution paths for macOS, Windows, and Linux systems.
On macOS – the primary target given the prevalence of Apple hardware among professional developers – the malware established persistence through a LaunchAgent configuration. On Windows, it executed via PowerShell, while Linux variants used Python-based loaders. Once installed, WAVESHAPER.V2 provided the attacker with thorough system reconnaissance capabilities, filesystem enumeration, remote code execution, credential harvesting, and the ability to exfiltrate npm tokens for potential cascading supply chain attacks.
Ami Luttwak, co-founder and CTO of Wiz, noted: “We detected the compromised axios package in approximately 3% of all environments we examined. The real concern is not just direct installations – it is the transitive dependency chain. Hundreds of packages depend on axios, and any automated pipeline that resolved dependencies during that window is potentially compromised.”
A critical feature of the malware was its self-cleaning capability. After establishing its persistence mechanism and exfiltrating initial data, the post-install script removed traces of its execution, making forensic analysis significantly more difficult for organizations that did not have thorough logging in place. The command-and-control infrastructure was routed through AstrillVPN nodes, a pattern consistent with UNC1069 operations dating back to 2020.
The npm Ecosystem: Scale of the Attack Surface
To understand the significance of this attack, it is essential to grasp the scale of the npm ecosystem. As of April 2026, the npm registry hosts over 3.2 million packages, processes approximately 2.1 billion downloads per week, and serves as the backbone of virtually every modern JavaScript and TypeScript application. A single compromised package at the top of the dependency tree can propagate malicious code to thousands of downstream projects without any action from their maintainers.
Axios sits in a particularly dangerous position within this ecosystem. According to data from Socket.dev, it is the 11th most-depended-upon package on npm, with over 115,000 packages listing it as a direct dependency. When indirect dependencies are included, the package touches an estimated 2.4 million projects. The three-hour exposure window, combined with automated CI/CD pipelines that resolve dependencies on every build, means the actual number of compromised installations could number in the tens of thousands.
| Metric | Axios (2026) | npm Ecosystem Total |
|---|---|---|
| Weekly Downloads | ~100 million | ~2.1 billion |
| Direct Dependents | 115,000+ packages | 3.2 million packages total |
| Indirect Project Reach | ~2.4 million projects | N/A |
| Enterprise Environment Presence | ~80% of cloud environments | 99%+ of JS projects |
| Exposure Window (March 31) | 3 hours (00:21–03:20 UTC) | N/A |
| Wiz Detection Rate | 3% of scanned environments | N/A |
Historical Context: A Pattern of Escalating Supply Chain Attacks
The axios compromise is the latest – and arguably the most significant – in a series of open-source supply chain attacks that have grown in frequency and sophistication over the past eight years. Each incident has exposed deeper systemic vulnerabilities in how the global software industry manages its dependency on community-maintained code.
In 2018, the event-stream incident demonstrated the risk of maintainer handoff when a new contributor injected cryptocurrency-stealing code that affected approximately 800,000 projects. The 2021 ua-parser-js compromise saw attackers hijack a package with over one million weekly downloads to deploy cryptominers and credential stealers. In early 2022, the maintainer of colors.js and faker.js deliberately sabotaged his own packages – downloaded 14 million times weekly – in a protest against corporate free-riding on open source. And in March 2024, the xz-utils backdoor revealed a years-long, state-level infiltration of a critical Linux compression utility that was caught just days before it would have been merged into major Linux distributions.
Feross Aboukhadijeh, CEO of Socket, observed: “Each supply chain attack follows a predictable escalation curve. The event-stream attack in 2018 compromised a niche package. The xz-utils backdoor in 2024 targeted core infrastructure. Now we are seeing attacks against packages with 100 million weekly downloads. The trend is clear – attackers are going after the most impactful targets, and the open-source ecosystem has not kept pace with the threat.”
| Incident | Year | Attack Vector | Weekly Downloads at Time | Exposure Duration | Attribution |
|---|---|---|---|---|---|
| event-stream | 2018 | Maintainer handoff | ~2 million | ~2 months | Unknown |
| ua-parser-js | 2021 | Account hijack | ~1 million | ~4 hours | Unknown |
| colors.js / faker.js | 2022 | Maintainer protest | ~14 million | Days | Maintainer (deliberate) |
| xz-utils | 2024 | Long-term insider | N/A (system utility) | ~2 years (build scripts) | Suspected state actor |
| Axios (UNC1069) | 2026 | Social engineering + token theft | ~100 million | 3 hours | North Korea (UNC1069) |
Enterprise Impact: CI/CD Pipelines as the Primary Attack Vector
The axios attack highlights a fundamental vulnerability in modern software development: the automated dependency resolution that powers continuous integration and continuous deployment pipelines. Most enterprise development workflows are configured to pull the latest compatible version of every dependency on each build. When a malicious version appears in the registry, it can be automatically installed across thousands of build environments before anyone raises an alarm.
According to Sonatype’s 2025 State of the Software Supply Chain report, the average enterprise application contains 148 open-source dependencies, and the average large enterprise runs approximately 4,700 CI/CD pipeline executions per day. A three-hour window at peak development hours in the Asia-Pacific timezone – which is where the March 31 attack landed – could expose hundreds of enterprise build systems in a single organization.
The risk extends beyond the initial infection. WAVESHAPER.V2’s credential-harvesting capability means that compromised developer workstations and CI/CD runners could have leaked npm tokens, GitHub personal access tokens, cloud provider credentials, and other secrets stored in environment variables. Each stolen credential represents a potential vector for additional supply chain compromises, creating a cascading effect that security teams may spend months tracing.
Dan Lorenc, CEO and co-founder of Chainguard, commented: “The axios incident is a wake-up call for every enterprise running automated dependency resolution without integrity verification. Lockfiles, pinned versions, and provenance attestations are not optional anymore. They are critical security controls.”
The Detection and Response Timeline
The speed of detection in the axios attack represents both a success story and a cautionary tale. StepSecurity’s automated monitoring flagged the anomalous publish event within approximately two hours, and npm removed the tainted versions by 03:20 UTC – roughly three hours after the first malicious version appeared. Compared to historical incidents like the event-stream attack (which went undetected for two months) or the xz-utils backdoor (which persisted for approximately two years), this was a remarkably fast response.
However, three hours is an eternity in the context of modern software development. Automated npm audit tools, GitHub Dependabot alerts, and security scanning services began flagging the compromised versions within hours of the takedown, but by then the malicious code had already been executed in an unknown number of environments. The lack of a universal “kill switch” for npm packages – a mechanism to force immediate revocation across all caches and mirrors – meant that some organizations continued to install the compromised versions from local caches even after npm removed them from the public registry.
Maintainer Jason Saayman published a detailed postmortem within 48 hours, describing how the attackers built trust over a two-week period before executing their takeover. His transparency has been praised by the security community, but the incident has also raised uncomfortable questions about the burden placed on unpaid or underfunded maintainers who are expected to defend packages used by Fortune 500 companies against nation-state attackers.
npm Security Measures Under Scrutiny
The axios compromise has intensified scrutiny of npm’s security posture and the measures GitHub (which acquired npm in 2020) has implemented to prevent supply chain attacks. npm currently offers several security features, including two-factor authentication (2FA) for publishers, automated malware scanning, package provenance attestations via Sigstore, and granular access tokens. However, the axios attack exploited a gap in these defenses: a long-lived access token that bypassed 2FA requirements.
GitHub responded to the incident by announcing an accelerated rollout of mandatory short-lived tokens for all packages with more than one million weekly downloads, effective June 2026. The company also committed to implementing a “critical package” designation for the top 500 most-depended-upon packages, which will require additional identity verification and mandatory two-person publish approval. These measures mirror recommendations that security researchers have been advocating for since the xz-utils incident in 2024.
Critics argue these measures, while welcome, are reactive rather than proactive. The open-source security landscape still lacks a thorough solution for the fundamental trust problem: how to verify that the person publishing a package is who they claim to be, and that the code being published matches what was reviewed in a public repository. Initiatives like OWASP’s software supply chain security guidelines and the OpenSSF Scorecard project provide frameworks for evaluation, but adoption remains uneven across the ecosystem.
The $14.2 Billion Supply Chain Security Market Response
The axios attack has sent ripples through the software supply chain security market, which Gartner estimated at $14.2 billion in 2025 and projects to reach $23.6 billion by 2028. Companies specializing in dependency scanning, software composition analysis (SCA), and supply chain integrity verification have seen immediate increases in inbound demand following the incident.
Socket, which focuses specifically on detecting supply chain attacks in real time, reported a 340% increase in enterprise trial requests in the week following the axios disclosure. Snyk, valued at $7.4 billion after its 2024 funding round, announced it had detected the malicious axios versions within 90 minutes of publication and pushed automated remediation to its enterprise customers. Chainguard, which provides hardened container images with verified provenance, reported a 200% quarter-over-quarter increase in sales pipeline for Q1 2026.
The incident also drew attention to the work of StepSecurity, the firm that first detected the axios compromise. The company’s GitHub Actions security platform, which monitors for anomalous package publishing events, proved its value in the three-hour detection window. StepSecurity CEO Varun Sharma stated: “We built our detection engine specifically for this scenario – a trusted package suddenly including an unknown dependency. Automated behavioral analysis is the only way to catch these attacks at the speed they move.”
North Korea’s Evolving Cyber Operations: From Crypto Theft to Infrastructure Targeting
UNC1069 is one of several North Korean threat groups that operate under the broader umbrella of the Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. While the most well-known North Korean cyber unit – Lazarus Group (tracked as APT38 by some vendors) – has focused on large-scale financial theft, UNC1069 has carved out a niche in targeting the software development supply chain, particularly packages related to cryptocurrency and decentralized finance.
Google Threat Intelligence Group has tracked UNC1069 since 2018, documenting a steady evolution in the group’s tactics. Early operations focused on spear-phishing developers at cryptocurrency exchanges. By 2023, the group had shifted to creating malicious npm packages that impersonated legitimate libraries. The axios compromise represents the group’s first known successful takeover of a genuine, widely-used package – a significant escalation that suggests access to more sophisticated social engineering capabilities, potentially including AI-generated deepfakes for video calls.
The financial motivation behind these operations is well-documented. The United Nations Security Council reported that North Korean state-sponsored hackers stole an estimated $1.7 billion in cryptocurrency in 2024, accounting for approximately one-third of all cryptocurrency theft globally. These funds are believed to directly finance North Korea’s nuclear weapons and ballistic missile programs. The axios attack, with its credential-harvesting capability targeting developer environments that frequently contain cryptocurrency wallet keys and exchange API tokens, fits squarely within this operational pattern.
Parallel Attacks: UNC6780 and the Broader npm Threat Landscape
The axios compromise did not occur in isolation. In the same period, a separate North Korean-linked group tracked as UNC6780 (also known as TeamPCP) conducted attacks targeting the Trivy vulnerability scanner, Checkmarx security tools, and the LiteLLM AI framework. According to Google’s security research team, UNC6780 stole hundreds of thousands of secrets from compromised developer environments, including API keys, cloud credentials, and proprietary source code.
The simultaneity of these campaigns suggests a coordinated escalation in North Korean cyber operations targeting the software development ecosystem. While UNC1069 and UNC6780 appear to operate as distinct units with different infrastructure and tooling, their overlapping timelines and shared focus on developer-targeting supply chain attacks indicate strategic alignment at a higher organizational level.
The broader npm threat landscape has become increasingly hostile. Sonatype’s 2025 report documented a 156% year-over-year increase in malicious packages published to npm, PyPI, and other package registries, with over 512,000 malicious packages identified across all ecosystems in 2025. The axios incident stands out not for the technique – account takeover and dependency injection are well-known attack patterns – but for the scale and prominence of the targeted package.
What Organizations Should Do Now: Immediate Remediation Steps
Security teams at organizations that may have been affected by the axios compromise should take several immediate steps. First, audit all build logs and package-lock.json files from March 31, 2026, for references to axios versions 1.14.1 or 0.30.4, or any dependency on plain-crypto-js. Second, scan developer workstations and CI/CD runners for indicators of compromise associated with WAVESHAPER.V2, including connections to sfrclak[.]com or IP address 142.11.206.73. Third, rotate all credentials – including npm tokens, GitHub PATs, cloud provider keys, and any secrets stored in environment variables – that were accessible from potentially compromised systems.
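The three audit steps above (lockfile check, log check, credential exposure) can be scripted. The following is an added example, not code from the article or from any vendor it names: it audits a lockfileVersion 2/3 package-lock.json for the two backdoored axios versions and the plain-crypto-js dependency, scans log lines for the C2 domain and IP quoted in the article, and checks npm cache index keys for the tainted tarballs, since local caches can keep serving them after the registry takedown. It also goes one step beyond the incident by listing every package the lockfile marks as carrying an install script. The lockfile, log lines and cache keys below are constructed; the cache index format (the "key" field of the JSON records under ~/.npm/_cacache/index-v5) is an assumption about npm's on-disk layout.

```javascript
// Added example, not code from the article or from any vendor it names.
// Implements the audit steps over a lockfileVersion 2/3 package-lock.json,
// build/network log lines and npm cache index keys. All inputs are constructed.

// Indicators quoted from the article.
const BAD_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const BAD_DEPENDENCY = 'plain-crypto-js';
const BAD_DEPENDENCY_VERSION = '4.2.1';
// The article defangs the C2 domain as sfrclak[.]com; logs carry the real form.
const LOG_INDICATORS = [
  'sfrclak.com',
  '142.11.206.73',
  ...[...BAD_AXIOS_VERSIONS].map((v) => `axios-${v}.tgz`),
  BAD_DEPENDENCY,
];

// Package name from a "packages" key such as "node_modules/a/node_modules/@s/b".
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Step 1: audit the lockfile. Returns one finding per matched indicator.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = packageName(path);
    if (name === 'axios' && BAD_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ path, reason: `backdoored axios ${entry.version}` });
    }
    if (name === BAD_DEPENDENCY) {
      findings.push({ path, reason: `malicious dependency ${BAD_DEPENDENCY} ${entry.version}` });
    }
    if (BAD_DEPENDENCY in (entry.dependencies || {})) {
      findings.push({ path, reason: `${name} declares a dependency on ${BAD_DEPENDENCY}` });
    }
  }
  return findings;
}

// General check beyond this incident: packages npm recorded as carrying an
// install script (hasInstallScript: true), the hook type that delivered the payload.
function listInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== '' && entry.hasInstallScript === true)
    .map(([path]) => path);
}

// Step 2: scan log lines for the C2 domain/IP and for the tainted tarballs.
function scanLogLines(lines) {
  return lines.filter((line) => LOG_INDICATORS.some((ioc) => line.includes(ioc)));
}

// Cache check. Assumption: the caller extracted the "key" field from the JSON
// records in ~/.npm/_cacache/index-v5; each key embeds the fetched registry URL.
function findCachedTarballs(indexKeys) {
  const tarballs = [
    ...[...BAD_AXIOS_VERSIONS].map((v) => `/axios/-/axios-${v}.tgz`),
    `/${BAD_DEPENDENCY}/-/${BAD_DEPENDENCY}-${BAD_DEPENDENCY_VERSION}.tgz`,
  ];
  return indexKeys.filter((key) => tarballs.some((t) => key.includes(t)));
}

// Constructed sample inputs.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', dependencies: { [BAD_DEPENDENCY]: '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};
const SAMPLE_LOG_LINES = [
  '2026-03-31T01:02:11Z npm http fetch GET 200 https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
  '2026-03-31T01:02:14Z > plain-crypto-js@4.2.1 postinstall',
  '2026-03-31T01:02:15Z proxy CONNECT 142.11.206.73:443',
  '2026-03-31T01:02:16Z dns A sfrclak.com',
  '2026-03-31T01:05:00Z build finished',
];
const SAMPLE_CACHE_KEYS = [
  'make-fetch-happen:request-cache:https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
  'make-fetch-happen:request-cache:https://registry.npmjs.org/axios/-/axios-1.13.0.tgz',
  'make-fetch-happen:request-cache:https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('lockfile findings:', auditLockfile(SAMPLE_LOCK));
  console.log('packages with install scripts:', listInstallScripts(SAMPLE_LOCK));
  console.log('suspicious log lines:', scanLogLines(SAMPLE_LOG_LINES));
  console.log('cached tainted tarballs:', findCachedTarballs(SAMPLE_CACHE_KEYS));
}
```

On a real host, feed auditLockfile the parsed contents of each package-lock.json committed or produced on March 31, scanLogLines the CI, proxy and DNS logs for the 00:21 to 03:20 UTC window, and findCachedTarballs the keys from every developer's and runner's npm cache; a hit in any of the three means the credential rotation in step three applies to that machine. Yarn lockfiles have a different format and need their own parser.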
For longer-term hardening, organizations should implement lockfile enforcement to prevent automatic resolution of new package versions, enable npm’s provenance attestation checking, deploy real-time dependency monitoring through tools like Socket or Snyk, and consider adopting a private registry or caching proxy that adds an additional layer of review before external packages enter the build pipeline.
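The lockfile enforcement, pinning and provenance checking described here (and restated in the FAQ answer on protecting projects at the end of the page) can be expressed as a pre-build policy gate. The following is an added example, not code from the article or from any vendor it names: it flags dependency specifiers that would let a new registry version resolve automatically, checks that .npmrc disables lifecycle scripts and enforces the lockfile, and names the install and verification commands a CI job should run instead of a plain `npm install`. The package.json and .npmrc contents are constructed, including the `^1.14.0` range, which would have matched axios 1.14.1 without any edit to the project.

```javascript
// Added example, not code from the article or from any vendor it names.
// A pre-build policy check for the hardening steps: exact version pins,
// lifecycle scripts disabled, lockfile-only installs with provenance verification.
// The package.json and .npmrc contents below are constructed.

// Exact semver "1.2.3" or "1.2.3-beta.1"; anything else (^, ~, *, tags, URLs) is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Settings that must be present in .npmrc, with the reason for each.
const REQUIRED_NPMRC = {
  'ignore-scripts': 'true', // an injected postinstall hook never executes
  'package-lock': 'true',   // installs always read and write package-lock.json
  'save-exact': 'true',     // newly added dependencies are recorded pinned
};

// Commands for the CI job: npm ci refuses to proceed when package.json and the
// lockfile disagree; npm audit signatures verifies registry signatures and
// provenance attestations for the installed tree.
const PIPELINE_COMMANDS = ['npm ci --ignore-scripts', 'npm audit signatures'];

// Dependencies whose specifier would let a new registry version resolve automatically.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Parse key=value lines of an .npmrc and list required settings that are absent or wrong.
function checkNpmrc(text) {
  const settings = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return Object.entries(REQUIRED_NPMRC)
    .filter(([key, value]) => settings[key] !== value)
    .map(([key, value]) => `${key}=${value}`);
}

// Overall verdict for one project.
function evaluateProject(pkg, npmrcText) {
  const unpinned = findUnpinned(pkg);
  const missingSettings = checkNpmrc(npmrcText);
  return {
    ok: unpinned.length === 0 && missingSettings.length === 0,
    unpinned,
    missingSettings,
    commands: PIPELINE_COMMANDS,
  };
}

// Constructed "before": the caret range admits any 1.x release at or above
// 1.14.0, so a fresh resolution on March 31 would have taken 1.14.1, and
// nothing stops an install script from running.
const WEAK_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { axios: '^1.14.0', express: '4.19.2' },
  devDependencies: { jest: 'latest' },
};
const WEAK_NPMRC = '# constructed\nregistry=https://registry.npmjs.org/\nsave-exact=true\n';

// Constructed "after": every dependency pinned, scripts disabled, lockfile enforced.
const HARDENED_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { express: '4.19.2', lodash: '4.17.21' },
  devDependencies: { jest: '29.7.0' },
};
const HARDENED_NPMRC = 'ignore-scripts=true\npackage-lock=true\nsave-exact=true\n';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak project:', evaluateProject(WEAK_PACKAGE_JSON, WEAK_NPMRC));
  console.log('hardened project:', evaluateProject(HARDENED_PACKAGE_JSON, HARDENED_NPMRC));
}
```

Pinning only moves the decision: upgrades become explicit lockfile changes that go through code review, which is where a surprise new dependency such as plain-crypto-js becomes visible in the diff. Packages that genuinely need a build step can be rebuilt by name with `npm rebuild <package>` after the scripts-disabled install rather than re-enabling scripts for the whole tree.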
5 Predictions for Software Supply Chain Security in 2026–2027
1. Mandatory provenance attestation for critical packages by Q4 2026. GitHub’s announced “critical package” designation for the top 500 npm packages will likely expand to cover the top 5,000 packages by year-end, with npm, PyPI, and crates.io all implementing similar requirements. The EU Cyber Resilience Act, which takes effect in 2027, will further accelerate this trend.
2. AI-powered social engineering will make maintainer account takeovers more common. UNC1069’s use of deepfakes in the axios attack signals a new era of social engineering that will challenge traditional security awareness training. Expect at least two more high-profile maintainer compromises using AI-generated personas before the end of 2026.
3. The software supply chain security market will exceed $20 billion by mid-2027. The accelerating frequency and severity of supply chain attacks will drive enterprise security spending toward SCA and dependency integrity tools. Socket, Chainguard, and similar startups are positioned for significant growth, while incumbent security vendors will scramble to add supply chain capabilities through acquisition.
4. Government regulation of open-source security will expand globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been developing voluntary guidelines for open-source security since 2023. The axios incident will likely accelerate bipartisan legislative efforts to establish minimum security standards for open-source software used in critical infrastructure, following the EU’s lead with the Cyber Resilience Act.
5. A major package registry will implement mandatory code signing within 18 months. The technical infrastructure for code signing via Sigstore is already in place. The axios incident provides the political momentum needed for npm or PyPI to mandate that all published packages include verifiable signatures linked to authenticated identities, not just pseudonymous accounts.
The Open-Source Sustainability Crisis at the Heart of Supply Chain Security
Beneath the technical details of the axios compromise lies a structural problem that the technology industry has yet to resolve: the vast majority of critical open-source software is maintained by individuals or small teams with minimal funding, yet these packages form the foundation of systems operated by the world’s wealthiest corporations. Axios, despite its 100 million weekly downloads and presence in 80% of enterprise environments, is maintained primarily by volunteers.
The Linux Foundation’s 2025 Census of Open Source Software found that 74% of the 500 most critical open-source projects have fewer than three active maintainers, and 23% are maintained by a single individual. These maintainers are expected to provide enterprise-grade security against nation-state attackers – an expectation that is, by any reasonable measure, unsustainable.
Initiatives like the Open Source Security Foundation (OpenSSF), GitHub’s $10 million Security Fund, and the Sovereign Tech Fund in Germany have begun to address this gap, but the scale of funding remains a fraction of what is needed. The axios incident will likely intensify calls for a sustainable funding model – whether through corporate contributions, government investment, or new models like Tidelift’s lifter program that pays maintainers for meeting security standards.
Competitive Landscape: How Security Vendors Are Responding
The axios attack has sharpened competition among security vendors competing for the enterprise supply chain security budget. Snyk, which was the first major SCA vendor to integrate real-time npm monitoring, reported detecting the malicious axios versions within 90 minutes. Socket, which uses behavioral analysis rather than known-vulnerability databases, flagged the anomalous dependency within the first hour. Sonatype’s Nexus Lifecycle and JFrog’s Xray also pushed alerts within the first two hours.
The differentiation among these vendors is increasingly about speed of detection and quality of automated remediation rather than simple vulnerability scanning. In a supply chain attack, the traditional CVE-based approach is useless – there is no CVE to match against because the malicious code is being seen for the first time. The vendors that performed best in the axios incident were those with behavioral analysis capabilities that could detect anomalous package behavior without prior signatures.
Frequently Asked Questions
Was my project affected by the axios npm supply chain attack?
If your project resolved npm dependencies between 00:21 and 03:20 UTC on March 31, 2026, and pulled axios version 1.14.1 or 0.30.4, you may have been affected. Check your package-lock.json or yarn.lock files for these specific versions and audit build logs for references to the plain-crypto-js dependency.
Who is behind the axios attack?
Google Threat Intelligence Group attributed the attack to UNC1069, a financially motivated North Korean threat actor active since 2018. The group operates under North Korea’s Reconnaissance General Bureau and primarily targets cryptocurrency and developer infrastructure.
How was the axios npm attack detected?
StepSecurity’s automated monitoring platform detected the anomalous publish event – specifically, the introduction of an unknown dependency (plain-crypto-js) in a well-established package. Detection occurred within approximately two hours of publication, and npm removed the tainted versions at 03:20 UTC.
Is axios safe to use now?
Yes. The malicious versions (1.14.1 and 0.30.4) were removed from npm within three hours. Current versions of axios, published by verified maintainers with restored account security, are safe. However, organizations should ensure they are not using cached copies of the compromised versions.
What is WAVESHAPER.V2 malware?
WAVESHAPER.V2 is a cross-platform remote access trojan (RAT) attributed to UNC1069. It provides attackers with system reconnaissance, filesystem access, remote code execution, credential theft, and self-cleaning capabilities. It was delivered through the plain-crypto-js dependency injected into the compromised axios versions.
How can I protect my projects from npm supply chain attacks?
Implement lockfile enforcement to prevent automatic resolution of new versions, enable npm provenance attestation checking, use dependency monitoring tools like Socket or Snyk, pin dependencies to specific versions in production builds, and consider deploying a private registry or caching proxy to add a review layer before external packages enter your build pipeline.
Sofia Lindström
Sofia Lindström is the Editor-in-Chief at Tech Insider, where she leads editorial strategy and oversees coverage across AI, cybersecurity, and enterprise technology. With over a decade in Swedish tech journalism, she previously served as technology editor at Dagens Industri and covered the Nordic startup ecosystem for Breakit. Sofia holds an MSc in Media Technology from KTH Royal Institute of Technology and is a frequent speaker at Web Summit and Slush. She is passionate about making complex technology accessible to business leaders.