
Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

1 unique source, 1 article

Summary


A financially motivated North Korea-nexus threat actor compromised the npm account of axios maintainer Jason Saayman and published two malicious axios releases (v1.14.1 and v0.30.4) that add a malicious dependency, plain-crypto-js, to deliver cross-platform remote access Trojans (RATs) to downstream users. The attackers pre-staged the malicious code, changed the maintainer's account email to keep access, abused GitHub admin permissions to delete a report of the compromise, and published with stolen npm credentials directly from the npm CLI, so the releases carry none of the provenance attestations that the project's GitHub Actions OIDC publishing workflow would have produced. Because axios is downloaded more than 100 million times a week and sits in the dependency trees of CI/CD pipelines worldwide, the impact spans organizations globally.

Timeline

  1. 01.04.2026 12:00 1 article

    Malicious axios npm packages v1.14.1 and v0.30.4 deliver cross-platform RATs via plain-crypto-js dependency

    Threat actors compromised the npm account of axios maintainer Jason Saayman and published malicious versions v1.14.1 and v0.30.4 that pull in plain-crypto-js as a dependency. Because the attackers published directly with the npm CLI using stolen credentials, the releases carry no provenance attestation from the project's GitHub Actions OIDC workflow. The attackers changed the maintainer's email address for persistence, used GitHub admin privileges to delete an issue reporting the compromise, and deployed cross-platform RATs with obfuscation and anti-analysis features. Google Threat Intelligence Group attributed the activity to UNC1069 (North Korea-nexus) based on the use of WAVESHAPER.V2 malware.


Information Snippets

  • Threat actors compromised the npm account of axios maintainer Jason Saayman and injected plain-crypto-js as a dependency into axios versions v1.14.1 and v0.30.4.

    First reported: 01.04.2026 12:00
    1 source, 1 article
  • The malicious versions were published directly via the npm CLI using stolen credentials, so they lack the provenance attestation that the project's GitHub Actions OIDC publishing workflow would otherwise produce.

    First reported: 01.04.2026 12:00
    1 source, 1 article
  • Attackers modified Saayman’s email address for persistence and hijacked his GitHub account, deleting an issue reporting the compromise to evade detection.

    First reported: 01.04.2026 12:00
    1 source, 1 article
  • Google Threat Intelligence Group (GTIG) attributed the activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2 malware variant.

    First reported: 01.04.2026 12:00
    1 source, 1 article
  • The malicious payloads include platform-specific RAT binaries with obfuscation, anti-analysis techniques, and self-deletion mechanisms designed to evade modern detection.

    First reported: 01.04.2026 12:00
    1 source, 1 article
  • Axios is downloaded over 100 million times weekly and is used as a dependency in countless developer environments and CI/CD pipelines, amplifying the blast radius of the supply chain compromise.

    First reported: 01.04.2026 12:00
    1 source, 1 article