Nick Stocks

Axios Has 100 Million Weekly Downloads. North Korea Backdoored It in 39 Minutes.

On March 31, a North Korea-linked threat actor hijacked the Axios npm maintainer account and published two backdoored versions within 39 minutes. The cross-platform RAT payload targeted every OS. Axios sits underneath virtually every AI agent framework, MCP client, and workflow automation tool in production today.


Yesterday — March 31, 2026 — a North Korea-linked threat actor hijacked the npm account of an Axios maintainer and published two backdoored versions of the most widely used HTTP client in the JavaScript ecosystem.

Axios has over 100 million weekly downloads. It sits underneath LangChain, OpenAI's SDK, dozens of MCP clients, and virtually every Node.js application that makes an HTTP request. If you're running AI agents in production, your dependency tree almost certainly includes it — even if you never installed it directly.

The malicious versions were live for approximately three hours before detection and removal. In that window, every npm install that resolved to axios@1.14.1 or axios@0.30.4 silently installed a cross-platform remote access trojan.

This is not a theoretical risk. This is what happened yesterday.


What Happened

At 00:21 UTC on March 31, an attacker published axios@1.14.1 using a compromised maintainer account (jasonsaayman). Thirty-nine minutes later, they published axios@0.30.4 — targeting both the current and legacy version lines simultaneously.

Both versions introduced a single new dependency: [email protected]. This purpose-built package contained a postinstall hook that downloaded and executed platform-specific stage-2 implants from sfrclak[.]com:8000.

According to Aikido's analysis, the attacker deployed three parallel RAT implementations — one for Windows, one for macOS, one for Linux — all sharing an identical C2 protocol and beacon behavior.

The attack was detected and the packages were removed from npm approximately two to three hours later.


Attribution

Google's Threat Intelligence Group (GTIG) attributes this attack to UNC1069, a financially motivated North Korean threat actor active since at least 2018. The attribution is based on the use of WAVESHAPER.V2, an updated variant of malware previously deployed by this group.

UNC1069 targets cryptocurrency platforms, fintech companies, and SaaS providers. SANS confirms the RAT's credential harvesting behavior: it swept environment variables, .env files, SSH keys, cloud provider credentials, and API tokens from compromised systems.

This is a state-backed operation targeting the foundational dependency layer of the JavaScript ecosystem.


Why This One Is Different

We've written about supply chain attacks three times in the past two weeks. Each of those targeted AI-specific infrastructure — Trivy, LiteLLM, LangChain, Telnyx. Tools that sit in the AI layer of the stack.

Axios is not in the AI layer. Axios is underneath the AI layer.

Every AI agent framework that makes HTTP calls depends on a library like Axios. Every MCP client that connects to a remote server sends its requests through an HTTP library. Every workflow automation tool — n8n, Zapier integrations, custom agent orchestrators — uses HTTP to talk to the world.

When TeamPCP compromised LiteLLM, they got access to LLM API keys. When they hit Trivy, they got CI/CD secrets. Both attacks were severe, but both had a defined blast radius: organisations using those specific tools.

When someone compromises Axios, the blast radius is the entire JavaScript ecosystem.

Here's the uncomfortable math. The TeamPCP campaign has now demonstrated a clear pattern: compromise a popular package, harvest the credentials from everyone who installs it, use those credentials to compromise the next package. Each victim becomes the vector for the next attack.

Elastic Security Labs documented the full attack chain:

  1. Compromised maintainer account → published malicious package
  2. postinstall hook downloads platform-specific RAT
  3. RAT sweeps credentials (env vars, .env files, SSH keys, cloud tokens)
  4. Stolen credentials enable lateral movement to other packages and services

If the Axios RAT harvested credentials during its three-hour window, we should expect those credentials to appear in follow-on attacks in the coming days and weeks — just as the Trivy credentials fueled the Checkmarx, LiteLLM, and Telnyx compromises.


The AI Agent Angle

This matters more for AI agent deployments than for typical web applications, for two reasons.

First: AI agents aggregate credentials. A typical web server might have a database URL and an API key or two. An AI agent orchestrator — or an MCP hub — might have credentials for a dozen different services: LLM providers, vector databases, code repositories, Slack, email, CRM systems, internal APIs. A credential harvester on an AI agent host has a target-rich environment.

Second: AI agent supply chains are deeper than you think. When you install an MCP server or an agent framework, you're pulling in hundreds of transitive dependencies. Most teams audit their direct dependencies. Almost nobody audits the full tree. Axios appears as a transitive dependency in packages that don't mention HTTP in their descriptions.

Run npm ls axios in any Node.js AI project. Count the paths. That's your exposure surface.


What You Should Do Right Now

1. Check if you installed the compromised versions.

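# Check your lockfiles for the malicious versions.
# Matches "axios@<version>" keys (pnpm, yarn) and the "axios-<version>.tgz"
# tarball URLs that package-lock.json and yarn.lock record as "resolved".
grep -nE 'axios[@-](npm:)?(1\.14\.1|0\.30\.4)' package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null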

Safe versions: [email protected] (last legitimate 1.x release with SLSA provenance) and [email protected] (last legitimate 0.30.x release). If you see 1.14.1 or 0.30.4 in any lockfile, assume compromise and rotate all credentials accessible from that environment.

2. Pin your dependencies.

If you're still using caret ranges (^1.14.0) for critical packages, this is the incident that should change that. Use exact versions or lockfile integrity checks. Arctic Wolf's advisory recommends enabling npm's --ignore-scripts flag in CI to prevent postinstall hooks from executing automatically.

3. Audit transitive dependencies, not just direct ones.

npm ls axios          # Show all paths to axios in your tree
npm audit signatures  # Verify package provenance

4. Treat credential rotation as mandatory after any supply chain incident in your dependency tree.

Not "if you think you're affected." If the compromised package was anywhere in your resolved dependency graph during the attack window, rotate everything: API keys, cloud credentials, SSH keys, database passwords.
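Steps 1 to 3 can be checked from the parsed lockfile instead of by text search. The Node.js sketch below is an added example, not code from the original post: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), reports every path where axios resolved to 1.14.1 or 0.30.4 (aliased installs included), lists packages npm marked with hasInstallScript (the postinstall mechanism described above), and flags non-exact ranges in package.json. The function name auditProject and all sample package names are assumptions made for the example.

```javascript
// Added example: audit a package.json + package-lock.json (lockfileVersion 2/3).
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']); // versions named in this post
const MARKER = 'node_modules/';
const EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/; // plain x.y.z pin

function auditProject(pkg, lock) {
  const report = { compromised: [], installScripts: [], unpinned: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    // Keys are on-disk paths; "name" is only recorded when it differs (aliases).
    const i = path.lastIndexOf(MARKER);
    const name = meta.name || (i === -1 ? path : path.slice(i + MARKER.length));
    if (name === 'axios' && BAD_AXIOS.has(meta.version)) {
      report.compromised.push(`${path} -> axios@${meta.version}`);
    }
    // npm sets hasInstallScript when a package declares install-time scripts,
    // the mechanism the malicious dependency used (postinstall).
    if (meta.hasInstallScript) {
      report.installScripts.push(`${name}@${meta.version}`);
    }
  }
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, range] of Object.entries(deps)) {
    // Anything that is not an exact version (^, ~, *, tags, URLs) can float.
    if (!EXACT.test(range)) report.unpinned.push(`${name}@${range}`);
  }
  return report;
}

// Constructed sample input (placeholder package names, not a real project).
const samplePkg = {
  dependencies: { 'example-agent-sdk': '^2.3.0', 'example-util': '1.3.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-agent-sdk': { version: '2.3.1' },
    'node_modules/example-agent-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/http-client': { name: 'axios', version: '0.30.4' }, // alias
    'node_modules/axios': { version: '1.0.0' }, // not a flagged version
    'node_modules/example-native-addon': { version: '0.1.0', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditProject(samplePkg, sampleLock), null, 2));
```

To run it against a real project, pass the parsed contents of package.json and package-lock.json; yarn and pnpm lockfiles use different formats and are not covered.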


The Pattern

Trivy. Checkmarx. LiteLLM. Telnyx. LangChain. Now Axios.

Six major supply chain incidents in the JavaScript and Python ecosystems in the span of two weeks. Three of them are attributed to the same North Korean threat actor group. The attacks are accelerating, the targets are getting more foundational, and the credential-chaining technique means each compromise funds the next.

The supply chain problem in AI infrastructure is not getting better. It is getting worse, faster, because every AI agent deployment expands the attack surface — more dependencies, more credentials, more integration points.

There is no single fix. But there are practices that reduce your exposure: pinned dependencies, lockfile integrity, automated vulnerability scanning, minimal credential scoping, and — critically — runtime monitoring of what your AI agents actually send over the wire. Because when the HTTP library itself is compromised, the only thing standing between your credentials and an attacker's C2 server is whether something is watching the traffic.

Three hours. That's how long the Axios backdoor was live. Long enough.