Backdoored Axios npm Package Delivered RAT via Compromised Maintainer Account
One stolen npm token let North Korean hackers backdoor Axios in 39 minutes, exposing a library with 100 million weekly downloads and 174,000 dependent packages to a live credential-stealing RAT.

A single compromised npm access token gave a North Korea-linked threat actor everything needed to transform one of JavaScript's most ubiquitous libraries into an active malware distribution channel, exposing a supply chain with over 100 million weekly downloads and 174,000 dependent packages to a credential-stealing RAT for more than three hours.
The operation was methodical and pre-staged. Days before the attack, the threat actor published plain-crypto-js@4.2.0, a clean copy of the legitimate crypto-js library under a new package identity, to build a plausible registry history. Then, in the early hours of March 31, 2026, using credentials seized from jasonsaayman, the lead Axios maintainer, the attacker published axios@1.14.1 and axios@0.30.4 within a 39-minute window beginning at 00:21 UTC. Both versions injected plain-crypto-js@4.2.1 as a runtime dependency, a package whose sole purpose was executing a postinstall script that dropped a cross-platform RAT capable of running on macOS, Windows, and Linux. To maximize the lockout of the legitimate owner, the attacker also changed the account email to a separate ProtonMail address, severing Jason Saayman's recovery options.
Critically, the attacker bypassed the project's own hardened publishing infrastructure. The legitimate axios@1.14.0 had been published just days earlier via GitHub Actions OIDC trusted publishing; the malicious releases went out through jasonsaayman's personal credentials, sidestepping that control entirely. The RAT beaconed to a command-and-control domain identified across multiple vendor advisories and was capable of executing arbitrary follow-on payloads, harvesting API keys, SSH keys, cloud credentials, and CI/CD secrets from any environment that ran a fresh npm install during the exposure window.
An Axios collaborator flagged the anomaly at 01:38 UTC, and Elastic Security Labs filed a formal GitHub Security Advisory at 01:50 UTC. npm removed the malicious Axios versions at 03:15 UTC and plain-crypto-js at 03:29 UTC, closing a window of approximately three hours and eight minutes. Microsoft Threat Intelligence attributed the campaign to Sapphire Sleet, a financially motivated North Korean cluster. Google Threat Intelligence tracks the same actor as UNC1069, citing overlapping infrastructure and tradecraft.
For teams assessing exposure, the first check is the lockfile. Any project whose package-lock.json, yarn.lock, or pnpm-lock.yaml was committed before the malicious versions were published and was not updated during the 00:21 to 03:29 UTC window was not affected. Lockfile adherence is the clearest single control that blocked this attack class entirely. For those exposed, the remediation path is unambiguous: audit lockfiles and node_modules directories for references to axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1, treating the presence of a plain-crypto-js directory as sufficient evidence of compromise regardless of how package.json appears. Every credential accessible from an affected environment must be revoked and reissued from a clean system, not rotated in place. Infected endpoints should not be sanitized; they should be rebuilt from known-good images. The C2 domain should be blocked at the network and DNS layers immediately.
Going forward, replacing npm install with npm ci in all CI/CD pipelines enforces lockfile adherence as standing policy. Adding the --ignore-scripts flag eliminates the postinstall execution mechanism the attacker relied on, removing an entire attack class. Maintaining a software bill of materials (SBOM) for build artifacts creates an auditable dependency record before the next incident. Requiring short-lived, scoped tokens with mandatory multi-factor authentication for package publishing directly addresses the class of credential risk that made this attack viable in the first place.
The questions every security team should be putting to vendors are direct: Do your build pipelines commit and enforce lockfiles? Do you run with ignore-scripts in CI/CD? Do you have a documented, tested process for revoking credentials and rebuilding cleanly if a dependency is poisoned mid-pipeline? The Axios attack was live for less than three hours. For organizations that lacked answers to those questions before March 31, the forensic and remediation timeline will be measured in weeks.

