Axios is the most popular JavaScript HTTP client library, with more than 400 million downloads a month on NPM. This article explores what made the attack on Axios stand out. The attack seems to have started when the lead maintainer's account, "jasonsaayman," was hacked.
The packages were live for a few hours (about three hours for both Axios versions) before NPM removed all traces of the campaign. Google told ZeroOwl that the attack was likely carried out by a North Korean hacker group called UNC1069. The full scope of the event is still unclear, but Google expects it to have a big effect. It's important to remember that North Korea has done this before.
Feross Aboukhadijeh, CEO of Socket, says, "Axios lives in developer environments that hold source code, deploy keys, and cloud credentials that a cryptominer doesn't need." There are a few things that make the attack on Axios stand out. The malicious dependency was staged 18 hours before the attack.
Within 39 minutes of each other, both release branches were poisoned. This is one of the most technically advanced supply chain attacks ever recorded against a top-10 npm package. Endor Labs security researcher Peyton Kennedy says, "This looks like planned, deliberate tradecraft from an experienced threat actor." He says, "A quiet, traceless compromise of a developer's machine is a fundamentally different risk than something loud that gets patched fast."
StepSecurity's Ashish Kurmi says, "What makes this so interesting is that it would be DPRK's first successful compromise of an open source package." He calls it "precision" and "operational tradecraft," not a script. "It's a different kind of escalation: staged dependency seeding to get around scanners, platform-specific payload chains, and self-deleting anti-forensic cleanup," he says.
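As an added illustration (not code from the article or from the Axios project), the following Node.js check applies a minimum-age gate to pinned dependencies, the kind of policy that flags a dependency seeded only 18 hours before it is pulled into a release. The package names, versions and timestamps are constructed sample data, and the registry metadata shape mirrors the `time` field of an npm registry package document.

```javascript
// Added example: minimum publish-age gate for pinned dependencies.
// Rationale: a dependency staged shortly before an attack has little
// scanner history, so "too new" is itself a signal worth blocking on.

const HOUR_MS = 60 * 60 * 1000;

// Constructed lockfile excerpt (hypothetical packages): name -> pinned version.
const sampleLock = {
  "http-client-lib": "4.2.1",
  "fresh-helper": "0.0.1",   // hypothetical freshly seeded dependency
  "left-utils": "2.3.0",
};

// Constructed registry metadata, shaped like the npm registry's "time" field:
// name -> { version -> ISO 8601 publish timestamp }.
const sampleRegistryTime = {
  "http-client-lib": { "4.2.1": "2024-11-12T00:00:00.000Z" },
  "fresh-helper": { "0.0.1": "2025-03-30T06:00:00.000Z" },
  "left-utils": { "2.3.0": "2023-05-01T00:00:00.000Z" },
};

// Return every dependency whose pinned version was published less than
// minAgeHours before `now`. A version with no known publish time is also
// reported: unknown age must fail closed, not pass silently.
function flagFreshDependencies(lock, registryTime, now, minAgeHours) {
  const findings = [];
  for (const [name, version] of Object.entries(lock)) {
    const published = registryTime[name] && registryTime[name][version];
    if (!published) {
      findings.push({ name, version, ageHours: null, reason: "no publish time" });
      continue;
    }
    const ageHours = (now.getTime() - Date.parse(published)) / HOUR_MS;
    if (ageHours < minAgeHours) {
      findings.push({
        name,
        version,
        ageHours: Math.round(ageHours),
        reason: "published too recently",
      });
    }
  }
  return findings;
}

// Usage: with a 72-hour gate, only the 18-hour-old package is reported.
const asOf = new Date("2025-03-31T00:00:00Z");
console.log(flagFreshDependencies(sampleLock, sampleRegistryTime, asOf, 72));
```

In a real pipeline the `time` map would come from the registry's package document at install review time, and the gate would run before a lockfile change is merged.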