North Korea Hijacked the World's Most-Downloaded JavaScript Library
A North Korean hacking group compromised the Axios npm package — downloaded over 100 million times per week — planting a backdoor that silently infected Windows, macOS, and Linux systems within seconds of installation. Google formally attributed the attack on April 1, 2026.
What Happened
Between 00:21 and 03:20 UTC on March 31, 2026, attackers who had seized control of a legitimate package maintainer's account published two backdoored versions of Axios — version 1.14.1 and version 0.30.4 — to the Node Package Manager (NPM) registry, according to a technical blog published April 1 by Google's Threat Intelligence Group (GTIG).
Axios is a JavaScript library used to make HTTP requests from web browsers and server-side applications. It is one of the most widely used open-source packages in existence. The two compromised versions had a combined weekly download rate of approximately 183 million at the time of the attack, according to Google's GTIG report.
The attack was classified by researchers as a software supply chain compromise — a technique in which attackers embed malicious code into a trusted software package rather than attacking end users directly.
"Every time you load a website, check your bank balance, or open an app on your phone, there's a good chance Axios is running somewhere in the background making that work," Tom Hegel, a senior researcher at SentinelOne, said to Reuters.
How the Attack Worked
The attack unfolded in two stages. On March 30, 2026, the attackers first published a malicious package called plain-crypto-js@4.2.1 to NPM, disguised as a copy of the popular crypto-js cryptography library. That package contained a postinstall script — code that executes automatically whenever the package is installed — designed to deliver a backdoor, according to Google GTIG's blog.
The attackers then compromised the GitHub and NPM accounts belonging to Jason Saayman, the primary maintainer of Axios, changing the account's associated email address to an attacker-controlled ProtonMail account to lock out the legitimate owner, according to Help Net Security. They then updated the Axios package to include plain-crypto-js as a runtime dependency.
The result: any developer who ran npm install axios@1.14.1 or npm install axios@0.30.4 automatically triggered the malicious postinstall hook. The hook deployed an obfuscated JavaScript dropper named SILKBELL, which detected the victim's operating system and downloaded platform-specific second-stage malware from a command-and-control server at sfrclak[.]com, according to Google GTIG.
According to Step Security researchers, as cited by Help Net Security, the entire process — from installation to full system compromise — took approximately 15 seconds. The dropper then deleted itself and replaced modified configuration files with clean versions, leaving no visible trace in a developer's installed packages.
The Backdoor: WAVESHAPER.V2
The second-stage payload deployed across all three operating systems was a backdoor tracked by Google GTIG as WAVESHAPER.V2. Google described it as a direct evolution of WAVESHAPER, a backdoor previously used by a North Korean threat group in attacks on the cryptocurrency sector.
WAVESHAPER.V2 supports four commands according to Google's technical blog:
- kill — terminates the malware's execution
- rundir — enumerates directory listings including file paths, sizes, and timestamps
- runscript — executes AppleScript, PowerShell, or shell commands depending on the operating system
- peinject — decodes and executes arbitrary binary payloads
The malware beacons to its command-and-control server at 60-second intervals using a hard-coded User-Agent string mimicking an outdated Internet Explorer browser. On Windows systems, it achieved persistence by adding a registry entry named MicrosoftUpdate to the Windows run key, according to Google GTIG's blog.
On macOS, the malware dropped to /Library/Caches/com.apple.act.mond, a path chosen to mimic a legitimate Apple system process. On Linux, a Python backdoor was written to /tmp/ld.py.
Attribution to North Korea
Google formally attributed the attack on April 1, 2026 to a group it tracks as UNC1069, which it described as a financially motivated North Korea-linked threat actor active since at least 2018. The attribution was based on the use of WAVESHAPER.V2, infrastructure overlaps with past UNC1069 activity, and developer build paths found within the macOS malware binary linking to code used in prior BlueNoroff campaigns, according to Google GTIG's blog and reporting by The Hacker News.
"We have attributed the attack to a suspected North Korean threat actor we track as UNC1069," John Hultquist, chief analyst at Google's Threat Intelligence Group, said in statements to both Reuters and The Hacker News. "North Korean hackers have deep experience with supply chain attacks, which they primarily use to steal cryptocurrency."
Hultquist added: "The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts."
North Korea uses stolen cryptocurrency to fund weapons programs and evade international sanctions, according to the U.S. government, as cited by Reuters.
North Korea's mission to the United Nations did not respond to a request for comment from Reuters.
Scale and Exposure Window
The two malicious Axios versions were live for approximately 2 hours 53 minutes and 2 hours 15 minutes respectively before being removed, according to Help Net Security citing Step Security researchers.
Despite the short window, the scale of exposure was significant. According to Wiz researchers cited by Help Net Security, Axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week. Wiz observed execution of the malicious code in 3% of affected environments during the window the packages were live.
The attack came days after a separate series of supply chain attacks by a different financially motivated group tracked as TeamPCP, which had targeted Aqua's Trivy security scanner, VS Code extensions published by CheckMarx, the LiteLLM AI framework, and cloud communications company Telnyx, according to Help Net Security. Mandiant CTO Charles Carmakal noted that the secrets stolen across these recent supply chain attacks would enable further downstream compromises.
What Developers Should Do
Developers who installed either axios@1.14.1 or axios@0.30.4 should assume their systems are compromised, according to Step Security, as cited by Help Net Security. Recommended steps include:
- Isolate any affected system from the network immediately
- Check for the presence of plain-crypto-js in node_modules — its presence confirms the dropper ran
- Check for backdoor artifacts: /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe on Windows, /tmp/ld.py on Linux
- Rotate all credentials accessible from the affected machine: npm tokens, AWS keys, SSH keys, cloud credentials, and CI/CD secrets
- Downgrade Axios to version 1.14.0 or 0.30.3 and pin the version
- Block network traffic to sfrclak[.]com and IP address 142.11.206[.]73
- Audit CI/CD pipeline logs for runs that installed the affected versions
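The checks above, turned into a small triage script that a responder can run against a project checkout and the local host. This is an added example, not code from the article or from any of the vendors it cites; it uses only the versions, package name and artifact paths reported above, and the sample lockfile is constructed for the demonstration.

```python
import json, os
from pathlib import Path

# Indicators as reported in the article: backdoored releases, dropper dependency, host artifacts.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
DROPPER_DEP = "plain-crypto-js"
ARTIFACT_PATHS = [
    "/Library/Caches/com.apple.act.mond",                                      # macOS
    "/tmp/ld.py",                                                              # Linux
    os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "wt.exe"),  # Windows
]
# Constructed sample lockfile (lockfileVersion 3 layout) for a stand-alone run; not a real project.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
}}

def installed_versions(lock: dict) -> dict[str, set[str]]:
    """Map package name -> versions from a parsed package-lock.json (v2/v3 'packages' or v1 'dependencies')."""
    found: dict[str, set[str]] = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # the "" entry is the root project itself, not a dependency
            found.setdefault(path.rsplit("node_modules/", 1)[-1], set()).add(meta.get("version", "?"))
    def walk(deps: dict) -> None:  # v1 lockfiles nest transitive deps under each entry
        for name, meta in deps.items():
            found.setdefault(name, set()).add(meta.get("version", "?"))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return found

def audit_lockfile(lock: dict) -> list[str]:
    """Findings for a parsed lockfile: a backdoored axios or the dropper resolved into the tree."""
    found = installed_versions(lock)
    hits = [f"axios@{v}: backdoored release, downgrade and pin"
            for v in sorted(found.get("axios", set()) & BAD_AXIOS_VERSIONS)]
    hits += [f"{DROPPER_DEP}@{v}: dropper dependency present" for v in sorted(found.get(DROPPER_DEP, set()))]
    return hits

def audit_host(project: Path, artifact_paths=ARTIFACT_PATHS) -> list[str]:
    """Check a project tree for the installed dropper and its lockfile, and the host for backdoor artifacts."""
    hits = [f"{p}: dropper installed, assume the postinstall hook ran"
            for p in project.rglob(DROPPER_DEP) if p.parent.name == "node_modules"]
    lock = project / "package-lock.json"
    if lock.is_file():
        hits += audit_lockfile(json.loads(lock.read_text()))
    hits += [f"{p}: WAVESHAPER.V2 artifact present" for p in artifact_paths if Path(p).exists()]
    return hits
```

Running `audit_host(Path("/path/to/checkout"))` on each affected machine gives a first pass; a clean result does not clear the host, since the article notes the dropper removes itself and restores clean configuration files, so credential rotation still applies.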
Google GTIG, Elastic Security Labs, Step Security, and Wiz all published independent technical analyses of the attack with indicators of compromise.