RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: axios (2 articles)Clear
threat
2026-04-04

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

axiosnpmnorth-koreaunc1069bluenoroffsupply-chainsocial-engineering
Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.
threat
2026-03-31

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

axiosnpmsupply-chainjavascriptrat
Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.