Hackers Breached Axios npm by Impersonating Companies and Hijacking Maintainer Access

The attack is linked to the North Korean threat group UNC1069



A recent supply chain attack on Axios, one of the most widely used JavaScript HTTP libraries, exposed developers to a serious compromise: malicious versions of the package stayed live on npm for hours and silently infected the systems that installed them.

Malicious Axios Versions Distributed Through npm

Attackers published two compromised versions of Axios, 1.14.1 and 0.30.4, which remained available on npm for about three hours. Anyone who installed or updated to those versions during that window pulled the compromise onto their system without any warning.

The malicious versions added a new dependency, plain-crypto-js, whose postinstall script ran automatically at install time. That script deployed a remote access trojan, giving the attackers full control over affected machines.

North Korean Group Linked to the Attack

Security researchers have attributed the campaign to UNC1069, a threat group linked to North Korea. The attack stands out not just for its impact, but for the level of coordination behind it.

Instead of exploiting code vulnerabilities, attackers targeted people. They launched a sophisticated social engineering campaign aimed at npm maintainers using platforms like LinkedIn and Slack.

The attackers created fake companies with cloned branding and invited targets into realistic Slack workspaces. Inside, they staged conversations with fake profiles to build trust.

The final step involved a fake Microsoft Teams meeting, where victims saw a fabricated error message prompting them to install a supposed update. That “update” actually deployed malware.

MFA Bypassed Through Session Hijacking

Once the malware ran, the attackers gained access to npm credentials and, by hijacking already-authenticated sessions, sidestepped multi-factor authentication rather than defeating it. This allowed them to publish the malicious Axios versions directly under the maintainer's account.

This was not an isolated incident. Multiple Node.js maintainers were targeted in a coordinated campaign focusing on high-impact packages. Attackers also used fake SDK downloads and attempted to trick users into running malicious curl commands.

Maintainers Respond and Contain the Threat

Axios maintainers quickly removed the malicious versions, reset credentials, and wiped affected systems. Additional security measures are now being implemented to prevent similar incidents.

Developers who may have installed Axios 1.14.1 or 0.30.4 should audit their systems immediately. Removing the plain-crypto-js dependency is necessary but not sufficient on its own: its postinstall script has already run by the time the package is found.

All credentials reachable from the affected machine, including npm tokens, SSH keys, and API tokens, should be rotated, and because the trojan gave attackers full control, the host should be treated as compromised rather than merely cleaned. Developers should also avoid running unknown install scripts and review dependency changes carefully before installing updates.

This attack highlights a growing trend of targeting developers through trusted ecosystems. In related cybersecurity developments, VoidStealer malware has been found extracting encryption keys directly from Chrome memory, while Google recently patched a new zero-day vulnerability in Chrome.

The Axios incident shows that supply chain attacks are becoming more advanced, combining malware delivery with human manipulation at scale rather than relying on exploitable code flaws.

Via Bleeping Computer


Readers help support Windows Report. We may get a commission if you buy through our links.
