top of page
Search

When One Developer's Trust Became a National Security Event: The Axios npm Hack of 2026

  • Writer: Chris Coulombe
    Chris Coulombe
  • 5 days ago
  • 9 min read

On March 31, 2026, one of the most-downloaded JavaScript libraries in the world was quietly turned into a weapon. The target was Axios — an HTTP client used in everything from personal side projects to enterprise-grade production systems — and the attack vector was not a zero-day vulnerability or a brute-force intrusion. It was a conversation.

This is the story of how a nation-state threat actor weaponized human trust to compromise a package downloaded roughly 100 million times per week, and what it means for the future of software security.


What Is Axios, and Why Does It Matter?


Before diving into the attack itself, it's worth understanding the scale of what was targeted.

Axios is a promise-based HTTP client for Node.js and the browser. It is the standard choice for making API calls in JavaScript applications. It powers backend services, front-end apps, CI/CD pipelines, developer tooling, and cloud infrastructure. In many codebases, developers didn't even explicitly choose it — it arrived transitively, quietly bundled inside other dependencies. As of early 2026, Axios was seeing approximately 100 million downloads per week on npm, making it one of the most critical pieces of shared infrastructure in the entire software ecosystem (Aikido Security, 2026).

When something that widely used gets compromised, the blast radius is not measured in users — it is measured in industries.


The Attack: A Three-Act Operation


Act I: Laying the Groundwork


The operation did not begin on March 31. Like the most dangerous supply chain attacks in history, it began earlier, quietly, with groundwork designed to avoid suspicion.

On March 30, 2026, at 05:57 UTC, an attacker-controlled npm account published a package called plain-crypto-js@4.2.1 — a trojan deliberately disguised to appear like the widely trusted crypto-js library. This "clean" version sat dormant, doing nothing, simply establishing publishing history and credibility on the npm registry (Tom's Hardware, 2026). It was a decoy, building legitimacy before the main event.

This staging behavior is a hallmark of sophisticated state-sponsored operations — patience before precision.


Act II: The Social Engineering Strike


Axios is not maintained by a large team. Like a significant portion of critical open-source infrastructure, it rests largely on the shoulders of a single lead maintainer: Jason Saayman.

On March 31, attackers made their move. Through a targeted social engineering campaign — posing as a representative from a legitimate, well-known company with a proposal for collaboration — they gained access to Saayman's machine. Once inside, they did not need to crack any passwords or defeat any two-factor authentication systems. They simply did what any sophisticated attacker does once they have physical or remote access to an authenticated machine: they lifted active browser sessions and cookies (Socket, 2026).

As Saayman later explained in a public GitHub comment: the attacker had "enough access to hijack from my browser… lifting sessions or cookies" (as cited in Socket, 2026). With those sessions in hand, the attacker had the same publish access to npm and GitHub as Saayman himself. Two-factor authentication, OIDC-based publishing controls, and other procedural safeguards became irrelevant — because the attacker was no longer impersonating Saayman. In every system's eyes, they were Saayman.


Act III: The Poisoned Release


Between approximately 00:21 and 03:15 UTC on March 31, two malicious versions of Axios were published to npm: axios@1.14.1 and axios@0.30.4 (SOCRadar, 2026).

The tampering was surgical. The only change made to the legitimate Axios codebase was the addition of a single dependency to the package manifest: plain-crypto-js@4.2.1 — the dormant trojan package staged the day before. This dependency was never imported or referenced anywhere in the Axios source code. It served one purpose: executing a postinstall script the moment a developer ran npm install (Tom's Hardware, 2026).


That postinstall script did three things:

  1. Reached out to an attacker-controlled command-and-control (C2) server at sfrclak[.]com (IP: 142.11.206.73)

  2. Downloaded a platform-specific Remote Access Trojan (RAT) payload tailored for macOS, Windows, or Linux

  3. Self-destructed — deleting all evidence of its own execution from the node_modules directory (Snyk, 2026)


The self-destruction element is particularly alarming. A developer who ran npm install during the compromised window, then later inspected their node_modules folder looking for signs of intrusion, would find nothing. The malware erased itself. The only forensic artifacts left behind were the directory node_modules/plain-crypto-js (whose presence alone confirmed the dropper had run) and outbound connection logs to the C2 server — logs most individual developers never think to check (Aikido Security, 2026).


Inside the Malware: What the Code Did


The plain-crypto-js package was purpose-built malware. Beyond the trojan installer, the RAT it deployed gave attackers:

  • Full remote access to the compromised machine

  • Keylogging capabilities via benign-appearing npm packages like node-global-key-listener

  • Screenshot capture via screenshot-desktop

  • A Node.js orchestration module for staged payload execution (Microsoft Security Blog, 2026a)


Systems running macOS, Windows, and Linux were all targeted by separate, platform-optimized payloads — indicating the attackers had pre-built infrastructure for a wide compromise (Sophos, 2026).

In terms of detection evasion, the operation was well-engineered. The staged publication of the plain-crypto-js decoy, the use of a name closely mimicking a legitimate library, the self-deleting installer, and the minimal change to the actual Axios source code all reflect a threat actor that understood how developers inspect packages, and designed around those inspection behaviors.


The Maintainer Speaks


In a candid statement posted to the official Axios GitHub repository, Jason Saayman addressed the incident directly.


He acknowledged he had "fell victim to what seems to be a pretty well known… social engineering attack" (as cited in Socket, 2026). He emphasized that the attacker's control over his machine was likely complete "irrespective of what was setup" — meaning no standard security control would have prevented the compromise given the level of access achieved.


In the aftermath, Saayman took immediate remediation steps:

  • Wiped all personal devices

  • Reset all credentials across every platform

  • Began adopting hardware security keys

  • Implemented improved publishing workflows


But perhaps the most striking part of his statement was not technical — it was human. Saayman, who is South African, invoked the Zulu philosophy of Ubuntu — "I am because we are" — in reflecting on the attack:

"It is sad to me that zero trust can be put in people as my only objective is to create useful things with code but it seems like the world is strongly against that with someone trying to steal / exploit something at every corner. My countries philosophy is 'Ubuntu' — 'I am because we are' or 'humanity towards others.' I hope that more can embrace that in the future." (as cited in Socket, 2026)


It is a deeply human statement from someone who built infrastructure used by hundreds of millions of developers and was repaid with a nation-state attack on his machine and his trust.


Who Was Behind It?


Attribution in cyberattacks is rarely simple, but multiple major security organizations converged on the same conclusion.

Sophos attributed the attack to NICKEL GLADSTONE, a state-sponsored threat group assessed to be operating in service of the North Korean regime. Forensic analysis revealed identical metadata artifacts, C2 patterns, and malware exclusively linked to prior NICKEL GLADSTONE operations (Sophos, 2026).


Microsoft linked the attack infrastructure to Sapphire Sleet, another designation for a North Korean-affiliated threat actor (Microsoft Security Blog, 2026b).

Google's Threat Intelligence Group (GTIG) attributed the campaign to UNC1069, which it assesses to be financially motivated and DPRK-aligned. Senior analyst Taylor Long noted that "several DPRK threat actors have a history of conducting supply chain compromises and leveraging malicious npm packages for cryptocurrency theft, while also continuing to rely on social engineering techniques" (as cited in The Hacker News, 2026).


What remains unclear is the specific downstream objective. While UNC1069 is typically financially driven — often targeting cryptocurrency — no direct evidence of crypto theft or ransomware emerged from the Axios compromise. Google analysts assessed that financially motivated follow-on activity was likely to emerge as post-compromise access was exercised (The Hacker News, 2026).


This attack did not happen in isolation. It follows a documented pattern of DPRK threat actors targeting the software supply chain. In September 2025, a self-replicating worm known as "Shai-Hulud" compromised over 700 npm packages, targeting developer credentials and CI/CD pipelines (Recorded Future, 2025). In the same period, attackers also used fake npm help domains (npmjs[.]help) to phish maintainer credentials (Bastion, 2026). The Axios attack represents an evolution of this playbook — moving from phishing to direct social engineering and machine compromise.


Who Was Affected?


Any developer who ran npm install between approximately 00:21 and 03:15 UTC on March 31, 2026, and whose project resolved to axios@1.14.1 or axios@0.30.4, should treat that machine as fully compromised (SOCRadar, 2026).


Given Axios's position in the dependency tree, exposure went far deeper than developers who explicitly installed Axios. Because the malicious versions were briefly live on the registry, projects pulling Axios as a transitive dependency — baked inside other libraries — could also have resolved to the malicious release without any conscious choice by the developer. Socket's analysis of the "hidden blast radius" showed that dependency resolution mechanics exponentially expanded the number of potentially affected installs beyond what version numbers alone would suggest (Socket, 2026).


Affected platforms: macOS, Windows, and Linux. No platform was safe (Sophos, 2026).

Snyk's recommended remediation was unambiguous:

  • Isolate any system that ran npm install during the affected window

  • Rotate all secrets — every API key, SSH key, cloud credential, npm token, and GitHub token on the affected machine should be treated as stolen

  • Audit CI/CD pipelines — any build pipeline that ran during the window is suspect

  • Rebuild environments — do not attempt to clean compromised machines; rebuild from known-clean snapshots

  • Check logs for outbound connections to sfrclak[.]com or 142.11.206.73 (Snyk, 2026)


The Bigger Picture: Open Source's Human Problem


This attack is not really about npm. It is about a structural vulnerability at the heart of the open-source ecosystem.


Critical infrastructure — packages downloaded billions of times per week, powering financial systems, healthcare applications, and government services — is frequently maintained by one or two individuals with no institutional support, no security team, and no dedicated incident response capability. The Axios compromise succeeded not because of a flaw in the code, but because of a flaw in how we as an industry treat the humans who write and maintain the code.


As Socket noted, "This attack did not exploit a flaw in Axios itself. It exploited the ecosystem's trust, the maintainer's access, and the human layer of the software supply chain" (Socket, 2026).

Kenneth Reitz, creator of Python's Requests library — another piece of ubiquitous infrastructure — described the personal toll of maintaining critical open source in a March 2026 essay: "The same intensity that produced Requests produced the conditions for the worst experiences of my life. The engine was the same. It just had two outputs: beautiful software and shattered minds" (Reitz, 2026).


These are not isolated sentiments. They point to a systemic problem: we have outsourced significant portions of our digital infrastructure to individuals who receive little compensation, little protection, and increasingly, active targeting by nation-state actors.

The xz utils backdoor in 2024, where a North Korean-affiliated actor spent nearly two years building trust within a project before inserting a backdoor, followed the same long-game logic. The Axios attack was faster, but the underlying exploit was identical: the human being is the vulnerability (Socket, 2026).


What Needs to Change


The Axios hack is a forcing function for several overdue conversations:


1. Maintainer security support must become institutional. Companies that profit from open-source infrastructure — and there are thousands — have a responsibility to fund and protect the maintainers whose work they depend on. That means security audits, hardware key provisioning, and incident response support.


2. Publishing pipelines need machine-to-machine verification. Even when an attacker operates with a legitimate session, behavioral anomalies in publishing patterns — a new dependency added with no code changes, a package with no prior history suddenly added as a dep — should trigger automated review holds.


3. Supply chain hygiene is now a baseline requirement. Organizations should maintain a Software Bill of Materials (SBOM), use dependency pinning, and monitor for unexpected version resolutions. Tools like Socket, Snyk, and Aikido exist precisely for this purpose.


4. Social engineering training for open-source maintainers is non-negotiable. A sophisticated actor posing as a business collaborator is not a standard IT threat briefing scenario — but it is now demonstrably a real one.


Conclusion


The Axios npm compromise of 2026 is a watershed moment. It demonstrated that nation-state actors are no longer limiting their focus to corporate networks, government systems, or financial institutions. They are targeting the foundational layer of modern software itself — the open-source packages that silently power nearly everything — and they are doing it by going after the most human element in the chain: the individual developer.

Jason Saayman did not fail. He was outmaneuvered by a sophisticated, well-resourced adversary who knew exactly what to do once they had him engaged. The failure belongs to an ecosystem that left him — and leaves thousands like him — without the tools, training, or support to defend against that level of threat.


The code was fine. It was the human behind the code that was targeted.

And until we address that, no package manager, no registry, and no security control will be enough.


References

Aikido Security. (2026). Axios compromised on npm: Maintainer account hijacked, RAT deployed. https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat


Bastion. (2026). npm supply chain attacks 2026: Defense guide for SaaS teams. https://bastion.tech/blog/npm-supply-chain-attacks-2026-saas-security-guide


Cybersecurity and Infrastructure Security Agency. (2025, September 23). Widespread supply chain compromise impacting npm ecosystem. https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem


Microsoft Security Blog. (2026a, March 11). Contagious interview: Malware delivered through


Microsoft Security Blog. (2026b, April 1). Mitigating the Axios npm supply chain compromise. https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/


Recorded Future. (2025). Massive malicious npm package attack threatens software supply chains. https://www.recordedfuture.com/blog/massive-malicious-npm-package-attack-threatens-software-supply-chains


Reitz, K. (2026, March 18). Open source gave me everything until I had nothing left to give. https://kennethreitz.org/essays/2026-03-18-open_source_gave_me_everything_until_i_had_nothing_left_to_give

Snyk. (2026). Axios npm package compromised: Supply chain attack delivers cross-platform RAT. https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/


SOCRadar. (2026). Axios npm hijack 2026: Everything you need to know – IOCs, impact & remediation. https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/

Socket. (2026, April 2). Axios maintainer confirms social engineering attack behind npm compromise. https://socket.dev/blog/axios-maintainer-confirms-social-engineering-behind-npm-compromise


Sophos. (2026). Axios npm package compromised to deploy malware. https://www.sophos.com/en-us/blog/axios-npm-package-compromised-to-deploy-malware


The Hacker News. (2026, April). Google attributes Axios npm supply chain attack to North Korean group UNC1069. https://thehackernews.com/2026/04/google-attributes-axios-npm-supply.html


Tom's Hardware. (2026). One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT. https://www.tomshardware.com/tech-industry/cyber-security/axios-npm-package-compromised-in-supply-chain-attack-that-deployed-a-cross-platform-rat

 
 
 

Comments

Inquisitive Cybersecurity

  • alt.text.label.LinkedIn

©2024 by Inquisitive Cybersecurity. 

bottom of page