news
Microsoft NPM Causes Security Catastrophes, Microsoft Transmits Malware to Sites and More
-
Scoop News Group ☛ Attack on axios software developer tool threatens widespread compromises [Ed: NPM is Microsoft, so Microsoft transmits malware]
Axios is a JavaScript client library used in web requests. The unknown attacker hijacked the npm account — npm being a package manager for JavaScript — of the lead axios maintainer, and then published malicious versions of axios with remote access trojans to npm. That happened on Sunday night going into Monday morning, cybersecurity firm Huntress said, before the poisoned versions were pulled.
-
Hacker News ☛ Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
-
Dark Reading ☛ Axios NPM Package Compromised in Precision Attack
The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months.
Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: axios@1.14.1 and axios@0.30.4.
-
Silicon Angle ☛ Hackers compromise popular Axios Javascript library with hidden malware
The widely used Axios HTTP client library, a JavaScript component used by developers, was recently hacked to distribute malware via a compromised account. Attackers exploited a hijacked account on npm, a default package manager for Node.js, a tool that allows developers to share, install and manage JavaScript project code to distribute the malicious software.
-
Step Security ☛ axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity
axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform specific second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.
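The StepSecurity excerpt describes two lockfile-visible indicators: a known-bad version of a package, and a dependency that exists only to run a postinstall script. As an added example (not code from StepSecurity or the axios project), the script below audits a package-lock.json for both; the package names and versions come from the excerpt, and the lockfile is constructed for the demo.

```javascript
// Added example, not code from any article quoted above: a small lockfile audit
// for the two indicators the StepSecurity excerpt describes, a known-bad
// version of a package and a dependency that exists only to run an install
// lifecycle script. Package names and versions come from the excerpt; the
// lockfile below is constructed for the demo.
const KNOWN_BAD = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Constructed package-lock.json (lockfileVersion 3 layout: "packages" is keyed
// by the install path; npm records hasInstallScript for packages whose
// package.json declares preinstall/install/postinstall).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "4.2.1", "follow-redirects": "^1.15.6" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" part.
function packageName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Returns one finding per (package, reason); an empty array means nothing flagged.
function scanLockfile(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project itself
    const name = packageName(installPath);
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(meta.version)) {
      findings.push({ name, version: meta.version, reason: "known-malicious version" });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: "declares an install lifecycle script" });
    }
  }
  return findings;
}

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

Pointing scanLockfile at a real lockfile (parsed with JSON.parse) surfaces every package that will run code at install time, which is the list worth reviewing even when no known-bad version matches.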
-
The Record ☛ Google links axios supply chain attack to North Korean group
On Monday evening, news emerged that hackers launched a supply chain attack targeting the HTTP client axios, which is downloaded 100 million times each week and embedded across frontend frameworks, backend services and enterprise applications.
Google Threat Intelligence Group (GTIG) joined several other researchers in attributing the attack to a North Korean threat actor they call UNC1069. SentinelOne found the same group using macOS-based malware in attacks dating back to 2023.
-
Cyble Inc ☛ Axios Supply Chain Attack Exposes Malicious Npm Packages
The attacker altered the account’s registered email to a ProtonMail address and used the npm CLI to publish the compromised packages. This bypassed the cryptographic protection typically enforced by trusted publishing workflows, making the malicious releases appear legitimate at first glance.
-
Simon Willison ☛ Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Supply Chain Attack on Axios Pulls Malicious Dependency from npm (via) Useful writeup of today's supply chain attack against Axios, the HTTP client NPM package with 101 million weekly downloads. Versions 1.14.1 and 0.30.4 both included a new dependency called plain-crypto-js which was freshly published malware, stealing credentials and installing a remote access trojan (RAT).
-
Andrew Nesbitt ☛ npm’s Defaults Are Bad
Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.
-
Silicon Angle ☛ Anthropic accidentally exposes Claude Code source code in npm packaging error
Anthropic PBC has accidentally exposed the source code for its Claude Code command-line interface tool through a packaging error that led to the inclusion of sensitive files in a publicly distributed node package manager or npm release.
The day after:
-
Tom's Hardware ☛ One of JavaScript's most popular libraries compromised by hackers — Axios npm package hit in supply chain attack that deployed a cross-platform RAT
An attacker compromised the npm account of a lead Axios maintainer on March 30, and used it to publish two malicious versions of the widely used JavaScript HTTP client library.
-
Security Week ☛ Axios NPM Package Breached in North Korean Supply Chain Attack
A long-lived NPM access token was used to bypass Microsoft's proprietary prison GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions.
-
Security Affairs ☛ Attackers hijack Axios npm account to spread RAT malware
Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads, and published malicious versions to spread remote access trojans across Linux, Windows, and macOS. The supply chain attack was identified by multiple security firms after the rogue updates appeared on the npm registry.
Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.
A couple more:
-
Cyble Inc ☛ North Korea's Lazarus Group Behind The Axios Npm Supply Chain Attack
On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript’s most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea’s Lazarus Group, and the scale of the fallout is considerably larger than initially understood.
-
NVISO Labs ☛ Axios npm attack: rapid hunting with KQL and response guide | NVISO
On March 31, 2026, two malicious Axios versions (1.14.1 and 0.30.4) were briefly published to npm via a compromised maintainer account. The only change performed was the addition of a trojanized dependency, whose postinstall script deployed a cross-platform RAT (for macOS, Windows, and Linux). Although the Axios packages were removed within hours, multiple hits were observed in our MDR service, mainly across developer workstations and Docker containers. In this blog post, we briefly walk through the details of the incident, share our observations, and provide KQL hunting queries used to identify and assess exposure across our MDR customers.
Late addition:
-
The Axios supply chain attack used individually targeted social engineering
• They scheduled a meeting with me to connect. The meeting was on MS Teams. The meeting had what seemed to be a group of people that were involved.
• The meeting said something on my system was out of date. I installed the missing item as I presumed it was something to do with Teams, and this was the RAT.