North Korean state actor Sapphire Sleet compromised the project’s lead maintainer by stealing a long-lived npm access token. #javascript #axios #npm #infosec #devsecops #supplychain #cybersecurity #softwaredevelopment #opensource #technology https://lnkd.in/edGvDK6P
North Korean hackers steal npm access token
A hijacked maintainer account just poisoned millions of JavaScript projects in under three hours.

The recent Axios npm attack demonstrates how fragile our software supply chain truly is. When attackers compromised a single maintainer's account, they managed to inject malware into one of the most trusted JavaScript libraries through hidden dependencies. The scope is staggering – Axios powers countless enterprise applications and developer tools worldwide.

This isn't just another security incident; it's a wake-up call for every development team. The attack vector was sophisticated yet simple: compromise the human element, exploit trust relationships, and let automated systems do the rest. Traditional security scanning missed it because the malicious code was buried deep in dependency trees.

What's your organization doing to audit third-party dependencies? How are you balancing development velocity with supply chain security?

https://lnkd.in/eERCnjM3
One hijacked npm account and a two-line package.json edit put a RAT dropper inside one of the most downloaded JavaScript libraries on the internet.

On March 31, 2026, attackers published two malicious versions of Axios, axios@1.14.1 and axios@0.30.4, through a compromised maintainer account. The packages were live for under three hours before npm unpublished them. Axios has between 100 and 300 million weekly downloads.

The attacker hijacked the `jasonsaayman` maintainer account, changed the registered email to an anonymous ProtonMail address, and used a long-lived npm access token to publish manually, bypassing the project's trusted GitHub Actions publisher flow. The Axios source code was untouched. A single dependency was added to package.json: `plain-crypto-js@4.2.1`, a package the attacker had staged the previous day with a clean decoy version to build publishing history.

That dependency's postinstall hook executed an obfuscated Node.js dropper that detected the operating system, beaconed to C2 infrastructure at sfrclak.com, downloaded platform-specific RAT payloads, then deleted itself and overwrote package.json with a clean version. The malware targeted SSH keys, cloud credentials, API keys, and crypto wallets before cleaning its tracks. Any CI/CD pipeline or developer workstation that ran npm install during the three-hour window with unpinned caret version ranges was exposed.

Takeaways and Recommendations

● Audit lockfiles immediately for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1. If found, rotate all secrets on that machine without exception. SSH keys, cloud tokens, npm tokens, and API credentials must be treated as compromised.
● Long-lived npm access tokens are a persistent attack surface. Maintainers of high-impact packages must use short-lived OIDC tokens via trusted publisher flows and revoke all legacy tokens.
● Run CI pipelines with `--ignore-scripts` to prevent postinstall hooks from executing during dependency installation. This single control stops this entire class of attack.
● Implement package age and integrity scanning tools such as Socket in CI pipelines. Brand-new packages added as dependencies to established libraries warrant immediate scrutiny.

#CyberSecurity #SupplyChainSecurity #npm #SoftwareSupplyChain #DevSecOps
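One way to do the lockfile audit the post above calls for, as an added example that is not code from any of these posts or from the Axios project. It runs under Node, flags the exact versions named in the incident plus any dependency whose lockfile entry carries npm's `hasInstallScript` flag (the marker for preinstall/install/postinstall hooks in lockfileVersion 2/3), and reads a constructed sample lockfile embedded inline; the `auditLockfile` and flatten helpers are names chosen here.

```javascript
// Added example (not from the posts above or the Axios project): audit an npm
// lockfile for the versions named in the incident and for any dependency that
// declares an install-time script (recorded as "hasInstallScript" in
// lockfileVersion 2/3 entries; v1 lockfiles carry no such flag).
const KNOWN_BAD = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
  ["plain-crypto-js", null], // null: every version of this package is a finding
]);

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function flattenV1(deps, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    out.push({ name, version: meta.version, hasInstallScript: false });
    if (meta.dependencies) flattenV1(meta.dependencies, out);
  }
  return out;
}
// lockfileVersion 2/3: flat "packages" map keyed by install path such as
// "node_modules/a/node_modules/@s/b"; the name is everything after the last "node_modules/".
function flattenV2(packages, out) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    out.push({ name, version: meta.version, hasInstallScript: Boolean(meta.hasInstallScript) });
  }
  return out;
}

// One finding per flagged entry; an empty array means nothing matched.
function auditLockfile(lock) {
  const entries = lock.packages ? flattenV2(lock.packages, []) : flattenV1(lock.dependencies, []);
  const findings = [];
  for (const e of entries) {
    const bad = KNOWN_BAD.get(e.name);
    if (KNOWN_BAD.has(e.name) && (bad === null || bad.has(e.version))) {
      findings.push({ name: e.name, version: e.version, reason: "known-compromised" });
    } else if (e.hasInstallScript) {
      findings.push({ name: e.name, version: e.version, reason: "install-script" });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 layout): one bad axios pin plus the staged dependency.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  "node_modules/follow-redirects": { version: "1.15.6" },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an "install-script" finding is not proof of compromise, only a prompt to review that package before letting its hooks run.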
Exploit code has been published for protobuf.js, a JavaScript implementation of Google's Protocol Buffers. The tool is highly popular on the Node Package Manager (npm) registry with nearly 50 million downloads per week. It is used mostly for inter-service communication, real-time applications, and efficient data storage in databases and clouds. https://lnkd.in/eRKS98PG #cyber #cybersecurity #hacking #applicationsecurity #ciso #informationsecurity
One of the most widely used JavaScript libraries in the world just became part of a supply chain attack.

Axios, with over 300 million weekly downloads, was recently affected by malicious npm versions that distributed a Remote Access Trojan (RAT). The attack didn't rely on phishing, exploits, or user mistakes. It used something far more dangerous: normal development workflows. A simple npm install or npm update was enough to pull compromised code into applications. From there, attackers could establish persistence, access sensitive data, and potentially move further into internal environments.

This is what makes modern supply chain attacks so effective. They don't need to break into systems, no, it is more elegant, they are invited in as dependencies.

For many organisations, axios is not just another library. It sits deep inside backend services, frontend applications, APIs, and CI/CD pipelines. That means the blast radius of such an incident is not limited to a single system, but can extend across entire development and production environments.

The uncomfortable reality is that developers did everything "right". They used trusted libraries, followed standard processes, and relied on official package managers. And still, the compromise happened. Yeah, sounds scary.

This is a strong reminder that:
> open-source dependencies are part of your attack surface,
> trust in packages is not static,
> and software supply chain security is no longer optional.

Monitoring dependency integrity, validating package sources, and having visibility into what actually runs in your environments is becoming just as important as traditional security controls. Because today, attackers don't need to exploit your system, they just need to become part of your codebase.

Sources: GitHub issue discussions, StepSecurity analysis, and reporting by The Hacker News.

#CyberSecurity #SupplyChainSecurity #OpenSource #npm #JavaScript #DevSecOps #ThreatIntelligence #InfoSec
Photo by Lucas Andrade: https://lnkd.in/d9-RbvAR
Axios npm Package Compromised — What Every Developer Needs to Know

On March 31, 2026, attackers hijacked the npm account of the lead Axios maintainer and published two malicious versions of one of the most widely used JavaScript libraries (~100M weekly downloads).

Affected versions:
• axios@1.14.1
• axios@0.30.4

These versions silently installed a cross-platform Remote Access Trojan (RAT) the moment anyone ran npm install — stealing cloud credentials, API tokens, SSH keys, and giving attackers persistent access to the machine. The entire compromise took ~15 seconds.

The malicious packages were removed within ~3 hours, but if you or your CI/CD pipeline ran npm install during that window (00:21–03:15 UTC, March 31), assume full compromise.

✅ Immediate steps:
1️⃣ Check your package-lock.json or yarn.lock for axios@1.14.1, axios@0.30.4, or plain-crypto-js
2️⃣ Downgrade: npm install axios@1.14.0 --ignore-scripts
3️⃣ Delete node_modules/plain-crypto-js
4️⃣ Rotate ALL credentials — API keys, cloud access keys, tokens. Revoke and reissue, don't just rotate.
5️⃣ If compromised: isolate the machine and re-image. Do not attempt in-place cleanup.

Supply chain attacks are becoming more frequent and more sophisticated. This is a reminder to verify package provenance, pin your dependencies, and never blindly trust the npm registry.

Stay safe out there. Share this — your network needs to know. 🔁

#CyberSecurity #SupplyChainAttack #JavaScript #npm #Axios #DevSecOps #OpenSource #React #ReactNative
🚨 This Axios Incident Changed How I Look at Dependencies 🚨

This recent incident really made me rethink how I handle dependencies.
- A compromised npm account
- Malicious Axios versions published
- A hidden dependency installing a Remote Access Trojan (RAT)

All triggered by a simple: npm install

Key realization: Even trusted libraries can become attack vectors overnight.

This attack could expose:
- API keys
- AWS credentials
- Sensitive data

What I'm changing:
- Reviewing dependencies more carefully
- Locking versions strictly
- Avoiding unnecessary packages
- Staying cautious with postinstall scripts

Axios itself isn't the problem — the ecosystem risk is. Security is no longer optional — it's part of development.

https://lnkd.in/gFBV4amB

#JavaScript #CyberSecurity #NodeJS #NPM #Developers #DevOps
The axios npm package was hit by a supply chain attack on March 31, 2026, and if you are a JavaScript developer, this one hits close to home.

Axios has roughly 100 million weekly downloads. It is in almost every React, Node.js, or full-stack project out there. Two versions of it (1.14.1 and 0.30.4) were weaponized within a 3-hour window.

Here is what happened:

Attackers compromised the npm account of jasonsaayman, the primary axios maintainer, and changed the registered email to an attacker-controlled ProtonMail address. Using that access, they published two poisoned releases that injected a hidden dependency: plain-crypto-js@4.2.1, a fake lookalike of the legitimate crypto-js library.

That package executed a postinstall script the moment you ran npm install, silently dropping a cross-platform Remote Access Trojan (RAT) targeting Windows, macOS, and Linux. The malware then contacted a C2 server (sfrclak.com:8000), harvesting SSH keys, cloud tokens, API keys, and environment secrets, then self-deleted to wipe its own traces.

How was it caught?

Three security firms independently identified this attack:
- Socket.dev: Their automated scanner flagged the malicious plain-crypto-js within 6 minutes of publication (00:05 UTC)
- StepSecurity: Their AI Package Analyst and Harden-Runner detected anomalous outbound connections during live CI runs, including in the widely used Backstage repository
- Snyk: Published a full technical breakdown of the attack chain and blast radius

The malicious versions were live for roughly 3 hours (00:21 to 03:29 UTC) before npm pulled them.

What makes this particularly alarming:

The attack was pre-staged 18 hours in advance. Three platform-specific RAT payloads were pre-built. Both the 1.x and 0.x release branches were hit within 39 minutes of each other. The malware cleaned up after itself, so npm audit shows nothing. This was not opportunistic.

If you use axios, act now:
- Pin to version 1.14.0 or 0.30.3 (confirmed safe)
- Use npm ci instead of npm install in CI/CD pipelines
- Rotate any secrets from environments where the affected versions ran
- Add plain-crypto-js to your dependency blocklist

This is a reminder that open-source trust is one of our industry's largest attack surfaces. Lockfiles, postinstall script auditing, and runtime monitoring are not optional. They are baseline hygiene.
🚨 Axios Supply Chain Attack: Wake-Up Call for Every Full-Stack Developer

For a week, the affected versions (1.14.1 / 0.30.4) included a hidden dependency that would execute a cross-platform RAT… simply by running npm install. No suspicious code in the repository. No obvious red flags. Just trust... weaponized.

This one hurts because it challenges a deep assumption:
👉 "If it's popular, it's safe."

Reality: Your app isn't just your code. Your app is your entire dependency tree. Your CI/CD pipelines can turn into attack vectors. One compromised maintainer can result in millions of victims downstream.

How this changes things for me as a developer:
Lockfiles are no longer optional (npm ci vs npm install).
Postinstall scripts are potential attack surfaces.
Pinning versions is more important than auto-update dependencies.
Monitoring network traffic during builds is a requirement.

The scariest part? Most affected developers wouldn't even know they are victims of a supply chain attack.

#FullStack #JavaScript #CyberSecurity #OpenSource #DevOps
100 million weekly downloads. One compromised maintainer account. Under three hours. That’s how the axios npm attack played out on March 31. Hrvoje Filaković, our Cybersecurity Engineer, breaks down exactly what happened: how the attacker staged a clean decoy package 18 hours in advance, bypassed OIDC Trusted Publishing via a long-lived token, and built platform-specific malware that deleted itself before npm install even finished. If your team ships JavaScript, check your lockfile for axios@1.14.1 or axios@0.30.4 – and read the full breakdown on our blog: https://lnkd.in/d6DzF_93
🚨 You didn't write the malicious code. You didn't click a suspicious link. Yet your system got compromised.

Welcome to the world of Supply Chain Attacks — and every JavaScript developer needs to understand this.

🏪 Real life analogy first:
Imagine buying milk from a trusted shop. You trust the shopkeeper. But what if someone poisoned the milk at the factory itself? That's exactly a supply chain attack. The attacker doesn't target you directly — they target what you trust.

💻 In the npm world, here's how it works:
You run → npm install axios
npm pulls → axios@1.14.1 (compromised version)
Which brings → plain-crypto-js@4.2.1 (the actual malware)
postinstall runs → setup.js
Result → RAT installed on your machine. Silently.

This is exactly what happened on March 31, 2026 with Axios — one of npm's most downloaded packages with 100M+ weekly downloads. The attacker hijacked the lead maintainer's account, published poisoned versions, and self-destructed all evidence after execution. npm audit couldn't even detect it.

😈 What could an attacker steal?
✦ Your .env secrets
✦ AWS / cloud credentials
✦ SSH private keys
✦ npm tokens
✦ Full remote access to your machine

🛡️ How to protect yourself:
✅ Always pin your dependency versions in package.json
✅ Use npm ci instead of npm install in CI/CD
✅ Add --ignore-scripts flag where possible
✅ Never store raw secrets in your environment without rotation policies
✅ Audit node_modules for unexpected transitive dependencies

The scary truth? You did everything right. You used a trusted, well-known package. And you still got hit.

This is why supply chain security is now one of the most critical skills for modern developers — not just DevOps or security engineers.

Open source is powerful. But blind trust is dangerous.

Stay curious. Stay skeptical. Keep learning. 🙏

#JavaScript #WebSecurity #npm #SupplyChainAttack #NodeJS #CyberSecurity #MERN #FrontendDevelopment #OpenSource #DevSecOps