The Axios npm supply chain attack: What every developer needs to know
Blog post from WorkOS
In a significant supply chain attack on March 31, 2026, the widely used JavaScript package Axios was compromised by North Korean state-sponsored actors, affecting any machine that ran npm install during a short two-to-three-hour window. The attackers took over the npm account of Axios's lead maintainer, published a decoy package, and then used the hijacked account to release malicious versions of Axios, which installed a remote access trojan (RAT) capable of credential theft and persistent access.

The attack involved meticulous planning, including an 18-hour pre-staging phase and a dual-tag targeting strategy, highlighting the increasing sophistication of nation-state cyber threats against open-source supply chains. The incident underscores the vulnerability of open-source ecosystems, particularly JavaScript, because of their complex dependency networks, and it emphasizes the need for stronger security practices: committing lockfiles, disabling lifecycle scripts, requiring npm publish provenance, and throttling automated dependency updates.

Organizations are advised to take immediate remediation steps if affected, including isolating compromised machines, rotating credentials, and auditing access logs. The broader lesson is that package management needs a rigorous approach if similar incidents are to be prevented in the future.