Krux

April 3, 2026
Axios npm Package Hijacked: 600,000 Downloads in 3 Hours
Published: April 3, 2026 at 12:39 AM
Updated: April 3, 2026 at 12:39 AM
What happened
On March 31, North Korean hackers compromised Axios maintainer credentials and injected malware into the popular JavaScript library. The first machine was infected 89 seconds after the poisoned version went live. The attack bypassed Axios's modern security controls (OIDC, SLSA provenance, GitHub Actions) using a single long-lived npm access token the team forgot to delete. Attackers timed the drop for just after midnight UTC on a Sunday, pre-staged their payload 18 hours earlier, and made the malware self-delete after installation.
Why it matters
The backdoor hit Windows, macOS, and Linux simultaneously, calling home to a command server before vanishing from disk.
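One defensive check that follows from the token-based bypass described above, as an added example that is not from the article or the Axios project: flag any release published without a provenance attestation after earlier releases carried one. It assumes the npm registry packument layout (`time`, `versions[v].dist.attestations`) and that a release pushed with a long-lived token carries no attestation; the package name, versions and timestamps are constructed.

```javascript
// Added example: detect a provenance regression in npm registry metadata.
// Assumption: releases published from CI via OIDC carry dist.attestations,
// while a release pushed with a long-lived token does not.

// Constructed packument (package name, versions and times are made up).
const samplePackument = {
  name: "example-lib",
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2026-03-31T00:05:00.000Z",
    "1.0.0": "2025-01-01T00:00:00.000Z",
    "1.1.0": "2025-06-01T10:00:00.000Z",
    "1.2.0": "2026-01-15T09:30:00.000Z",
    "1.2.1": "2026-03-31T00:05:00.000Z",
  },
  versions: {
    "1.0.0": { dist: {} },
    "1.1.0": { dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
    "1.2.0": { dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
    "1.2.1": { dist: {} },
  },
};

// True when the version metadata references a provenance attestation.
function hasProvenance(versionMeta) {
  return Boolean(versionMeta?.dist?.attestations?.provenance?.predicateType);
}

// Walk releases in publish order and report any release that lacks
// provenance after at least one earlier release had it.
function findProvenanceRegressions(packument) {
  const releases = Object.keys(packument.versions || {})
    .filter((v) => packument.time && packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  let seenProvenance = false;
  const flagged = [];
  for (const version of releases) {
    if (hasProvenance(packument.versions[version])) {
      seenProvenance = true;
    } else if (seenProvenance) {
      flagged.push({ version, published: packument.time[version] });
    }
  }
  return flagged;
}

console.log(findProvenanceRegressions(samplePackument));
```

Version 1.0.0 is not flagged because it predates the package's first attested release; only a drop from attested to unattested is reported.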