
APR 01, 2026 · 8 MIN READ

Axios Was Backdoored for Two Hours

On March 31, 2026, one of the most widely used JavaScript libraries — Axios — was silently compromised.

For a brief window of roughly two hours, attackers turned a trusted package into a malware delivery system.

And the scariest part?

Most developers didn’t even realize it happened.

---

What actually happened?

Attackers gained access to the npm account of a core Axios maintainer.

Using that access, they published two malicious versions:

  • axios@1.14.1
  • axios@0.30.4

These versions looked completely normal.

But under the hood, they included a hidden dependency called "plain-crypto-js".

This package was not part of Axios.

It was a trojan.

---

How the attack worked

When developers ran:

    npm install axios

the malicious dependency executed automatically through npm’s postinstall script.

Within seconds, it downloaded a Remote Access Trojan (RAT) onto the system.

This malware worked across:

  • Windows
  • macOS
  • Linux

Once installed, it could:

  • execute commands
  • access files
  • steal credentials
  • maintain persistent access

The system was fully compromised.

---

Why this attack is dangerous

Axios is used everywhere.

From small personal projects to large production systems.

It gets downloaded over 100 million times per week.

That means even a short attack window can impact thousands of developers globally.

The attack also removed its own traces after execution.

So even if you checked your node_modules later, everything looked clean.

That’s what makes supply chain attacks so powerful.

They exploit trust.

---

Timeline of the attack

  • March 30: attacker prepares malicious dependency
  • March 31 (00:21 UTC): malicious Axios version published
  • Within minutes: developers start installing it
  • ~2–3 hours later: npm removes the package

In just a few hours, systems around the world were exposed.

---

Who was behind it?

Security researchers linked the attack to a North Korea–associated threat group known as UNC1069.

This group has previously targeted:

  • crypto platforms
  • developers
  • financial systems

Their goal is usually financial gain or long-term access.

---

What should you do?

If you installed Axios during that time window:

Treat your system as compromised.

Recommended actions:

  • Rotate all API keys and secrets
  • Reinstall your system if possible
  • Check for unknown processes
  • Audit dependencies

If you're unsure — assume breach.
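
The "Audit dependencies" step can start from the lockfile, which records the exact versions npm resolved. The following is an added example, not part of the original post: it scans a parsed package-lock.json for the two malicious Axios versions and the plain-crypto-js dependency named above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Indicators named in this post: two malicious axios releases, one injected dependency.
const BAD_VERSIONS = new Map([["axios", ["1.14.1", "0.30.4"]]]);
const BAD_NAMES = ["plain-crypto-js"];
const NM = "node_modules/";

// Classify one lockfile entry; returns a finding object or null.
function check(name, version, where) {
  let reason = null;
  if (BAD_NAMES.includes(name)) reason = "injected dependency";
  else if ((BAD_VERSIONS.get(name) || []).includes(version)) reason = "malicious release";
  return reason && { name, version, where, reason };
}

// Scan a parsed package-lock.json. Reads the flat "packages" map
// (lockfileVersion 2 and 3), else the nested "dependencies" tree (version 1).
function findCompromised(lock) {
  const findings = [];
  const record = (hit) => { if (hit) findings.push(hit); };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const i = path.lastIndexOf(NM);
    const name = meta.name || (i < 0 ? path : path.slice(i + NM.length));
    record(check(name, meta.version, path));
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      record(check(name, meta.version, where));
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 has both; avoid duplicates
  return findings;
}

// Constructed sample lockfile (not from a real project); the
// plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/legacy/node_modules/axios": { version: "0.30.4" },
  },
};
console.log(findCompromised(SAMPLE_LOCK));
```

For a real project, pass the function the result of `JSON.parse` on the package-lock.json contents. A clean result only covers what that lockfile records, so an install made during the window without a committed lockfile still falls under the guidance above.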

---

The bigger lesson

This wasn’t just an Axios problem.

It’s a wake-up call.

Modern development relies heavily on open-source packages.

But every dependency introduces risk.

One compromised package can affect millions.

The real issue isn’t Axios.

It’s the ecosystem.