Axios NPM Package Compromised in Supply‑Chain Attack by North‑Korean Threat Actor
What Happened — A North‑Korea‑linked group hijacked the maintainer account of the widely‑used axios JavaScript library, publishing malicious versions to the npm registry. The compromised packages inject a back‑door payload into downstream applications during the build process.
Why It Matters for TPRM —
- Third‑party libraries are a common attack surface; a single compromised dependency can affect thousands of downstream vendors.
- Supply‑chain compromises bypass traditional perimeter defenses, exposing organizations to hidden code execution risks.
- Many SaaS and enterprise applications embed axios for HTTP requests, amplifying potential impact across sectors.
Who Is Affected — Technology & SaaS vendors, cloud‑hosted services, API providers, and any organization that incorporates axios in its software supply chain.
Recommended Actions —
- Immediately audit all code repositories for references to axios versions ≥ 0.27.2 and ≤ 0.28.0.
- Replace compromised versions with the official patched release (≥ 0.28.1) and verify integrity with npm audit or Snyk.
- Enforce strict dependency pinning and use reproducible builds to prevent inadvertent upgrades.
- Review third‑party risk policies to include continuous monitoring of open‑source component provenance.
Technical Notes — The attacker leveraged a compromised maintainer credential to publish malicious tarballs containing a hidden WebSocket‑based implant that exfiltrates environment variables and API keys. No public CVE was assigned; the attack vector is a third‑party dependency injection. Affected data includes source code, configuration secrets, and potentially customer data processed by compromised applications. Source: Security Affairs Malware Newsletter Round 91