From Axios NPM Supply Chain Attack to Tracking DPRK’s BlueNoroff
Key Facts
A supply chain attack affecting the NPM (Node Package Manager) package “Axios” (a widely used JavaScript HTTP client) was made public at the end of March 2026.
DCSO’s analysis of the published indicators and email addresses suggests connections to the DPRK-linked threat actor “BlueNoroff”, based on overlaps between activities historically attributed to BlueNoroff and the infrastructure identified in this case.
DCSO observed overlaps in the threat actor’s techniques as well as their financial motivation, which indicates a reuse of known TTPs.
This blog post was authored by Sebastian Degner.
Photo by Florian Krumm on Unsplash
Introduction
Since March 31, 2026, various cybersecurity companies have published reports about a malicious Node Package Manager (NPM) package affecting the widely used HTTP client Axios. Axios is one of the most used JavaScript HTTP client libraries. According to Elastic Security Labs, the email address of one of the original maintainers was changed …