Axios
#Axios
- Reported: 2026-03
- Locations: Unknown
- Motivations: #SupplyChain
- Sectors: #Technology
Summary
The Axios supply chain incident was a highly impactful compromise of the widely used npm package axios (≈100 million weekly downloads). An attacker hijacked a maintainer's account and published two malicious versions (1.14.1 and 0.30.4) that silently introduced a rogue dependency ([email protected]) containing a postinstall backdoor. Upon installation, this dependency executed an obfuscated dropper that fetched and deployed a cross-platform Remote Access Trojan (RAT) targeting Windows (PowerShell), macOS (C++), and Linux (Python). All variants shared a unified command-and-control protocol and functionality, enabling full remote control, data exfiltration, and persistence. The malicious code also performed anti-forensic cleanup (self-deletion and restoring package files) to evade detection. Notably, the compromised versions were tagged as both "latest" and "legacy," maximizing infection reach during the short exposure window. The attack demonstrated a sophisticated, pre-staged supply chain operation that leveraged transitive dependencies and automated install hooks to achieve widespread, stealthy compromise across developer environments and production systems.
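As an added example (not part of the original page and not axios project tooling), the following Node.js script audits a parsed package-lock.json for the two axios versions named above and lists every package that declares install scripts, the hook type the summary describes. The sample lockfile and the package names `example-dep`, `legacy-client` and `other` are constructed placeholders.

```javascript
// Added example: audit a parsed package-lock.json for the axios versions on this page.
const COMPROMISED = new Set(["axios@1.14.1", "axios@0.30.4"]); // versions from the summary

// Name from a v2/v3 "packages" key: "node_modules/a/node_modules/@s/b" -> "@s/b"; root "" -> null.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = { compromised: [], installScripts: [] };
  const check = (name, version, where, hasScript) => {
    if (COMPROMISED.has(`${name}@${version}`)) {
      findings.compromised.push({ name, version, where });
    }
    if (hasScript) findings.installScripts.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, covers transitive copies
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || nameFromPath(path);
      if (name && path !== "") check(name, meta.version, path, meta.hasInstallScript === true);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; this format has no hasInstallScript field
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = prefix + name;
        check(name, meta.version, where, false);
        if (meta.dependencies) walk(meta.dependencies, where + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (not real data); package names other than axios are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/example-dep": { version: "2.0.0", hasInstallScript: true },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
    "node_modules/other/node_modules/axios": { version: "1.7.0" },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

To audit a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.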