www.darkreading.com 3/31/2026, 9:36:02 PM · via preferred

Axios NPM Package Compromised in Precision Attack

The Axios NPM package was compromised in what researchers described as a high‑profile supply‑chain attack, with two malicious versions published to NPM: [email protected] and [email protected]. According to StepSecurity, the malicious versions impersonated the crypto-js library and installed a remote‑access Trojan (RAT) that can operate across Windows, Linux and Mac.

The attack began after the lead maintainer’s account, "jasonsaayman", was compromised, and the dropper contacted a live command‑and‑control server to deliver platform‑specific payloads before self‑destructing. The packages remained active for about three hours before NPM removed traces of the campaign, and Endor Labs notes one malicious version was exposed for more than 21 hours before a security hold.

Google Threat Intelligence attributed the activity, which Google described as potentially broad in impact, to suspected North Korean threat actor UNC1069. End users were urged to check for indicators of compromise and to verify dependencies, given the incident’s sophistication and stealth, which included replacing the affected package.json with a clean version post‑infection.

Article by CyberSIXT