"This was not opportunistic. It was precision." — How North Korean hackers used Microsoft Teams and Slack to compromise Windows PCs with an elaborate ploy
It's been about a week since suspected hackers out of North Korea temporarily compromised axios, one of the world's most popular JavaScript HTTP client libraries. Now, more details are emerging about how the hack was achieved, and why it's pertinent knowledge for Windows, macOS, and Linux users.
The original hijacking occurred when bad actors were able to compromise axios maintainer Jason Saayman's primary account. This allowed for the publishing of two malicious axios versions to npm (a massive public registry of tools available for download) on March 30, 2026.
The compromised uploads, axios@1.14.1 and axios@0.30.4, were quickly recognized by StepSecurity, and Saayman was able to remove them within about three hours of being published.
This was not opportunistic. It was precision.
Ashish Kurmi (StepSecurity)
Despite the relatively quick action to remove the compromised uploads, axios usually sees more than 100 million downloads every week. This makes it difficult to determine exactly how many users downloaded the remote access trojan (RAT).
Saayman explains the entire axios supply chain compromise in a post-mortem blog post published on GitHub, including some steps you can take to ensure that your machine (whether it's Windows, macOS, or Linux) is not compromised. I strongly recommend checking them out if you deal with axios, as the RAT is capable of stealing sensitive credentials from your system.
How do Microsoft Teams and Slack fit into the axios hack's timeline?
TechCrunch, in speaking with Google, brought the North Korea angle to light. The attack was attributed to UNC1069, a "financially motivated threat actor" who's been pulling these types of ploys "since at least 2018."
North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far-reaching impacts.
John Hultquist, Google Threat Intelligence Group chief analyst (via TechCrunch)
Here's where the story really takes off. According to Saayman, the timeline of the attack began roughly two weeks before March 31, when a "social engineering campaign [was] initiated against the lead maintainer."
Saayman goes into more details in the comments section of the post-mortem post. He explains that the bad actors "reached out masquerading as the founder of a company" after having cloned the founder's likeness and the company itself.
Saayman was then invited to a Slack workspace with all the right company branding, mock LinkedIn post sharing, and fake team profiles. After scheduling a meeting with Saayman on Microsoft Teams, a fake "missing update" requested a small install.
This, of course, was where the RAT was downloaded onto the maintainer's PC. Teams wasn't compromised; it was just faked and used as a medium to deliver the Trojan.
As Saayman points out, "Everything was extremely well coordinated, looked legit, and was done in a professional manner." That's a tough one, and you do have to feel bad for anyone duped by such an elaborate ploy.
Axios is now investigating the breach and ways to avoid the same from happening again in the future.
Cale Hunt brings to Windows Central more than nine years of experience writing about laptops, PCs, accessories, games, and beyond. If it runs Windows or in some way complements the hardware, there’s a good chance he knows about it, has written about it, or is already busy testing it.