216.73.216.86

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

· Published 02/04/2026 00:59

Export JSON

Essential information

Published
02/04/2026 00:59
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
axios library cross-platform rat dprk attribution javascript trojan npm hijacking plain-crypto-js supply chain attack waveshaper waveshaper overlap
Related entities
1 vulnerabilities (cve), 28 indicators, 4 observables, 19 techniques (mitre), 2 malware

Description

A sophisticated compromised the Axios JavaScript library after threat actors hijacked an npm maintainer account, releasing malicious versions v1.14.1 and v0.30.4. These versions contained a hidden dependency called , which deployed a cross-platform remote access Trojan affecting Windows, macOS, and Linux systems. The malware performed reconnaissance, established persistence, and included self-destruct capabilities for evasion. Using a heavily obfuscated dropper script, the attack fetched platform-specific payloads from a command-and-control server while disguising traffic as legitimate npm registry requests. All variants shared identical C2 protocols and beaconed every 60 seconds. The campaign impacted multiple sectors across the U.S., Europe, Middle East, South Asia, and Australia, with analysis showing overlap with DPRK-linked operations.

External references