In early April 2025, North Korean state-sponsored hackers compromised the Axios HTTP library, one of the most downloaded npm packages with over 45 million weekly downloads. The attackers used social engineering to convince the sole maintainer to install malware on his machine.
They gained remote access and published malicious versions 1.7.8 and 1.7.9 to npm. These versions contained obfuscated code designed to steal environment variables and authentication tokens from systems that installed them.
The compromised versions were live for around 72 hours before being removed. The attack was attributed to the Lazarus Group, linked to previous campaigns including TraderTraitor.
Organizations using Axios should audit dependency lockfiles, rotate all affected secrets, and pin to version 1.7.7 or 1.7.10. Security tools like Socket, Snyk, and Dependabot can help detect behavioral anomalies in package updates.
This incident underscores how vulnerable open source projects are when maintained by a single individual. As nation-states target maintainers for intelligence gains, companies must invest in securing their software supply chains.
