
North Korean Hackers Hijack Axios Library Using Sophisticated Social Engineering
Key Takeaways
- Two malicious Axios npm versions published March 31.
- Weeks-long social engineering targeted Axios maintainers to gain access.
- Malware delivered via compromised packages included a cross-platform remote access Trojan.
The Two-Week Hack
North Korean hackers executed a two-week social engineering campaign to hijack the Axios library.
They created a convincing Slack workspace with fake employee profiles.

The target was tricked into downloading malware granting remote access to their system.
Attackers pushed two malicious Axios packages live for roughly three hours.
Axios has 45 million weekly downloads, so millions could have been exposed.
Broader Campaign Against Developers
The Axios hack was part of a sustained North Korean campaign targeting multiple Node.js maintainers.
The same tradecraft was used against several other prominent developers.

Google researchers had documented similar techniques by Lazarus Group before.
The operation's professionalism and patience make it particularly dangerous.
Wider Implications
The Axios compromise raised urgent questions about open-source software supply chain security.
The attack exploited the inherent trust developers place in each other's code.
Government actors and criminals are increasingly focusing on mass-market tools.
Well-resourced state actors can exploit social engineering to infiltrate vital software ecosystems.
More on Technology and Science

Typhoon Bavi Kills At Least 15 in Philippines as It Threatens Taiwan and Japan
19 sources compared

Wildfire Kills At Least 12 Near Los Gallardos, Leaving 23 Missing In Andalusia
41 sources compared

OpenAI Sunsets ChatGPT Atlas Browser, Pivots to ChatGPT Desktop App With ChatGPT Work
13 sources compared

FTC And Five States Reach 10-Year Right-To-Repair Settlement With Deere & Company
10 sources compared