Two updated versions of the package, 1.14.1 and 0.30.4, were compromised by a malicious dependency that installs remote access trojans.
Microsoft Threat Intelligence has attributed this campaign to Sapphire Sleet, a North Korean state-sponsored threat actor known for leveraging AI and social engineering to scale its cyber operations.
The breach was carried out using a technique known as dependency insertion, which enables silent install-time code execution.
The attackers injected a fake runtime dependency, plain-crypto-js@4.2.1, into the new Axios releases while leaving the core application logic untouched.
This malicious dependency relies on a post-install hook that triggers automatically when a developer or continuous integration system runs package installation commands, requiring zero user interaction.
The attacker server delivers distinct payloads based on the system architecture. On macOS systems, the attack drops a native binary named com.apple.act.mond into the cache directory and runs it silently in the background.
For Windows environments, a PowerShell trojan is deployed. This Windows variant establishes persistence by adding a registry run key, ensuring the malware restarts at every user sign-in.
Microsoft Threat Intelligence linked the account that published the malicious dependency directly to Sapphire Sleet.
Active since at least March 2020, this North Korean group primarily targets the financial sector, cryptocurrency organizations, and blockchain platforms.
Their main objective is to steal cryptocurrency wallets to generate revenue. While the group often leverages fraudulent meeting links and fake job recruiters, this latest attack highlights an aggressive shift toward open-source supply chain poisoning.
Organizations that have installed Axios versions 1.14.1 or 0.30.4 must take immediate remedial action. Microsoft strongly advises rotating all secrets and credentials exposed to compromised systems.
Developers should completely remove the affected files and downgrade their Axios deployments to safe versions, such as 1.14.0 or 0.30.3.
To prevent unauthorized updates, organizations should turn off automated dependency upgrades by removing caret (^) or tilde (~) symbols from their package.json files, forcing the project to rely only on explicitly pinned versions.
Security teams are advised to flush their local package caches using the npm cache clean --force command and review network egress logs for any outbound connections to the malicious infrastructure on port 8000.
For environments where it is feasible, developers can turn off post-install scripts by default to stop similar hooks from executing.
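The remediation steps above (check installed versions, find floating ranges in package.json, look for egress on port 8000) can be scripted. The following Node.js audit is an added example written for this page; it is not code from the article, from Microsoft, or from the Axios project. The package names, versions and port come from the article; the lockfile, the package.json ranges and the egress log format are constructed sample data, and the script assumes the npm v7+ lockfile layout (a "packages" map keyed by path, with "hasInstallScript" marking packages that declare install scripts).

```javascript
// Added example (not from the article, Microsoft or the Axios project): audit
// helpers for the remediation steps. Package names, versions and the port are
// taken from the article; all data structures below are constructed samples.

// Releases the article names as compromised, and the injected dependency.
const AFFECTED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const MALICIOUS_DEPENDENCY = 'plain-crypto-js';
const SUSPICIOUS_EGRESS_PORT = 8000;

// Constructed package-lock.json in the npm v7+ layout (lockfileVersion 3):
// "packages" is keyed by install path, '' being the root project.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.14.0', express: '~4.18.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/express': { version: '4.18.2' },
  },
};

// Constructed egress log lines: "<time> <src ip> -> <dst ip>:<port> <action>".
// Destination addresses are RFC 5737 documentation ranges, not real hosts.
const SAMPLE_EGRESS_LOG = [
  '2024-01-01T10:00:00Z 10.0.1.5 -> 192.0.2.10:443 ALLOW',
  '2024-01-01T10:00:07Z 10.0.1.5 -> 203.0.113.9:8000 ALLOW',
  '2024-01-01T10:00:09Z 10.0.1.7 -> 198.51.100.23:8000 ALLOW',
  '2024-01-01T10:01:00Z 10.0.1.5 -> 192.0.2.44:443 ALLOW',
];

// Walk the lockfile and report compromised axios releases, the injected
// dependency, and any package that declares an install-time script.
function findAffectedPackages(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    // Package name is everything after the last "node_modules/" (handles nesting and scopes).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'axios' && AFFECTED_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ path, reason: `axios ${entry.version} is a compromised release` });
    }
    if (name === MALICIOUS_DEPENDENCY) {
      findings.push({ path, reason: `${MALICIOUS_DEPENDENCY} is the injected dependency` });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, reason: 'declares an install script (runs at install time)' });
    }
  }
  return findings;
}

// Flag caret/tilde ranges, which let an install pick up a newer release on its
// own, and suggest the exact version to pin to. Other floating syntaxes
// ("*", ">=", "x") exist in npm but are not covered here.
function findFloatingRanges(deps) {
  return Object.entries(deps)
    .filter(([, range]) => /^[\^~]/.test(range))
    .map(([name, range]) => ({ name, range, pinned: range.replace(/^[\^~]/, '') }));
}

// Parse the constructed log format and return connections to the given port.
function findEgressToPort(lines, port) {
  const re = /^(\S+) (\S+) -> (\S+):(\d+) (\S+)$/;
  const hits = [];
  for (const line of lines) {
    const m = re.exec(line);
    if (m && Number(m[4]) === port) hits.push({ time: m[1], src: m[2], dst: m[3] });
  }
  return hits;
}

// Combine the three checks into one report for a project.
function auditProject(lock, egressLines) {
  return {
    affected: findAffectedPackages(lock),
    floating: findFloatingRanges((lock.packages[''] || {}).dependencies || {}),
    egress: findEgressToPort(egressLines, SUSPICIOUS_EGRESS_PORT),
  };
}

console.log(JSON.stringify(auditProject(SAMPLE_LOCK, SAMPLE_EGRESS_LOG), null, 2));
```

In the sample, the root project asked for `^1.14.0` and the lockfile resolved `1.14.1`, which is exactly how a caret range pulls in a compromised patch release; the `pinned` field shows the exact version to write back into package.json. Port 8000 hits are only a lead, since the port is widely used; they need correlating with the attacker hosts, which the article does not list. The install-script check can be enforced project-wide by setting `ignore-scripts=true` in the project's `.npmrc`, which is the standard npm setting behind the "turn off post-install scripts" advice above.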
Microsoft Defender has already deployed comprehensive protections across endpoints and cloud resources, automatically detecting and blocking these specific malicious components to protect organizations from further compromise.
The post Axios npm Supply Chain Attack Prompts Microsoft Mitigation Guidance appeared first on Cyber Security News.