North Korean hackers hijacked Axios in a supply chain attack that took weeks to set up

A widely used project turned into a cyberattack vector
A North Korean cyber operation briefly hijacked Axios, one of the web’s most widely used open-source projects, in a March 31 attack that appears to have been weeks in the making. The compromise underscores how state-backed hackers are increasingly targeting trusted software infrastructure, where a single breach can ripple across thousands of systems.
Axios is a popular JavaScript library, an HTTP client for browsers and Node.js that developers use to make web requests from their applications. Because it sits inside so many software builds, often as a transitive dependency the developer never chose directly, a compromise of the project can have consequences far beyond the project itself. In this case, the malicious updates were live for only about three hours before being pulled, but that window may still have been enough to infect thousands of systems.
The attack was documented in a post-mortem by Jason Saayman, who maintains the project and laid out the timeline of the compromise. According to Saayman, the attackers began targeting him about two weeks before they gained control of his computer and used it to publish malicious code.
A long con built on trust
The operation relied less on brute force than on patience. Saayman said the attackers posed as a real company, created a convincing Slack workspace, and filled it with fake employee profiles to make the ruse look legitimate. They then invited him to a web meeting that prompted him to download malware disguised as an update required to join the call.
Saayman said the lure matched a technique previously associated with North Korean hackers and identified by Google security researchers: a social-engineering approach that convinces targets to install software that gives attackers remote access. In this case, that access appears to have been the key to pushing the malicious Axios releases.
The incident illustrates why open-source maintainers have become such high-value targets. Popular projects are often maintained by small teams or even a single developer, yet they can be embedded in countless applications and services. That makes the personal devices of maintainers an attractive entry point for attackers looking to compromise software at scale.
The risk extends far beyond one project
The malicious Axios packages were removed quickly, but not before they had a chance to spread. Any system that installed one of the compromised versions during the brief exposure window may have been vulnerable to theft of private keys, credentials, and passwords stored on that machine. Those stolen secrets can then be used to move deeper into other systems and services, turning a software supply chain incident into a broader breach.
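A practical first step for any team that installed or built during that window is to find out which axios versions are actually pinned in its lockfiles, including the nested copies that other dependencies pull in on their own. The script below is an added example, not code from the article or from the Axios project. It walks an npm lockfile (the flat `packages` map of lockfileVersion 2/3, or the nested `dependencies` tree of lockfileVersion 1), lists every installed copy of a package, and flags those whose exact version is on a bad list. The sample lockfile and the `PLACEHOLDER_BAD_VERSIONS` list are constructed for the demo; the real compromised version numbers must come from the project's advisory, not from this code.

```javascript
// Added example (not from the article or from the Axios project): find every
// copy of a package in an npm lockfile and flag the ones whose exact version
// is on a list of known-bad releases. The sample lockfile and the bad-version
// list are CONSTRUCTED for the demo; take the real compromised versions from
// the project's advisory, not from this file.

// Return all installed copies of `name` as {path, version, resolved}.
// Handles lockfileVersion 2/3 (flat "packages" map keyed by node_modules
// path) and falls back to the nested "dependencies" tree of lockfileVersion 1.
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry, not a dependency
      // The package name is whatever follows the last "node_modules/",
      // which keeps scoped names ("@scope/pkg") intact.
      const segments = path.split("node_modules/");
      const pkgName = segments[segments.length - 1];
      if (pkgName === name && meta.version) {
        found.push({ path, version: meta.version, resolved: meta.resolved || null });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", name, found);
  }
  return found;
}

// Recursive walk for lockfileVersion 1, rebuilding the node_modules path so
// nested copies (a dependency's own pinned axios) are reported separately.
function walkV1(deps, prefix, name, found) {
  for (const [depName, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${depName}`;
    if (depName === name && meta.version) {
      found.push({ path, version: meta.version, resolved: meta.resolved || null });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, name, found);
  }
}

// Exact-match filter: a compromised release is identified by its exact
// version string, so no semver range logic is applied here.
function flagCompromised(lock, name, badVersions) {
  const bad = new Set(badVersions);
  return findInstalled(lock, name).filter((p) => bad.has(p.version));
}

// Constructed sample lockfile (lockfileVersion 3). All versions are fake.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^0.0.1-sample" } },
    "node_modules/axios": {
      version: "0.0.1-sample",
      resolved: "https://registry.example/axios-0.0.1-sample.tgz",
    },
    "node_modules/some-sdk": { version: "4.0.0-sample", dependencies: { axios: "0.0.2-sample" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "0.0.2-sample",
      resolved: "https://registry.example/axios-0.0.2-sample.tgz",
    },
    "node_modules/follow-redirects": { version: "1.0.0-sample" },
  },
};

// PLACEHOLDER, not real data: the demo treats the nested transitive copy as bad.
const PLACEHOLDER_BAD_VERSIONS = ["0.0.2-sample"];

// Demo run against the constructed lockfile. For a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const hit of flagCompromised(SAMPLE_LOCK, "axios", PLACEHOLDER_BAD_VERSIONS)) {
  console.log(`COMPROMISED ${hit.path} @ ${hit.version}`);
}
```

The lockfile tells you what a clean `npm ci` would install; `npm ls axios --all` shows what is actually present in `node_modules` on a given machine, and the two can differ after ad-hoc installs. If either check turns up a flagged version, the article's own point applies: treat every key, token and password that was reachable from that machine as stolen and rotate it, rather than stopping at removing the package.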
That possibility is what makes this kind of attack so concerning. The immediate victim may be a developer’s laptop or a single package repository, but the eventual target can be far more expansive: the users and organizations that trust the project as part of their own software stack.
The Axios incident also fits a broader pattern. North Korean hackers remain among the most active cyber threats on the internet, and they have repeatedly been linked to operations that combine social engineering, credential theft, and remote-access malware. Their campaigns often blur the line between espionage and financially motivated crime, with cryptocurrency theft frequently part of the mix.
A familiar playbook, a larger warning
What makes this latest compromise stand out is not just the target, but the methodical way it unfolded. The attackers did not simply exploit a technical flaw in the project’s code. They invested time in building a believable identity, gaining the maintainer’s trust, and eventually obtaining access to the machine used to publish official updates.
That approach highlights a difficult reality for open-source ecosystems: the security of widely used software depends not only on code review and package monitoring, but also on the personal defenses of the people who maintain the code. As state-sponsored hackers and criminal groups continue to target those maintainers, the supply chain itself becomes a frontline in cyber conflict.
Saayman did not immediately respond to follow-up questions about the incident. The full scope of the compromise is still being assessed, but the lesson is already clear: when trusted software is hijacked, the blast radius can extend well beyond the project that was breached.