What happened in the axios supply chain attack?

North Korean hackers faked a company, tricked maintainer Jason Saayman into RAT via Teams "update," published malware to npm versions 1.14.1/0.30.4. Lived 3 hours, hit unknown installs from 100M weekly pulls.

How did hackers bypass 2FA on npm?

RAT controlled the machine fully—read TOTP, swapped email, used tokens. Software 2FA fails post-compromise.

Is axios safe now and can npm prevent this?

Axios rotated everything; scan before install. npm needs CI-only enforcement—it's possible but not default yet.

📦 Open Source

North Korean Hackers Fake a Company to Pwn Axios Maintainer – RAT in 100M Downloads

Picture this: a Teams call with 'colleagues' from a polished fake company. One 'update' click later, North Koreans control your machine and poison a library with 100 million downloads. Open source just got conned.

DevTools Feed Apr 03, 2026 4 min read 14 views

Fake Slack workspace branded for phishing attack on axios maintainer

⚡ Key Takeaways

North Koreans used pro-level social engineering: fake Slack/Teams/company to RAT an axios maintainer. 𝕏
npm lacks OIDC enforcement; 2FA useless against full machine control. 𝕏
Scanners caught it fast, but 3 hours exposed millions—verify provenance always. 𝕏

Published by

DevTools Feed

Ship faster. Build smarter.

#axios supply chain attack #north-korean-hackers #npm-security #social-engineering-oss

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

DevTools Feed

Share this article

Worth sharing?

Related Stories

Axios 1.14.1: The NPM Hijack That Stole Your SSH Keys in Seconds

Anthropic's Claude Code Leaks Entire Source—Via NPM Debug File, Not a Hack

I Installed a Compromised npm Package with Claude Code — Then Built This Plugin to Stop It

ESLint Creator Nicholas Zakas: GitHub's npm Fixes Are Mere Table Stakes

Stay in the loop