Forty-five million weekly downloads. One compromised maintainer. Three hours of exposure before anyone noticed.
That’s the math on the Axios incident.
In late March, North Korean state-sponsored hackers poisoned Axios: a JavaScript HTTP client library embedded in the technology stacks of Microsoft, Stripe, and thousands of smaller firms. The attack took roughly two weeks to execute through social engineering. The malicious packages were live for about three hours before being pulled. If your system installed updates during that window, you may have been exposed. The attack was attributed to the Lazarus Group by researchers at Socket Security and confirmed through analysis by Phylum.
How the attack unfolded
According to a detailed technical writeup published by Socket Security’s research team, the hackers began their targeting campaign roughly two weeks before gaining control of a maintainer’s computer. The playbook was patient and specific: the attackers posed as employees of a real company, created a convincing Slack workspace, and used fake employee profiles to build credibility over multiple interactions. This social engineering methodology is consistent with what Mandiant has documented as Lazarus Group tradecraft in its tracking of the cluster it designates as UNC4899.
The final step was a web meeting invitation that prompted the target to download what appeared to be a software update required to join the call. The download was malware. It granted the attackers remote access to the system. The lure closely matched a technique the FBI attributed to North Korean cyber actors in a September 2023 advisory warning about social engineering campaigns targeting cryptocurrency and decentralized finance developers. Once inside, the hackers published two poisoned Axios packages that could steal private keys, credentials, and passwords from any system that installed them.
Two weeks of work. Three hours of exposure. Thousands of potential victims.
The three-hour exposure window
The malicious packages were live for approximately three hours before being identified and removed, according to the npm security team’s incident timeline. The full scope of the compromise remains unclear, but any system that pulled the tainted update during that window may have been exposed. For a library as widely depended upon as Axios, with over 45 million weekly npm downloads and listed as a dependency in more than 115,000 GitHub repositories, even a brief window of compromise can cascade through thousands of downstream projects and production environments.
You’re running Axios right now. Probably.
Why this is attributed to North Korea
The attribution rests on multiple converging indicators, and none of them are subtle. Socket Security’s analysis identified code-level overlaps between the malicious payload injected into the Axios packages and malware samples previously attributed to the Lazarus Group by Kaspersky’s Global Research and Analysis Team (GReAT). The command-and-control infrastructure shared domain registration patterns and TLS certificate fingerprints with servers linked to prior Lazarus operations targeting cryptocurrency platforms. The social engineering playbook (fake company identities, fabricated Slack workspaces, malicious meeting software) matches techniques the FBI and CISA have jointly attributed to North Korean cyber operations in multiple public advisories. The credential-harvesting focus of the payload is consistent with Pyongyang’s known strategic objective of circumventing international financial sanctions through cyber theft, an operation the U.S. Treasury has linked to revenue generation for the regime’s weapons programs.
Open source as a strategic attack surface
The Axios incident fits a structural pattern: critical open source infrastructure maintained by individuals or small teams, with no meaningful institutional support for security. The economics here create a persistent asymmetry. Volunteer maintainers operate with limited resources while state-backed adversaries apply professional-grade social engineering campaigns lasting weeks or months. The incentive structure rewards attackers who invest patience in building trust with a single gatekeeper.
One person. That’s the security perimeter for software running on millions of machines.
North Korea operates extensive hacking units, which the U.S. Treasury, FBI, and United Nations Panel of Experts have documented in detail. Many of these operatives work under coercion, tasked with circumventing international financial sanctions through cyber theft. The regime was responsible for an estimated $1.7 billion in cryptocurrency theft in 2023 alone, according to Chainalysis. Supply chain attacks on open source projects offer a force multiplier: compromise one maintainer, access thousands of systems, harvest credentials at scale.
A systemic vulnerability
The broader question the Axios compromise raises is one of institutional design. The global software supply chain depends heavily on open source projects that lack security infrastructure commensurate with their importance. As state actors increasingly treat digital infrastructure as strategic terrain, the gap between the criticality of these projects and the resources available to protect them continues to widen. North Korea’s playbook works precisely because the structural incentives haven’t changed: the people who maintain foundational software still bear the security burden largely alone.

Feature image by Tima Miroshnichenko on Pexels