
Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines

Attackers hijacked the npm account of an Axios maintainer and used it to publish releases of the widely used HTTP client that drop a remote-access trojan (RAT) on the machines that install them, a significant software supply chain breach aimed squarely at developers.

Key points

  • Attackers hijacked the npm account of Axios maintainer "jasonsaayman" and used it to publish the malicious versions 1.14.1 and 0.30.4 of axios.
  • The compromised releases pulled in a new dependency, "plain-crypto-js@4.2.1", which installed platform-specific backdoors on Windows, macOS, and Linux.
  • Google’s Threat Intelligence Group attributed the attack to UNC1069, a suspected North Korean threat actor.
  • The malicious versions were pushed straight from the npm CLI rather than through the project's GitHub Actions release workflow, so they bypassed the project's normal CI/CD pipeline.
  • Developers who installed the affected versions are advised to rotate any credentials, tokens, and keys reachable from the affected machine and to consider rebuilding compromised systems from scratch rather than trusting a cleanup.

Why it matters

This incident shows how much risk sits in the software supply chain: one compromised maintainer account was enough to push malware to every project that picked up the poisoned releases, potentially millions of downstream users. Because Axios is a foundational tool for web development, the breach also shows attackers treating developer machines and build infrastructure as a path to persistent access inside enterprise environments.

Source: The Register (theregister.com), by Carly Page