Axios npm package
JavaScript HTTP library; v1.14.1 and v0.30.4 backdoored by North Korea's UNC1069 on 31 March 2026.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

How many CI/CD pipelines automatically pulled the backdoored Axios version during the 3-hour window?

Timeline for Axios npm package

5 May: Compromised by UNC1069 via maintainer phishing, with WAVESHAPER.V2 injected into two versions
(Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing)
Common Questions
Is my Axios npm package safe after the 2026 backdoor?
Axios v1.14.1 and v0.30.4 were backdoored between 00:21 and 03:20 UTC on 31 March 2026. If your package-lock.json shows either version was installed during that window, your environment should be treated as compromised. Update to the latest clean version and check for the plain-crypto-js dependency. (Source: GTIG / Mandiant)

How did North Korea get into the Axios npm package?
UNC1069 phished an Axios package maintainer to obtain npm publishing credentials, then used those credentials to push a new version containing the WAVESHAPER.V2 backdoor hidden inside the dependency plain-crypto-js. (Source: GTIG)

What should developers do if they used Axios v1.14.1 or v0.30.4?
Developers who installed Axios v1.14.1 or v0.30.4 during the 31 March 2026 window should update immediately, audit for the plain-crypto-js dependency, and treat affected build environments as potentially compromised pending forensic investigation. (Source: GTIG / Mandiant)
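The two checks the answers above describe (is either affected Axios version pinned in package-lock.json, and is plain-crypto-js present anywhere in the tree) can be automated over a lockfile. The script below is an added example written for this briefing; it is not code from the briefing, from GTIG/Mandiant, or from the Axios project. It assumes only the two version numbers and the dependency name stated on this page, and it handles both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree. The three sample lockfiles are constructed for illustration; the "clean" version number is chosen only to differ from the two named above.

```javascript
"use strict";

// Indicators taken from the briefing: the two backdoored Axios releases and the
// dependency that carried WAVESHAPER.V2.
const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const SUSPICIOUS_DEPENDENCY = "plain-crypto-js";

// Flatten a parsed package-lock.json into { name, version, path } records.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree.
function collectPackages(lock) {
  const found = [];
  if (lock.packages && typeof lock.packages === "object") {
    const marker = "node_modules/";
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // "" is the root project, not an installed package
      const idx = key.lastIndexOf(marker);
      if (idx < 0) continue; // workspace links and similar entries are skipped
      found.push({ name: key.slice(idx + marker.length), version: entry.version, path: key });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`); // nested (deduplicated) installs
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Accepts a parsed lockfile object or its JSON text and returns
// { compromised, findings }, one finding per matching package.
function assessLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const pkg of collectPackages(lock)) {
    if (pkg.name === "axios" && AFFECTED_AXIOS_VERSIONS.has(pkg.version)) {
      findings.push({ kind: "affected-axios-version", ...pkg });
    }
    if (pkg.name === SUSPICIOUS_DEPENDENCY) {
      findings.push({ kind: "suspicious-dependency", ...pkg });
    }
  }
  return { compromised: findings.length > 0, findings };
}

// Constructed sample: a lockfileVersion 3 project that resolved to 1.14.1, which
// pulled plain-crypto-js in as a nested dependency.
const SAMPLE_LOCK_V3_AFFECTED = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed sample: a lockfileVersion 1 project on the backdoored 0.30.x line.
const SAMPLE_LOCK_V1_AFFECTED = {
  name: "legacy-app", lockfileVersion: 1,
  dependencies: {
    axios: { version: "0.30.4", dependencies: { "plain-crypto-js": { version: "1.0.0" } } },
  },
};

// Constructed sample: an unaffected version and no suspicious dependency.
const SAMPLE_LOCK_CLEAN = {
  name: "clean-app", lockfileVersion: 3,
  packages: { "": { name: "clean-app" }, "node_modules/axios": { version: "1.7.9" } },
};

// Report on the constructed samples; pass a real lockfile's text to assessLockfile()
// to scan an actual project.
for (const [label, lock] of [["sample v3", SAMPLE_LOCK_V3_AFFECTED],
                             ["sample v1", SAMPLE_LOCK_V1_AFFECTED],
                             ["sample clean", SAMPLE_LOCK_CLEAN]]) {
  const result = assessLockfile(lock);
  console.log(`${label}: ${result.compromised ? "TREAT AS COMPROMISED" : "no indicator found"}`);
  for (const f of result.findings) console.log(`  ${f.kind}: ${f.path}@${f.version}`);
}
```

A lockfile records what was resolved, not when it was installed, so a hit on one of the two versions says the pin exists but not by itself that the install happened inside the 00:21 to 03:20 UTC window; pair this check with the CI job history for that period. A clean lockfile is also not proof of safety if a pipeline installed without committing its lockfile, which is why the answers above recommend treating build environments as potentially compromised pending investigation.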

Background

The Axios npm package is a popular JavaScript HTTP client library used by developers across Node.js and browser environments to make API requests. As of early 2026, Axios v1.14.1 sees approximately 100 million weekly downloads and v0.30.4 approximately 83 million weekly downloads, making it one of the most-used packages in the npm ecosystem. On 31 March 2026, between 00:21 and 03:20 UTC, North Korea-nexus actor UNC1069 inserted the malicious dependency `plain-crypto-js` into both these versions after phishing a package maintainer and obtaining publishing credentials.

Any developer who ran `npm install` or any automated build pipeline that updated dependencies during the 2-hour 59-minute injection window may have installed the backdoored version containing WAVESHAPER.V2. Because CI/CD pipelines frequently run on schedules rather than manually, many organisations may have ingested the compromised package before the compromise was detected. Google Threat Intelligence Group and Mandiant disclosed the breach publicly on 5 May 2026 — 35 days after the injection.

The Axios incident follows a pattern of supply-chain attacks targeting high-download npm packages, including the 2021 ua-parser-js compromise and the 2023 node-ipc incident. The scale of Axios's weekly downloads amplifies the blast radius: even a short injection window can reach tens of thousands of build pipelines that auto-update their dependencies.
