
North Korean hackers hijack Axios open source project

Attackers use a fake company call to compromise the maintainer's laptop and publish malicious packages; a three-hour release window is enough for automated builds to spread them


Zack Whittaker, techcrunch.com

Two malicious updates to Axios were live for about three hours on March 31 after attackers compromised the laptop of the project’s maintainer and published tainted packages, according to TechCrunch and a post-mortem by maintainer Jason Saayman. Axios is a widely used JavaScript library for making HTTP requests, embedded deep in web and mobile application stacks; a bad release can travel far before anyone notices. Saayman said the operation began roughly two weeks earlier with a slow social-engineering campaign that culminated in a fake “business” call and a malware download disguised as a meeting update.

The mechanics matter because they bypass the usual discussion about “secure coding” and land on the messier reality: open source is often a handful of volunteers maintaining infrastructure that large companies treat as a free utility. In this case, the attackers reportedly created a plausible Slack workspace, populated it with fake employee profiles, and used a web meeting invitation as the delivery mechanism. Once Saayman’s machine was under remote control, publishing rights to the project became the attack surface; the malicious packages were pushed out as legitimate releases rather than as a noisy intrusion into downstream companies.

Supply-chain security has improved in the last few years—more signing, more automated dependency scanning, more corporate “open source program offices”—but the Axios incident highlights the weak link those programs rarely fix: the human maintainer account at the top of the tree. A dependency scanner can flag known bad versions after the fact, but it cannot stop a maintainer from uploading them in the first place. The window between “publish” and “pull” is exactly when automated build systems do their job: they fetch the newest version and deploy it.

The likely goal was credential and key theft. TechCrunch reports that any system that installed the malicious versions may have exposed private keys, passwords and other secrets stored on developer machines, enabling follow-on breaches that look unrelated to Axios. That is consistent with a broader pattern attributed to North Korean operators, who have repeatedly used social engineering to gain remote access and then pivot into cryptocurrency theft. TechCrunch cites researchers at Google who have documented similar lures, and notes estimates that North Korean hacking groups stole at least $2 billion in cryptocurrency in 2025.

For companies that rely on open source, the incident is a reminder that “free” software is often paid for elsewhere: in emergency patching, incident response, and rushed internal audits when a core dependency is poisoned. For maintainers, it underlines how quickly a trusted release channel can become a distribution network for malware when the maintainer’s laptop is treated as production infrastructure.

The malicious Axios packages were removed within roughly three hours. By then, the internet had already done what it does best: replicate the latest build everywhere it could reach.