The Axios Hack Spotlight Cards

9 cards (intro + 8)

CYBER INCIDENT

The Axios Hack

How North Korean hackers turned a routine software install into a cyber weapon

@worldincards

The Attack

On March 31, 2026, hackers slipped a hidden spy program into a popular software tool. Any developer who ran a routine install had their computer silently taken over, before the install even finished.

3h

Window of danger

The poisoned software was live for about 3 hours before anyone noticed

100M

Downloads per week

How many times this tool is normally downloaded every week

1.1s

Seconds to infect

The spy program called home before the download even finished

Axios Library

Axios is a tool that helps apps talk to the internet. Most websites and apps you use daily rely on it behind the scenes, from online banking to food delivery to social media.

100M+

Downloads every week

One of the most popular software building blocks in the world

174K

Apps built on it

Other tools and apps that depend on Axios to function

80%

Of cloud systems use it

Found in 4 out of 5 cloud environments worldwide

npm Registry

npm is like an app store for developers. When building apps, they download ready-made building blocks from npm. The catch: installing a package can secretly run code on your computer with full access to your files.

2M+

Packages available

Millions of building blocks developers can install with one command

0

Sandboxing

Downloaded code runs with full access to your files, passwords, and keys

auto

Scripts run silently

Install scripts execute automatically without asking for permission

Jason Saayman

The lead maintainer of Axios. Hackers stole his account credentials and used his trusted identity to publish the poisoned versions. It's like a thief stealing a pharmacist's keys to swap medicine on the shelves.

1

Account was all it took

One stolen login gave hackers the keys to the kingdom

2FA

Security disabled

Attackers changed the account's email address and disabled two-factor authentication

0:21

UTC - first poisoned version published

Released after midnight to maximize time before anyone noticed

BlueNoroff

A North Korean government hacker group, also known as Sapphire Sleet. Part of the infamous Lazarus Group. They specialize in stealing cryptocurrency to fund the regime and have been active since at least 2018.

2018

Active since

At least 8 years of sophisticated cyberattacks worldwide

DPRK

State-sponsored

Backed by the North Korean government to generate revenue

6+

Known aliases

UNC1069, Sapphire Sleet, TA444, CryptoCore, and more

The Trojan

The hackers planted a Remote Access Trojan, a hidden spy program that gives full control over an infected computer. It could read files, steal passwords, run commands, and download more malware. Then it erased its own tracks.

3

Platforms targeted

Custom-built spy programs for Windows, Mac, and Linux

60s

Check-in with hackers

The spy program contacted the hackers every 60 seconds for orders

auto

Self-destructing

Deleted its own files after installing to avoid detection

StepSecurity

The security company that first caught the attack and raised the alarm. Their AI-powered monitoring spotted the suspicious behavior within hours, limiting the damage before millions more could be infected.

< 3h

Time to detect

Spotted and reported before the attack could spread further

AI

How they caught it

Their AI Package Analyst flagged the hidden malicious dependency

0

Lines of Axios changed

The attackers never touched Axios itself, only added a hidden extra dependency

The Fallout

Any developer who installed the poisoned version should assume their entire machine is compromised. Passwords, cloud keys, access tokens, everything. The full impact is still being uncovered weeks later.

ALL

Secrets at risk

Passwords, SSH keys, cloud tokens, API keys, everything on the machine

0

Warnings shown

No popup, no alert. The malware ran silently during a routine install

wipe

Recovery method

Affected machines should be wiped and rebuilt from scratch
