
Axios, a tool widely used to develop software applications, was compromised overnight, introducing a vulnerability in a key part of the internet’s plumbing.
Hackers were able to breach one of the few accounts that can release new versions of Axios late Monday and published malicious versions of it. Axios, or Axios NPM, is a client library that software developers use to send requests to servers — allowing software to connect to the web — and is downloaded about 80 million times every week. npm packages are reusable bundles of code that make it faster to develop software.
Google’s Threat Intelligence Group linked the compromise to a suspected North Korean hacking group.
The hacked code was live for about three hours before it was discovered and removed from circulation. The extent of the damage and the purpose of the breach are still unclear.
“North Korean hackers have deep experience with supply chain hacks, which they primarily use to steal cryptocurrency,” said John Hultquist, chief analyst for the Google group, in a statement. “The full breadth of the incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts.”
The malicious code could be used to breach major operating systems including Windows, macOS and Linux, according to John Hammond, senior principal security researcher at the cybersecurity firm Huntress. “The scope of this compromise is significant” because of how widespread the Axios product is, he said. Anyone who has downloaded the malicious version of Axios could then have their own computer — and the data stored on it — stolen by hackers.
This type of supply-chain hack — where a bad actor gets into a system through a vulnerability in a third party — has become more common in recent years. In 2020, a suspected Russian state-sponsored group breached software manufactured by the US company SolarWinds and deployed a malicious update, which led to follow-on compromises at nine US government agencies and about 100 companies.
“The primary concern is no longer initial access alone, but the potential blast radius and the extent of any compromise already established,” Jon Robertson, managing director at Australian cybersecurity firm Tarian Cyber, said in an email.
Robertson and Hammond each said they’d seen an impact from the attack by Tuesday morning. Robertson said software development companies and internal developers had been affected by the hack. Hammond had identified at least 135 compromised computers.
Rafe Pilling, director of threat intelligence in the Sophos Counter Threat Unit, described the incident as serious but said the damage appeared to have been limited. “Fortunately it was detected early, which has likely blunted the intended impact,” he said.
Axios is maintained by a community of contributors on the GitHub platform, rather than by a single company, and its code can be viewed by anyone. The hackers targeted one of the main developers responsible for maintaining it, breaching his GitHub account, according to researchers who examined the attack, including StepSecurity.
The attack, designed to cover the hacker’s tracks, was one of the “most operationally sophisticated supply chain attacks” ever documented against a large NPM, according to the StepSecurity analysis. The attackers created a system to install a harmful script before self-destructing, hiding the attack from developers inspecting the code. “This was not opportunistic. It was precision,” the research said.
Photo credit: Jason Alden/Bloomberg
Copyright 2026 Bloomberg.

