On March 31, 2026, Microsoft identified two new versions of the npm package Axios (1.14.1 and 0.30.4) as malicious. These packages contain a hidden dependency that downloads second-stage payloads from command and control servers. This incident is attributed to the North Korean state-affiliated group Sapphire Sleet, known for its supply chain attacks.
Mitigating the Axios npm supply chain compromise
Summary: Microsoft reveals that two new versions of the Axios npm package released on March 31, 2026, contain malware and are attributed to the North Korean state-affiliated group Sapphire Sleet.
Key facts
- Two new versions of the Axios npm package were identified as malicious (1.14.1 and 0.30.4)
- The malware downloads second-stage payloads from command and control servers
- The North Korean state-affiliated group Sapphire Sleet is responsible for the incident
Why it matters
This incident demonstrates how threat actors can use popular open-source packages to compromise large-scale systems. Organizations must remain vigilant and verify the versions of their npm dependencies.