On March 31, 2026, Microsoft identified two new versions of the npm package Axios (1.14.1 and 0.30.4) as malicious. These packages contain a hidden dependency that downloads second-stage payloads from command and control servers. This incident is attributed to the North Korean state-affiliated group Sapphire Sleet, known for its supply chain attacks.
Mitigating the Axios npm supply chain compromise
Summary: Microsoft reveals that two new versions of the Axios npm package, released on March 31, 2026, contain malware and are attributed to the North Korean state-affiliated group Sapphire Sleet.
Key facts
- Two new versions of the Axios npm package were identified as malicious (1.14.1 and 0.30.4)
- The malware downloads second-stage payloads from command and control servers
- The North Korean state-affiliated group Sapphire Sleet is responsible for the incident
Why it matters
This incident demonstrates how threat actors can use popular open-source packages to compromise large-scale systems. Organizations must remain vigilant and verify the versions of their npm dependencies.