How to Mitigate the Axios Supply Chain Compromise in npm


Summary: Microsoft Threat Intelligence identified versions 1.14.1 and 0.30.4 of Axios as part of an attack attributed to Sapphire Sleet, a state-sponsored North Korean threat actor.

On March 31, 2026, Microsoft Threat Intelligence flagged versions 1.14.1 and 0.30.4 of the Axios package on npm as malicious. Both included a fake dependency used to download payloads from command-and-control domains associated with Sapphire Sleet, a state-sponsored North Korean threat actor.

The case is particularly sensitive because Axios is a widely used component in JavaScript applications, on both the client and the server. This immediately expands the attack surface, making rapid response an operational necessity: identifying affected installations, containing the execution of the compromised package, and rotating potentially exposed secrets.
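The first response step above, identifying affected installations, can start from a project's lockfile. The following is an added example, not code from Microsoft or from this article: it scans a parsed package-lock.json for resolved axios entries at the two flagged versions. The function name and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag the two Axios versions named in this article in a parsed package-lock.json.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]); // versions from the article

// Returns [{ location, version }] for every resolved axios install at a flagged version.
function findFlaggedAxios(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [location, entry] of Object.entries(lock.packages)) {
      if (location === "") continue;
      // Aliased installs carry the real package name in `name`.
      const name = entry.name || location.split("node_modules/").pop();
      if (name === "axios" && BAD_AXIOS_VERSIONS.has(entry.version)) {
        hits.push({ location, version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested `dependencies` tree, so transitive copies need a walk.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (name === "axios" && BAD_AXIOS_VERSIONS.has(entry.version)) {
        hits.push({ location: [...trail, name].join(" > "), version: entry.version });
      }
      walk(entry.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.0.0" },
    "node_modules/http-client": { name: "axios", version: "0.30.4" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    axios: { version: "1.0.0" },
  },
};
console.log(findFlaggedAxios(sampleV3), findFlaggedAxios(sampleV1));
```

To check a real project, pass the function the result of `JSON.parse` on the project's package-lock.json. A hit means the lockfile resolves to a flagged version; it does not by itself show whether the package ran on a given machine.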

Key facts

  • Sapphire Sleet, a state-sponsored North Korean group, was identified as the actor behind the compromise.
  • Two malicious versions of Axios were detected on npm: 1.14.1 and 0.30.4.
  • The infection was identified by Microsoft Threat Intelligence.

Why it matters

A compromise in a package as widespread as Axios can put systems, credentials, and development pipelines at risk very quickly, so early mitigation is critical.