How to Mitigate the Axios Supply Chain Compromise in npm

Summary: Microsoft Threat Intelligence identified versions 1.14.1 and 0.30.4 of Axios as part of an attack attributed to Sapphire Sleet, a state-sponsored North Korean threat actor.

On March 31, 2026, Microsoft Threat Intelligence flagged versions 1.14.1 and 0.30.4 of the Axios package on npm as malicious. Both included a fake dependency used to download payloads from command-and-control domains associated with Sapphire Sleet, a state-sponsored North Korean threat actor.

The case is particularly sensitive because Axios is a widely used component in JavaScript applications, on both the client and the server side. This immediately expands the attack surface and makes rapid response an operational necessity: identifying affected installations, containing the execution of the compromised package, and rotating potentially exposed secrets.

Key facts

  • Sapphire Sleet, a state-sponsored North Korean group, was identified as the actor behind the compromise.
  • Two malicious versions of Axios were detected on npm: 1.14.1 and 0.30.4.
  • The infection was identified by Microsoft Threat Intelligence.

Why it matters

A compromise of a package as widespread as Axios can put systems, credentials, and development pipelines at risk very quickly, so early mitigation is critical.