
Axios npm package compromised to deploy malware

On March 30, 2026, a supply chain attack targeted Axios, a widely used JavaScript HTTP client for web and Node.js applications. Third-party researchers identified that Axios versions 1.14.1 and 0.30.4 published to the npm registry were compromised following the apparent takeover of a legitimate maintainer account. The attacker used that account to publish unauthorized package updates that appeared legitimate.

The affected releases introduced a malicious dependency that executes during installation and deploys a cross‑platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform‑specific second‑stage payloads. After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection.

Sophos observations

Activity related to this threat was first detected in Sophos customer telemetry at approximately 00:45 UTC on March 31, with widespread impact by 01:00 UTC. macOS, Windows, and Linux systems were impacted, but there is no evidence of threat actors conducting follow-on activity as of this publication.

Counter Threat Unit™ (CTU) analysis of the Axios npm compromise revealed artifacts linked to previous activity attributed to the NICKEL GLADSTONE threat group. This state-sponsored group focuses on generating revenue for the North Korean regime. The artifacts include identical forensic metadata and C2 patterns, as well as connections to malware used exclusively by NICKEL GLADSTONE. Based on these artifacts, it is highly likely that NICKEL GLADSTONE is responsible for the Axios attacks.

Recommended actions

CTU™ researchers recommend that organizations review Axios packages in their environments and determine if potentially affected versions have been installed. Organizations should update vulnerable packages to trusted versions or apply appropriate mitigations. CTU researchers also advise reviewing system and application logs for unusual activity that may indicate compromise.
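As an added example (not code from Sophos or the Axios project), the following Node.js script implements the first recommended action: it scans a package-lock.json object for the affected Axios versions and the plain-crypto-js 4.2.1 package listed in Table 1, and separately lists every package that npm flagged as running an install script, since the dropper in this campaign executed at install time. The sample lockfile is constructed inline; on a real system, parse package-lock.json with fs.readFileSync and pass the result to these functions.

```javascript
const AFFECTED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
function isAffected(name, version) {
  return Boolean(AFFECTED[name] && AFFECTED[name].has(version));
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 nests "dependencies" objects. Both are handled here.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 13);
    if (isAffected(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isAffected(name, entry.version)) hits.push({ path, name, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lockfile.packages) walk(lockfile.dependencies, '');
  return hits;
}

// Packages npm flagged with preinstall/install/postinstall scripts
// (lockfileVersion 2/3 only). The dropper ran at install time, so these
// deserve review even when every version looks clean.
function findInstallScripts(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path, entry]) => path !== '' && entry.hasInstallScript)
    .map(([path]) => path);
}

// Constructed sample lockfile for demonstration; not a real project's file.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

console.log(findAffected(SAMPLE_LOCKFILE), findInstallScripts(SAMPLE_LOCKFILE));
```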

Protections and threat indicators

The following Sophos protections relate to this threat:

  • JS/Agent-BLYB
  • Troj/PSAgent-CN
  • Troj/PyAgent-BZ
  • OSX/NukeSped-CB
  • WIN-EVA-PRC-RENAMED-POWERSHELL-1

The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domains, URL, and IP address may contain malicious content, so consider the risks before opening them in a browser.

| Indicator | Type | Context |
|---|---|---|
| 21d2470cae072cf2d027d473d168158c | MD5 hash | Malicious Axios version (axios-1.14.1.tgz) |
| 2553649f2322049666871cea80a5d0d6adc700ca | SHA1 hash | Malicious Axios version (axios-1.14.1.tgz) |
| 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd | SHA256 hash | Malicious Axios version (axios-1.14.1.tgz) |
| d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 | SHA1 hash | Malicious Axios version (axios-0.30.4.tgz) |
| 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f | SHA256 hash | Malicious Axios version (axios-0.30.4.tgz) |
| db7f4c82c732e8b107492cae419740ab | MD5 hash | Malicious Axios version (plain-crypto-js-4.2.1.tgz) |
| 07d889e2dadce6f3910dcbc253317d28ca61c766 | SHA1 hash | Malicious Axios version (plain-crypto-js-4.2.1.tgz) |
| 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 | SHA256 hash | Malicious Axios version (plain-crypto-js-4.2.1.tgz) |
| 7658962ae060a222c0058cd4e979bfa1 | MD5 hash | Artifact from Axios attack (setup.js) |
| b0e0f12f1be57dc67fa375e860cedd19553c464d | SHA1 hash | Artifact from Axios attack (setup.js) |
| e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SHA256 hash | Artifact from Axios attack (setup.js) |
| 089e2872016f75a5223b5e02c184dfec | MD5 hash | Windows first-stage payload in Axios attacks (system.bat) |
| 978407431d75885228e0776913543992a9eb7cc4 | SHA1 hash | Windows first-stage payload in Axios attacks (system.bat) |
| f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd | SHA256 hash | Windows first-stage payload in Axios attacks (system.bat) |
| 04e3073b3cd5c5bfcde6f575ecf6e8c1 | MD5 hash | Windows second-stage payload in Axios attacks (6202033 PowerShell RAT) |
| a90c26e7cbb3440ac1cad75cf351cbedef7744a8 | SHA1 hash | Windows second-stage payload in Axios attacks (6202033 PowerShell RAT) |
| 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | SHA256 hash | Windows second-stage payload in Axios attacks (6202033 PowerShell RAT) |
| 7a9ddef00f69477b96252ca234fcbeeb | MD5 hash | macOS payload in Axios attacks (com.apple.act.mond) |
| 13ab317c5dcab9af2d1bdb22118b9f09f8a4038e | SHA1 hash | macOS payload in Axios attacks (com.apple.act.mond) |
| 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | SHA256 hash | macOS payload in Axios attacks (com.apple.act.mond) |
| 9663665850cdd8fe12e30a671e5c4e6f | MD5 hash | Linux payload in Axios attacks (ld.py) |
| 59faac136680104948e083b3b67a70af9bfa5d5e | SHA1 hash | Linux payload in Axios attacks (ld.py) |
| fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | SHA256 hash | Linux payload in Axios attacks (ld.py) |
| 8c782b59a786f18520673e8d669e3b0a | MD5 hash | Windows malware persistence file in Axios attacks (system.bat) |
| ae39c4c550ad656622736134035f17ca7a66a742 | SHA1 hash | Windows malware persistence file in Axios attacks (system.bat) |
| e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff | SHA256 hash | Windows malware persistence file in Axios attacks (system.bat) |
| sfrclak[.]com | Domain name | C2 server linked to Axios attacks |
| callnrwise[.]com | Domain name | Linked to Axios attackers |
| hxxp://sfrclak[.]com:8000/6202033 | URL | C2 server linked to Axios attacks |
| 142[.]11[.]206[.]73 | IP address | C2 server linked to Axios attacks |
| nrwise@proton[.]me | Email address | Linked to Axios attackers |
| ifstap@proton[.]me | Email address | Linked to Axios attackers |
| C:\ProgramData\wt.exe | File path | Windows malware location in Axios attacks |
| C:\ProgramData\system.bat | File path | Windows first-stage malware location in Axios attacks |

Table 1: Indicators for this threat