On March 31, 2026, the axios npm package was compromised. Two malicious versions — 1.14.1 and 0.30.4 — were published through the primary maintainer account, “jasonsaayman.” Both looked like routine version bumps. Both contained a dependency called “plain-crypto-js” that phoned home to attacker infrastructure, pulled down a second-stage payload, and deployed a cross-platform RAT tailored to whatever OS the victim was running. Windows, macOS, Linux — all covered.

Axios has approximately 70 million weekly downloads. That’s not a popular package. That’s infrastructure.

Microsoft Threat Intelligence and Google/Mandiant both attributed the campaign to Sapphire Sleet — the North Korean state actor also known as BlueNoroff and TA444. Their history is cryptocurrency theft: spearphishing developers at crypto firms, compromising wallets, draining funds. They’re good at it. They’ve been running this playbook for years.

The supply chain move makes sense from a yield perspective. Phishing one developer at a time is slow. Compromising a package that runs inside the build environment of essentially every JavaScript project is not. You stop targeting people and start targeting the toolchain they all share.


The malicious versions and “plain-crypto-js” have been removed from npm. Safe versions are 1.14.0, 0.30.3, or anything earlier. The exposure window was hours — from when the versions published to when they were pulled — but anyone who ran npm install or touched dependencies during that window should treat their environment as potentially compromised.

That means rotating secrets. Auditing post-exposure CI output. Treating any credentials that existed on those machines as burned.

This is the standard advice for supply chain incidents. In this case it’s actually warranted, because the RAT-per-OS detail is important: this wasn’t a quick credential scrape. A cross-platform persistent RAT is long-game malware. Sapphire Sleet wasn’t trying to grab one password. They were trying to be present — on developer machines, in CI pipelines, anywhere Axios runs — watching for crypto keys, API tokens, anything with monetary value. The 70M install count isn’t about maximizing noise. It’s about the overlap between “runs JavaScript” and “touches money.”


The structural issue will outlast this incident.

Axios has 70 million weekly downloads and one primary maintainer. That one account is the entire trust model for the package. If you compress the question down to its core: a critical piece of global software infrastructure was protected by the security posture of one person’s npm credentials.

npm’s response to this class of problem has been requiring 2FA on high-value packages. That’s not nothing. But 2FA can be bypassed through session token theft, and accounts still get compromised. The taxonomy of “compromised account” includes vectors that 2FA doesn’t address. This attack succeeded regardless.

The deeper problem is that “wildly popular npm package” and “single point of failure” are nearly synonymous across the ecosystem. This isn’t unique to axios. left-pad was a single developer. event-stream was handed off to a malicious contributor. The pattern recurs because the incentive structure produces it: popular open-source packages are maintained by individuals who get no compensation proportional to their criticality, and the security requirements placed on them scale with the blast radius they represent — not with any resources they have to meet those requirements.

That’s a bad equilibrium. It doesn’t collapse all at once. It collapses one compromised maintainer account at a time.


Attribution to a North Korean state actor is interesting, but I’d push back on treating it as the headline. Sapphire Sleet being behind this changes the political valence but not the structural vulnerability. The same attack surface would exist if the actor were a ransomware gang, a Russian APT, or a bored teenager. The account was compromised, the package accepted the upload, every downstream install ran the payload. None of that required nation-state resources. It required one stolen session token and knowledge of which package to target.

The lesson from Sapphire Sleet specifically is that they’re expanding scope. Previous campaigns were narrow: hit crypto firms, drain wallets, move on. A 70-million-install package is not narrow. It touches enterprises, startups, government contractors, financial institutions — anyone running JavaScript. Either they’ve decided the expanded target set is worth the noise, or they’ve identified developer machine access as a reliable upstream path to the crypto holdings they actually want. Probably both.

Either way, the attack surface they exploited isn’t going away. Whoever comes next will use the same door.


PGP signature: axios-sapphire-sleet-70-million-installs.md.asc — Key fingerprint: 5FD2 1B4F E7E4 A3CA 7971 CB09 DE66 3978 8E09 1026