The axios@1.14.1 Attack: What Happened and How to Protect Your Team
In March 2026, North Korean threat group UNC1069 hijacked the npm account of an axios maintainer and published a malicious version of the most depended-upon HTTP library in the JavaScript ecosystem. The package has over 100 million weekly downloads. The compromised version was live for roughly two hours before npm pulled it.
Published April 2, 2026
What happened
UNC1069, a North Korean state-sponsored threat actor previously linked to cryptocurrency theft campaigns, compromised the npm credentials of an axios maintainer through a targeted phishing attack. Using those credentials, they published axios@1.14.1 with a modified build that included a remote access trojan (RAT) in the post-install lifecycle script.
The RAT established a persistent connection to attacker-controlled infrastructure, enabling remote code execution on any machine that installed the compromised version. Given that axios sits in the dependency tree of millions of projects, the blast radius was enormous. CI pipelines, developer laptops, and staging servers were all exposed.
npm detected the compromise within two hours and unpublished the malicious version. But two hours is a long time in a package ecosystem with 100 million weekly downloads. Conservative estimates suggest tens of thousands of installs occurred during the window.
- March 2026, T+0 — Maintainer credentials compromised via phishing
- March 2026, T+30m — axios@1.14.1 published with RAT payload in postinstall script
- March 2026, T+2h — npm detects anomaly, unpublishes 1.14.1
- March 2026, T+3h — GitHub Advisory published (CVE assigned)
Why this attack matters
Previous high-profile npm attacks targeted packages with 2 to 24 million weekly downloads. axios has 100 million. It is a direct dependency of Create React App, Next.js starters, Vue CLI templates, and thousands of enterprise applications. An attack on axios is an attack on the entire JavaScript ecosystem.
The two-hour window may seem short, but npm installs happen constantly across CI systems, developer machines, and automated deployments. Any system that ran npm install during those two hours and resolved axios@1.14.1 was compromised.
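If you need to establish whether a project resolved the compromised version during that window, the lockfile is the record to check, since it captures the exact version every install pinned, including nested copies and aliased installs that `npm ls` output can make easy to overlook. The following is an added example, not part of the original post and not nproxy's code: it scans a package-lock.json for one name@version pair, handling the lockfileVersion 2/3 "packages" map and the legacy v1 "dependencies" tree. The lockfile field names are the real ones; the two sample lockfiles are constructed.

```javascript
// Added example, not nproxy's code: scan a package-lock.json for one specific
// package version, including nested copies and aliased installs.
// Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
// the legacy v1 "dependencies" tree. Sample data below is constructed.

function pathToName(installPath, meta) {
  // v2/v3 entries carry "name" only when it differs from the path (aliases);
  // otherwise the name is whatever follows the final "node_modules/".
  if (meta.name) return meta.name;
  const segs = installPath.split("node_modules/");
  return segs[segs.length - 1];
}

function findInPackagesMap(packages, name, version) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // the root project entry
    if (pathToName(installPath, meta) === name && meta.version === version) {
      hits.push(installPath);
    }
  }
  return hits;
}

function v1NameVersion(depName, meta) {
  // v1 alias entries look like version: "npm:<real-name>@<version>"
  if (typeof meta.version === "string" && meta.version.startsWith("npm:")) {
    const spec = meta.version.slice(4);
    const at = spec.lastIndexOf("@");
    return [spec.slice(0, at), spec.slice(at + 1)];
  }
  return [depName, meta.version];
}

function findInDependencyTree(deps, prefix, name, version, hits) {
  for (const [depName, meta] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${depName}`;
    const [realName, realVersion] = v1NameVersion(depName, meta);
    if (realName === name && realVersion === version) hits.push(installPath);
    findInDependencyTree(meta.dependencies, `${installPath}/`, name, version, hits);
  }
  return hits;
}

// Returns every install path at which name@version appears in the lockfile.
function findVersion(lock, name, version) {
  if (lock.packages) return findInPackagesMap(lock.packages, name, version);
  return findInDependencyTree(lock.dependencies, "", name, version, []);
}

// Constructed sample (v3): a safe direct pin, plus a nested copy and an alias
// that both resolved to the compromised version.
const SAMPLE_LOCK = {
  name: "acme-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "acme-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-sdk": { version: "2.3.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/http-client": { name: "axios", version: "1.14.1" },
  },
};

// Constructed sample (v1): the same nested copy in the legacy tree format.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.14.0" },
    "some-sdk": { version: "2.3.0", dependencies: { axios: { version: "1.14.1" } } },
  },
};

// CLI use: node check-lock.js ./package-lock.json axios 1.14.1
// Exit code 1 on any hit, so it can gate a CI job; without arguments it
// runs against the constructed sample so the file is also importable.
if (typeof require === "function" && require.main === module && process.argv[2]) {
  const fs = require("node:fs");
  const [file, name = "axios", version = "1.14.1"] = process.argv.slice(2);
  const hits = findVersion(JSON.parse(fs.readFileSync(file, "utf8")), name, version);
  for (const h of hits) console.log(`EXPOSED ${name}@${version} at ${h}`);
  process.exitCode = hits.length ? 1 : 0;
} else {
  console.log(findVersion(SAMPLE_LOCK, "axios", "1.14.1"));
}
```

Run it against every lockfile a CI runner or workstation touched during the window, not only the repository root: workspaces and monorepo sub-packages each carry their own resolution. A hit means the version was resolved and the postinstall script would have run on that machine, which moves the host from "check the lockfile" to incident handling.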
Which nproxy rules would have caught it
Four of nproxy's seven security rules are directly relevant to the axios attack pattern; two of them block the version outright and the other two warn before the install proceeds. Together they keep the compromised version from reaching your machines.
The malware rule checks every package version against Socket.dev's malware intelligence feed. The RAT payload in axios@1.14.1 matched known malware signatures, so this rule blocks the package before it reaches your machine.
The publisher_change rule tracks who publishes a package. axios had been published by the same small group of maintainers for years. When UNC1069 published 1.14.1 using the compromised account, the publish identity differed from the historical pattern. nproxy flags this transition at install time.
The install_scripts rule looks for lifecycle hooks. The malicious payload was delivered via a postinstall lifecycle script, and axios does not normally have install scripts. nproxy detects the presence of lifecycle scripts and warns before execution.
The first_seen rule quarantines newly published versions for a configurable window (default: 7 days). axios@1.14.1 would have been blocked during this quarantine period, giving the ecosystem time to vet the release before it reaches your dependency tree.
$ npm install axios
resolving packages via acme.nproxy.app...
BLOCKED axios@1.14.1 — malware: RAT payload detected
WARN axios@1.14.1 — publisher_change: published by compromised account
WARN axios@1.14.1 — install_scripts: postinstall script detected
resolved to axios@1.14.0 (last safe version)
added 1 package in 0.9s
$
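To make the four rules concrete, here is an added example that is not nproxy's implementation: a small registry-layer policy check over an npm packument (the JSON a registry returns for a package), applying the malware, first_seen, publisher_change and install_scripts rules and then resolving to the newest version with no blocking finding, which is the behaviour the install log above shows. The packument field names (`versions`, `time`, `_npmUser`, `scripts`) are the real ones; the packument contents, the malware feed stand-in and the account names are constructed for the demonstration.

```javascript
// Added example, not nproxy's implementation: a registry-layer policy check over
// an npm packument. Field names used (versions, time, _npmUser, scripts) are
// real packument fields; the packument contents and malware feed are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const DAY_MS = 86400000;

// Constructed stand-in for a malware intelligence feed, keyed by name@version.
const MALWARE_FEED = new Set(["axios@1.14.1"]);

// Minimal x.y.z comparison for newest-first ordering (prerelease tags dropped).
function newestFirst(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pb[i] - pa[i];
  return 0;
}

function publisherOf(pkg, version) {
  const user = pkg.versions[version]._npmUser;
  return user ? user.name : undefined;
}

// Evaluates one version against the four rules; returns a list of findings.
function evaluateVersion(pkg, version, now, windowDays) {
  const meta = pkg.versions[version];
  const publishedAt = Date.parse(pkg.time[version]);
  const findings = [];

  if (MALWARE_FEED.has(`${pkg.name}@${version}`)) {
    findings.push({ rule: "malware", action: "block" });
  }

  // first_seen: quarantine anything younger than the window.
  const ageDays = (now - publishedAt) / DAY_MS;
  if (ageDays < windowDays) {
    findings.push({ rule: "first_seen", action: "block", ageDays: Math.floor(ageDays) });
  }

  // publisher_change: baseline is everyone who published an earlier version.
  const prior = new Set(
    Object.keys(pkg.versions)
      .filter((v) => Date.parse(pkg.time[v]) < publishedAt)
      .map((v) => publisherOf(pkg, v))
  );
  const publisher = publisherOf(pkg, version);
  if (prior.size > 0 && !prior.has(publisher)) {
    findings.push({ rule: "publisher_change", action: "warn", publisher });
  }

  // install_scripts: any hook npm would run during install.
  const hooks = LIFECYCLE_HOOKS.filter((h) => meta.scripts && meta.scripts[h]);
  if (hooks.length > 0) {
    findings.push({ rule: "install_scripts", action: "warn", hooks });
  }
  return findings;
}

// Resolves to the newest version with no blocking finding, as the proxy would.
function resolvePackage(pkg, { now = Date.now(), windowDays = 7 } = {}) {
  const versions = Object.keys(pkg.versions).sort(newestFirst);
  const report = {};
  for (const v of versions) report[v] = evaluateVersion(pkg, v, now, windowDays);
  const resolved = versions.find((v) => !report[v].some((f) => f.action === "block")) || null;
  return { resolved, report };
}

// Renders the report in the shape of a proxy's install log.
function formatReport(pkg, { resolved, report }) {
  const lines = [];
  for (const [v, findings] of Object.entries(report)) {
    for (const f of findings) {
      lines.push(`${f.action === "block" ? "BLOCKED" : "WARN"} ${pkg.name}@${v} (${f.rule})`);
    }
  }
  lines.push(resolved ? `resolved to ${pkg.name}@${resolved}` : `no acceptable version of ${pkg.name}`);
  return lines;
}

// Constructed packument: two releases by the long-time maintainer, then a
// release from a different account that adds a postinstall hook.
const PACKUMENT = {
  name: "axios",
  "dist-tags": { latest: "1.14.1" },
  time: {
    "1.13.0": "2025-12-01T00:00:00Z",
    "1.14.0": "2026-02-10T00:00:00Z",
    "1.14.1": "2026-03-31T12:00:00Z",
  },
  versions: {
    "1.13.0": { version: "1.13.0", _npmUser: { name: "maintainer-a" }, scripts: { test: "mocha" } },
    "1.14.0": { version: "1.14.0", _npmUser: { name: "maintainer-a" }, scripts: { test: "mocha" } },
    "1.14.1": { version: "1.14.1", _npmUser: { name: "unknown-account" }, scripts: { test: "mocha", postinstall: "node setup.js" } },
  },
};

const evaluatedAt = Date.parse("2026-04-02T00:00:00Z");
console.log(formatReport(PACKUMENT, resolvePackage(PACKUMENT, { now: evaluatedAt })).join("\n"));
```

Two design points worth noting. The quarantine and malware rules block while the other two only warn, because a new publisher or a lifecycle script is common in legitimate releases and a hard block on either would break too many installs; what makes them valuable here is that they fire together on the same version. Independently of any proxy, npm's `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) stops lifecycle hooks from running at all, which would have prevented the postinstall payload from executing even on a machine that did fetch 1.14.1.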
The lesson
Two hours was all it took. npm's response was fast, but the damage was already done for thousands of teams. Scanners that run in CI catch compromised packages after they have been installed and potentially executed. Tools that require developers to use a special CLI wrapper add friction that gets bypassed.
nproxy evaluates packages at the registry layer, before they reach your machine. There is nothing to install, no wrapper to remember, no CI step to configure. One line in .npmrc and every npm install is protected.
Start protecting your team in 30 seconds
One line in .npmrc. No CLI to install. No developer workflow changes. Your team keeps using their tools as usual — nproxy enforces policy at the registry layer.