
Axios npm Package Backdoored by North Korean Threat Actor (UNC1069)

Scope: JavaScript/Node.js developers, CI/CD pipelines using Axios

Severity: Red

The npm account of the primary Axios maintainer was compromised, and the attackers published two backdoored versions (1.14.1 and 0.30.4). Each carried a malicious dependency that, on installation, deployed a cross-platform remote access trojan (RAT) targeting Windows, macOS, and Linux. Google's Threat Intelligence Group attributed the attack to the North Korean actor UNC1069, known for targeting centralized exchanges and software developers. During the roughly three-hour exposure window, the malicious versions were downloaded by approximately 3% of the Axios userbase, a significant figure given that the package sees over 100 million weekly downloads. Because the payload runs at install time, exposure is determined by which versions were actually resolved and installed: check package-lock.json (or the equivalent lockfile) and installed node_modules trees, including nested copies, for the two affected versions before assuming a build is clean. Developers who installed the affected versions should treat those systems as fully compromised, rebuild from a known-good state, and rotate all credentials, including npm tokens, AWS keys, SSH keys, and CI/CD secrets.
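The following Node.js script is an added example for this advisory; it is not code from CERT.UG/CC, from the Axios project, or from npm. It scans a package-lock.json for entries that resolve to the two version numbers named above (1.14.1 and 0.30.4) and handles both the nested lockfile v1 layout and the flat v2/v3 "packages" map, so a vulnerable copy pulled in as a transitive dependency is still reported. The embedded sample lockfile is constructed for demonstration and is used only when no real lockfile is given on the command line.

```javascript
// Added example for the CERT.UG/CC Axios advisory; illustrative code, not
// code from the advisory, from Axios, or from npm. It flags lockfile
// entries that resolve to the backdoored releases the advisory names.
'use strict';

// Package/version pairs the advisory lists as backdoored.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
};

// Constructed sample lockfile (lockfileVersion 3) used when no real
// package-lock.json is supplied. It deliberately contains one affected
// copy of axios at the top level and one clean nested copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '^1.14.0', foo: '^2.0.0' } },
    'node_modules/axios': { version: '1.14.1', resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz' },
    'node_modules/foo': { version: '2.0.0' },
    'node_modules/foo/node_modules/axios': { version: '1.13.0' },
  },
};

// Package name from a lockfile v2/v3 install path, e.g.
// "node_modules/foo/node_modules/@scope/pkg" -> "@scope/pkg".
function nameFromPath(installPath) {
  const parts = installPath.split('node_modules/');
  return parts[parts.length - 1];
}

function isCompromised(name, version) {
  const bad = COMPROMISED[name];
  return Boolean(bad && bad.has(version));
}

// Returns every lockfile entry whose (name, version) is on the compromised
// list. Supports lockfileVersion 1 (nested "dependencies" tree) and
// lockfileVersion 2/3 (flat "packages" map). v2 files carry both shapes;
// only "packages" is read in that case, to avoid double-reporting.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      // Skip the root project entry and workspace links, which have no version.
      if (installPath === '' || !meta || !meta.version) continue;
      const name = nameFromPath(installPath);
      if (isCompromised(name, meta.version)) {
        hits.push({ path: installPath, name, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (meta && isCompromised(name, meta.version)) {
        hits.push({ path: installPath, name, version: meta.version });
      }
      if (meta && meta.dependencies) walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Renders a short report; an empty hit list means nothing matched.
function formatReport(hits) {
  if (hits.length === 0) return 'No compromised Axios versions found in lockfile.';
  return hits.map((h) => `COMPROMISED: ${h.name}@${h.version} at ${h.path}`).join('\n');
}

// CLI entry: `node check-axios-lock.js [path/to/package-lock.json]`.
// With a real lockfile the exit code is 1 when anything matched; without
// one, the constructed sample is scanned purely as a demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2] || 'package-lock.json';
  if (fs.existsSync(file)) {
    const hits = findCompromised(JSON.parse(fs.readFileSync(file, 'utf8')));
    console.log(formatReport(hits));
    process.exitCode = hits.length > 0 ? 1 : 0;
  } else {
    console.log('(no lockfile found, scanning constructed sample)');
    console.log(formatReport(findCompromised(SAMPLE_LOCK)));
  }
}
```

Run it from the project root, or pass the lockfile path explicitly, in the CI job that decides whether a build may proceed. It complements rather than replaces `npm ls axios`, which reports what is currently on disk; the lockfile check also catches a version that was installed in an earlier pipeline run and has since been removed, and either result turning up one of the two versions should trigger the rebuild-and-rotate steps described above.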

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.