The Axios npm Compromise: Why Trusted Dependencies Still Need Evidence
· 5 min read
On 31 March 2026, Google Threat Intelligence reported a software supply-chain attack against the widely used axios npm package. The attacker introduced a malicious dependency, plain-crypto-js, into axios npm releases 1.14.1 and 0.30.4.
The malicious dependency used a postinstall hook to deploy the cross-platform WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. Google attributed the activity to a North Korea-nexus actor tracked as UNC1069.
