Security Advisory: Response to Axios npm Supply Chain Incident (March 2026)
Overview
In late March 2026, a significant cybersecurity incident made headlines across the global software industry — one that affected a tool used by virtually every major technology company in the world.
This article explains what happened, why it matters, and what Vyro has done in response. We've written it to be understood without a technical background.
A bit of context: what is npm?
Modern software is rarely built entirely from scratch. Instead, developers rely on shared, reusable building blocks — called packages or libraries — that handle common tasks like sending data between systems, formatting dates, or managing user logins.
npm (Node Package Manager) is the world's largest software registry and the industry standard for sharing these building blocks. It hosts over 2.5 million packages and serves more than 10 billion downloads per week. If you've used almost any app, website, or digital service in the last decade, it was almost certainly built using code distributed through npm.
Think of npm like a giant, trusted hardware store that software developers around the world rely on daily. When a developer needs a specific tool, they simply pull it from npm rather than building it themselves — it's faster, more reliable, and universally accepted practice.
What is Axios?
Axios is one of the most popular packages on npm, downloaded over 100 million times every week. It handles one of the most fundamental tasks in modern software: sending and receiving data between systems over the internet. It's used by startups and Fortune 500 companies alike — it is, by any measure, critical internet infrastructure.
Why this attack is significant
On 31 March 2026, attackers — widely attributed to a North Korean state-sponsored group — targeted Axios directly. State-sponsored cyberattacks of this kind represent the highest tier of threat in the security world: they are well-resourced, highly sophisticated, and deliberately designed to cause maximum impact.
Rather than attacking individual companies one by one, the attackers chose a smarter and far more damaging approach: compromise the supply chain itself. By gaining access to the account of an Axios maintainer (one of the people responsible for publishing updates), they were able to push malicious versions of Axios to npm — meaning any developer who installed or updated Axios during that window could have unknowingly received compromised software.
This type of attack is known as a software supply chain attack, and it is increasingly common. It exploits the trust that the entire industry places in shared tools and registries like npm.
This advisory outlines:
- What happened
- The potential impact
- The actions we have taken at Vyro
What Happened
Attackers — widely attributed to a North Korean state-sponsored group — gained access to the npm account of an Axios maintainer and published two malicious package versions:
axios@1.14.1axios@0.30.4
How the attack worked
- The malicious versions did not alter Axios source code directly
- Instead, they injected a hidden dependency:
plain-crypto-js@4.2.1 - This dependency executed a post-install script, which:
- Downloaded a remote access trojan (RAT)
- Connected to attacker-controlled infrastructure
- Deployed platform-specific payloads (macOS, Windows, Linux)
- Attempted to exfiltrate credentials and sensitive data
- Removed traces of itself to evade detection
Exposure window
The compromised packages were available on npm for approximately 2–3 hours before removal.
Despite the short window, the scale of Axios usage means the potential blast radius was significant, with downstream impact across thousands of projects.
Potential Impact
Systems may have been at risk only if they installed or updated Axios during the exposure window.
If affected, the malicious payload could have:
- Provided attackers with remote system access
- Allowed credential theft (API keys, tokens, secrets)
- Enabled persistence within development or CI/CD environments
Security guidance from multiple vendors recommends treating affected systems as potentially fully compromised and rotating all secrets.
Vyro's Assessment
We conducted an immediate and comprehensive review across our systems.
Findings
- We use Axios extensively across our platform
- We performed:
- Full dependency audits
- Lockfile verification across all services
- CI/CD pipeline inspection
- No affected versions (
1.14.1or0.30.4) were identified anywhere in our codebase or build pipelines
Conclusion: We have no evidence of exposure or compromise related to this incident.
Precautionary Actions Taken
Although no impact was detected, we implemented a number of proactive security measures aligned with industry best practice.
1. Credential & Secret Rotation
We rotated all high-sensitivity credentials, including:
- API keys
- Cloud access credentials
- Internal service tokens
- CI/CD secrets
This ensures protection against any theoretical or indirect exposure.
2. Dependency & Supply Chain Hardening
- Verified all package versions across environments
- Locked dependencies to known-safe versions
- Reviewed automated update processes
3. Build & Pipeline Review
- Audited recent CI/CD runs for anomalies
- Confirmed no execution of compromised packages
- Reinforced monitoring for dependency changes
4. Additional Safeguards
- Increased monitoring of package installations and build-time script execution
- Reviewed controls around third-party dependencies and package integrity verification
Our Position on Supply Chain Security
This incident reinforces a broader industry reality:
Modern applications depend heavily on open-source ecosystems, making software supply chains a primary attack surface.
At Vyro, we treat this as a core security priority. Our approach includes:
- Continuous dependency monitoring
- Strict version control and review processes
- Defence-in-depth across build and runtime environments
- Rapid response protocols for emerging threats
Ongoing Monitoring
We continue to:
- Monitor threat intelligence related to this incident
- Track any downstream disclosures or indicators of compromise
- Review and improve our internal security posture
Summary
| Item | Status |
|---|---|
| Affected versions in codebase | None identified |
| Evidence of compromise | None |
| Secrets rotated | Yes |
| Dependencies audited & locked | Yes |
| CI/CD pipelines reviewed | Yes |
| Ongoing monitoring | Active |
A highly sophisticated, state-linked attack briefly compromised Axios via npm. The malicious versions were live for a limited window (~3 hours). Vyro has no exposure to affected versions. As a precaution, we have rotated critical secrets and strengthened controls.
We will continue to prioritise the security and integrity of our platform and respond proactively to emerging threats.
