Help CenterSecuritySecurity Advisory: Response to Axios npm Supply Chain Incident (March 2026)
Back to Security

Security Advisory: Response to Axios npm Supply Chain Incident (March 2026)

Last updated April 20, 2026

Overview

In late March 2026, a significant cybersecurity incident made headlines across the global software industry — one that affected a tool used by virtually every major technology company in the world.

This article explains what happened, why it matters, and what Vyro has done in response. We've written it to be understood without a technical background.


A bit of context: what is npm?

Modern software is rarely built entirely from scratch. Instead, developers rely on shared, reusable building blocks — called packages or libraries — that handle common tasks like sending data between systems, formatting dates, or managing user logins.

npm (Node Package Manager) is the world's largest software registry and the industry standard for sharing these building blocks. It hosts over 2.5 million packages and serves more than 10 billion downloads per week. If you've used almost any app, website, or digital service in the last decade, it was almost certainly built using code distributed through npm.

Think of npm like a giant, trusted hardware store that software developers around the world rely on daily. When a developer needs a specific tool, they simply pull it from npm rather than building it themselves — it's faster, more reliable, and universally accepted practice.


What is Axios?

Axios is one of the most popular packages on npm, downloaded over 100 million times every week. It handles one of the most fundamental tasks in modern software: sending and receiving data between systems over the internet. It's used by startups and Fortune 500 companies alike — it is, by any measure, critical internet infrastructure.


Why this attack is significant

On 31 March 2026, attackers — widely attributed to a North Korean state-sponsored group — targeted Axios directly. State-sponsored cyberattacks of this kind represent the highest tier of threat in the security world: they are well-resourced, highly sophisticated, and deliberately designed to cause maximum impact.

Rather than attacking individual companies one by one, the attackers chose a smarter and far more damaging approach: compromise the supply chain itself. By gaining access to the account of an Axios maintainer (one of the people responsible for publishing updates), they were able to push malicious versions of Axios to npm — meaning any developer who installed or updated Axios during that window could have unknowingly received compromised software.

This type of attack is known as a software supply chain attack, and it is increasingly common. It exploits the trust that the entire industry places in shared tools and registries like npm.

This advisory outlines:

  • What happened
  • The potential impact
  • The actions we have taken at Vyro

What Happened

Attackers — widely attributed to a North Korean state-sponsored group — gained access to the npm account of an Axios maintainer and published two malicious package versions:

  • axios@1.14.1
  • axios@0.30.4

How the attack worked

  • The malicious versions did not alter Axios source code directly
  • Instead, they injected a hidden dependency: plain-crypto-js@4.2.1
  • This dependency executed a post-install script, which:
    • Downloaded a remote access trojan (RAT)
    • Connected to attacker-controlled infrastructure
    • Deployed platform-specific payloads (macOS, Windows, Linux)
    • Attempted to exfiltrate credentials and sensitive data
    • Removed traces of itself to evade detection

Exposure window

The compromised packages were available on npm for approximately 2–3 hours before removal.

Despite the short window, the scale of Axios usage means the potential blast radius was significant, with downstream impact across thousands of projects.


Potential Impact

Systems may have been at risk only if they installed or updated Axios during the exposure window.

If affected, the malicious payload could have:

  • Provided attackers with remote system access
  • Allowed credential theft (API keys, tokens, secrets)
  • Enabled persistence within development or CI/CD environments

Security guidance from multiple vendors recommends treating affected systems as potentially fully compromised and rotating all secrets.


Vyro's Assessment

We conducted an immediate and comprehensive review across our systems.

Findings

  • We use Axios extensively across our platform
  • We performed:
    • Full dependency audits
    • Lockfile verification across all services
    • CI/CD pipeline inspection
  • No affected versions (1.14.1 or 0.30.4) were identified anywhere in our codebase or build pipelines

Conclusion: We have no evidence of exposure or compromise related to this incident.


Precautionary Actions Taken

Although no impact was detected, we implemented a number of proactive security measures aligned with industry best practice.

1. Credential & Secret Rotation

We rotated all high-sensitivity credentials, including:

  • API keys
  • Cloud access credentials
  • Internal service tokens
  • CI/CD secrets

This ensures protection against any theoretical or indirect exposure.

2. Dependency & Supply Chain Hardening

  • Verified all package versions across environments
  • Locked dependencies to known-safe versions
  • Reviewed automated update processes

3. Build & Pipeline Review

  • Audited recent CI/CD runs for anomalies
  • Confirmed no execution of compromised packages
  • Reinforced monitoring for dependency changes

4. Additional Safeguards

  • Increased monitoring of package installations and build-time script execution
  • Reviewed controls around third-party dependencies and package integrity verification

Our Position on Supply Chain Security

This incident reinforces a broader industry reality:

Modern applications depend heavily on open-source ecosystems, making software supply chains a primary attack surface.

At Vyro, we treat this as a core security priority. Our approach includes:

  • Continuous dependency monitoring
  • Strict version control and review processes
  • Defence-in-depth across build and runtime environments
  • Rapid response protocols for emerging threats

Ongoing Monitoring

We continue to:

  • Monitor threat intelligence related to this incident
  • Track any downstream disclosures or indicators of compromise
  • Review and improve our internal security posture

Summary

Item Status
Affected versions in codebase None identified
Evidence of compromise None
Secrets rotated Yes
Dependencies audited & locked Yes
CI/CD pipelines reviewed Yes
Ongoing monitoring Active

A highly sophisticated, state-linked attack briefly compromised Axios via npm. The malicious versions were live for a limited window (~3 hours). Vyro has no exposure to affected versions. As a precaution, we have rotated critical secrets and strengthened controls.

We will continue to prioritise the security and integrity of our platform and respond proactively to emerging threats.

Was this article helpful?