The Axios Operation
In March 2026, Google attributed the compromise of Axios, one of the most widely used npm packages in the JavaScript ecosystem, to UNC1069, a North Korean threat group. The intrusion did not rely on a zero-day exploit or on brute-forcing credentials. It was social engineering.
The attacker impersonated the company's founder, set up a fake Slack workspace and staged a fake Teams meeting. Through that manufactured trust they obtained publish access to the npm package, and Axios versions 1.14.1 and 0.30.4 were released carrying a cross-platform backdoor targeting Windows, macOS and Linux.
Axios is downloaded over 40 million times per week and sits in the dependency tree of a large share of production JavaScript applications. This was not a fringe package. It was a mainline supply chain target selected by a nation-state intelligence operation.
The Escalation Pattern
The Axios compromise was not an isolated incident. It was the highest-profile example of a pattern that intensified throughout H1 2026. Supply chain attacks moved from obscure, low-download packages to mainstream infrastructure: Bitwarden CLI (password manager tooling), TanStack (state management used by major companies), Red Hat cloud service packages, SAP enterprise packages, Nx Console (2.2 million VS Code installations).
The target selection shows strategic intent. These are not opportunistic attacks on abandoned packages. They are deliberate operations against the most widely-deployed developer infrastructure in the JavaScript ecosystem.
The WebPulse Inversion
WebPulse's adoption data surfaces an inversion here. The countries with the highest WordPress adoption, Japan at 87%, Latin America at 86% and Southeast Asia at 85% or more, are paradoxically less exposed to npm supply chain attacks, because their web infrastructure does not depend on npm. It depends on the WordPress plugin ecosystem, which has severe problems of its own, but not this particular class of nation-state supply chain compromise.
The markets most exposed to npm supply chain attacks are the ones WebPulse would otherwise call 'modern' — the US tech sector, UK digital agencies, Nordic companies, Australian tech firms. The markets that migrated fastest to JavaScript frameworks migrated fastest into the npm attack surface.
This does not mean WordPress is safer. WordPress has 18,005 CVEs and its own nation-state exposure through plugin vulnerabilities. But the threat models are different, and the conventional wisdom that 'modern frameworks are more secure' requires significant qualification when nation-states are operating inside the npm registry.
Beyond npm Audit
npm audit compares the packages in your lockfile against a database of published advisories. It cannot flag a version for which no advisory exists yet. A package whose maintainer was socially engineered into granting publish access to a North Korean intelligence operative, or a trojanized release that was the legitimate 'latest' for days or weeks before discovery, passes clean until someone writes the advisory.
Organizations running JavaScript frameworks need supply chain security that goes beyond automated scanning: pinned lockfiles with integrity hashes, package provenance verification, build reproducibility checks, dependency behavior monitoring, and, critically, the working assumption that any package in the dependency tree could be compromised at any time.
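One control aimed squarely at the window described above, a trojanized release serving as the legitimate 'latest' for days before anyone notices, is a minimum release age: refuse to install any resolved version published less than N days ago, and refuse any lockfile entry that carries no integrity hash. The script below is an added example, not code from the Axios project or from WebPulse. It uses the real shapes of a lockfileVersion 3 package-lock.json and of the registry's packument (`time` and `dist-tags` maps), but the package `some-helper`, every timestamp and the integrity placeholder are constructed for the example.

```javascript
// Added example (not code from the Axios project or from this article): a
// "minimum release age" gate over package-lock.json. It flags dependencies whose
// resolved version was published less than N days ago and entries that carry no
// integrity hash. The helper package name, all timestamps and the integrity
// placeholder below are constructed.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed excerpt in the shape of a lockfileVersion 3 package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER", // placeholder, not a real hash
    },
    "node_modules/some-helper": { // hypothetical package
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/some-helper/-/some-helper-2.0.0.tgz",
      // no integrity field: a tampered or hand-edited lockfile entry
    },
  },
};

// Constructed packuments. The registry's GET /<package> response carries a
// `time` map of version -> publish timestamp; these dates are invented.
const SAMPLE_PACKUMENTS = {
  axios: {
    "dist-tags": { latest: "1.14.1" },
    time: {
      "1.14.0": "2026-02-01T00:00:00.000Z",
      "1.14.1": "2026-03-30T12:00:00.000Z",
    },
  },
  "some-helper": {
    "dist-tags": { latest: "2.0.0" },
    time: { "2.0.0": "2025-06-01T00:00:00.000Z" },
  },
};

// Age in days of `version` at instant `now`, or null if the registry metadata
// has no publish time for it (a version the registry never saw is itself a finding).
function releaseAgeDays(packument, version, now) {
  const published = packument && packument.time ? packument.time[version] : undefined;
  if (!published) return null;
  return (now.getTime() - Date.parse(published)) / MS_PER_DAY;
}

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk every dependency in the lockfile and return the list of findings.
function auditLockfile(lock, packuments, { now, minAgeDays }) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, reason: "missing-integrity" });
    }
    const age = releaseAgeDays(packuments[name], entry.version, now);
    if (age === null) {
      findings.push({ name, version: entry.version, reason: "unknown-version" });
    } else if (age < minAgeDays) {
      findings.push({ name, version: entry.version, reason: "too-new", ageDays: Math.floor(age) });
    }
  }
  return findings;
}

// Usage: a 7-day gate evaluated at a fixed (constructed) instant so the run is deterministic.
const REPORT = auditLockfile(SAMPLE_LOCK, SAMPLE_PACKUMENTS, {
  now: new Date("2026-04-02T00:00:00.000Z"),
  minAgeDays: 7,
});
for (const f of REPORT) console.log(`${f.reason}: ${f.name}@${f.version}`);
```

In CI you would feed it the real package-lock.json and packuments fetched from the registry (GET https://registry.npmjs.org/<name>) and fail the build on any finding. It complements rather than replaces `npm audit signatures`, which verifies registry signatures and provenance attestations, and `npm ci --ignore-scripts`, which keeps install-time scripts from executing during the build. The gate only buys time: if nobody notices the trojan inside the window, the version ages past the threshold and installs, so the window has to be paired with someone actually watching for new releases of critical dependencies.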
When your adversary is a nation-state intelligence agency with the resources to clone identities and run months-long social engineering campaigns, your dependency management process is a security boundary. Treat it like one.