
Axios Targeted by North Korea: 45M Weekly Downloads in the Crosshairs

Google Threat Intelligence Group reported a North Korea-nexus threat actor compromising the Axios npm package — the HTTP client library embedded in virtually every React, Next.js, Vue, and Angular application. When the most common way web apps talk to the internet is compromised, the blast radius is the web itself.


The HTTP Layer Is the Attack Surface

Axios is how the modern web talks to itself. It is the HTTP client library that React applications use to fetch data, that Next.js server components use to call APIs, that Vue dashboards use to load content, that Angular enterprise platforms use to communicate with backends. With over 45 million weekly downloads on npm, Axios sits in more dependency trees than any security team can enumerate. On March 31, 2026, Google Threat Intelligence Group (GTIG) — in analysis authored by Austin Larsen, Dima Lenz, and others — reported that a North Korea-nexus threat actor had compromised this package in a supply chain attack.

This is not a vulnerability in Axios. This is a deliberate compromise by a nation-state actor targeting the package itself. The distinction matters. A vulnerability can be patched. A supply chain compromise means the trusted distribution channel delivered malicious code to every application that ran npm install during the window of exposure.
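The first thing a defender needs after a report like this is an inventory of the exposure: which copies of Axios are actually in the tree, which packages pulled them in, and whether the lockfile pins them to a registry tarball with an integrity hash. The script below is an added example written for this article, not code from the Axios project or from GTIG. It walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3). The lockfile it reads is constructed sample data, and the allow-listed version set is a placeholder, since this page does not name the affected versions; substitute the versions your organisation has verified.

```javascript
// Added example (not from the article or the Axios project): enumerate every
// copy of axios in a package-lock.json and flag entries that deserve attention
// during a supply chain incident. Sample lockfile and allow-list are constructed.

// Placeholder: the versions you have verified as safe. Not from the article.
const ALLOWED_VERSIONS = new Set(["1.6.8"]);
const TRUSTED_REGISTRY = "registry.npmjs.org";

// Constructed sample lockfile: one hoisted axios, one nested copy pulled in by
// a dependency, and one copy resolved from a non-registry source with no hash.
const SAMPLE_LOCK = {
  name: "webapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "webapp", dependencies: { axios: "^1.6.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.6.8",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
      integrity: "sha512-PLACEHOLDER-hoisted",
    },
    "node_modules/some-sdk": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/some-sdk/-/some-sdk-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER-sdk",
      dependencies: { axios: "0.27.2" },
    },
    "node_modules/some-sdk/node_modules/axios": {
      version: "0.27.2",
      resolved: "https://registry.npmjs.org/axios/-/axios-0.27.2.tgz",
      integrity: "sha512-PLACEHOLDER-nested",
    },
    "node_modules/legacy-tool": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/legacy-tool/-/legacy-tool-0.1.0.tgz",
      integrity: "sha512-PLACEHOLDER-legacy",
      dependencies: { axios: "git+https://example.invalid/axios.git" },
    },
    "node_modules/legacy-tool/node_modules/axios": {
      version: "1.7.0",
      resolved: "git+https://example.invalid/axios.git#abc",
    },
  },
};

// Name of the package that owns a node_modules path ("" is the root project).
function ownerName(path) {
  return path === "" ? "(root project)" : path.split("node_modules/").pop();
}

// Every axios entry in the tree, with why it should be looked at.
function auditAxios(lock, allowed = ALLOWED_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const hoisted = path === "node_modules/axios";
    if (!hoisted && !path.endsWith("/node_modules/axios")) continue;

    const viaPath = hoisted ? "" : path.slice(0, -"/node_modules/axios".length);
    const depth = path.split("node_modules/").length - 1; // 1 = hoisted, 2+ = nested
    const reasons = [];

    if (!allowed.has(entry.version)) reasons.push("version not in pinned allow-list");
    if (!entry.integrity) reasons.push("no integrity hash in lockfile");
    let host = null;
    try { host = new URL(entry.resolved || "").hostname; } catch { host = null; }
    if (host !== TRUSTED_REGISTRY) {
      reasons.push(`resolved from ${host || "unparseable source"}, not ${TRUSTED_REGISTRY}`);
    }

    findings.push({ path, version: entry.version, via: ownerName(viaPath), depth,
                    ok: reasons.length === 0, reasons });
  }
  return findings;
}

// Packages that declare axios as a direct dependency (the "130,000+" figure
// from the article, seen from inside one project).
function dependentsOf(lock) {
  return Object.entries(lock.packages || {})
    .filter(([, entry]) => entry.dependencies && entry.dependencies.axios)
    .map(([path]) => ownerName(path));
}

for (const f of auditAxios(SAMPLE_LOCK)) {
  console.log(`${f.ok ? "OK  " : "WARN"} ${f.path} v${f.version} via ${f.via} (depth ${f.depth})`
              + (f.reasons.length ? `: ${f.reasons.join("; ")}` : ""));
}
console.log("declared dependents:", dependentsOf(SAMPLE_LOCK).join(", "));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`. Nested copies matter as much as the hoisted one: a transitive dependency can hold Axios at a version your own manifest never pinned, and only a lockfile entry with a registry `resolved` URL and an `integrity` hash gives you something to compare against a known-good tarball.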

45,000,000+: Axios weekly npm downloads (source: npm registry, 2026)
North Korea-nexus actor: GTIG attribution (source: Google Threat Intelligence Group, March 31, 2026)

Why Axios Is a Singular Target

Most npm supply chain attacks target packages with thousands or low millions of weekly downloads — event-stream (1.5M at time of compromise), ua-parser-js (7M), coa and rc (23M combined). Axios at 45 million weekly downloads represents a different category entirely. It is not a utility. It is infrastructure. Every HTTP request that a JavaScript application makes through Axios passes through this single dependency — authentication tokens, API keys, session cookies, user data, payment information.

According to GTIG's reporting, the threat actor is DPRK-affiliated. This follows a documented pattern. North Korean state-sponsored groups have repeatedly targeted the npm and PyPI ecosystems as a vector for cryptocurrency theft and credential harvesting. The Mastra AI framework compromise (141 packages, June 2026), the event-stream backdoor (2018), the ua-parser-js hijack (2021) — each escalation targets a higher-value, more deeply embedded dependency. Axios is the logical apex of that escalation.

130,000+: npm packages depending on Axios (source: npm dependency graph, 2026)

The Blast Radius Encompasses Every Modern Framework

WebPulse tracks 22 web frameworks across security, AI readiness, and ecosystem health. Axios appears in the dependency trees of applications built on nearly all of them. React projects use Axios for API calls. Next.js applications use it in server-side data fetching. Vue and Nuxt applications use it as the default HTTP layer. Angular projects that do not use the built-in HttpClient frequently use Axios as an alternative. Even backend frameworks — Express, Fastify, NestJS — use Axios for outbound HTTP requests to third-party services.

A supply chain compromise of an HTTP client library is qualitatively different from a compromise of a build tool or a testing utility. Axios handles the most sensitive data flows in any application. Every outbound API call, every authentication handshake, every data submission passes through it. A malicious version could exfiltrate credentials without modifying any application code, simply by intercepting the HTTP requests it was already trusted to make.
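The mitigation that survives a compromised HTTP client is one that does not run inside the same process as the client: an egress proxy or service mesh that decides, per request, whether the destination is on the allow-list and whether credential-bearing headers may be forwarded to it. The function below is an added example for this article (not Axios code and not a GTIG recommendation) that models that policy decision so you can see what such a control catches. The allow-listed hostnames, the credential header set and the sample requests are all constructed placeholders.

```javascript
// Added example (not from the article or the Axios project): the egress policy
// check a forward proxy or mesh sidecar applies to outbound HTTP requests.
// Allow-list, header set and sample requests are constructed placeholders.

// Placeholder allow-list. "*." entries match any subdomain, not the bare name.
const EGRESS_ALLOW = ["api.example.com", "*.payments.example.com"];

// Headers that must never leave for a host outside the allow-list.
const CREDENTIAL_HEADERS = ["authorization", "cookie", "x-api-key"];

function hostMatches(host, pattern) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.payments.example.com" -> ".payments.example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === pattern; // exact match only; "api.example.com.evil" must not pass
}

// Decide whether a request may leave. Returns the decision, a reason suitable
// for an alert, and which credential headers a blocked request was carrying.
function evaluateEgress(req, allow = EGRESS_ALLOW) {
  let url;
  try { url = new URL(req.url); } catch { return { allow: false, reason: "unparseable URL", credentialHeaders: [] }; }

  if (url.protocol !== "https:") {
    return { allow: false, reason: `non-HTTPS scheme ${url.protocol}`, credentialHeaders: [] };
  }
  if (url.username || url.password) {
    return { allow: false, reason: "credentials embedded in URL userinfo", credentialHeaders: [] };
  }

  const host = url.hostname.toLowerCase();
  const allowed = allow.some((p) => hostMatches(host, p.toLowerCase()));
  const carried = Object.keys(req.headers || {})
    .map((h) => h.toLowerCase())
    .filter((h) => CREDENTIAL_HEADERS.includes(h));

  if (!allowed) {
    // This is the alert-worthy case: a trusted client sending credentials somewhere new.
    return { allow: false, reason: `host ${host} not in egress allow-list`, credentialHeaders: carried };
  }
  return { allow: true, reason: "ok", credentialHeaders: [] };
}

// Constructed sample traffic as a proxy would see it.
const SAMPLE_REQUESTS = [
  { url: "https://api.example.com/v1/orders", headers: { Authorization: "Bearer placeholder" } },
  { url: "https://gateway.payments.example.com/charge", headers: { "X-Api-Key": "placeholder" } },
  { url: "https://collector.unknown-host.invalid/ingest",
    headers: { Authorization: "Bearer placeholder", "Content-Type": "application/json" } },
  { url: "https://api.example.com.unknown-host.invalid/", headers: {} },
  { url: "http://api.example.com/", headers: {} },
  { url: "https://user:pw@api.example.com/", headers: {} },
];

function runSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ url: r.url, ...evaluateEgress(r) }));
}

for (const d of runSamples()) {
  console.log(`${d.allow ? "ALLOW" : "BLOCK"} ${d.url} (${d.reason})`
              + (d.credentialHeaders.length ? ` carrying ${d.credentialHeaders.join(", ")}` : ""));
}
```

The point of the design is the enforcement location. An interceptor or wrapper added inside the application cannot be trusted against a library that already runs with the application's privileges, so the decision belongs in a proxy, a mesh sidecar or a network policy that the process cannot reach around. Wired into that layer, a blocked request to a host outside the allow-list that carries `Authorization` or `Cookie` is the single most useful detection signal for the scenario the article describes: the HTTP client doing what it was trusted to do, to a destination nobody trusted.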

5+ documented: prior DPRK npm supply chain campaigns (source: Microsoft, Phylum, Checkmarx, Socket.dev, 2018-2026)

DPRK Supply Chain Targeting Is Accelerating

GTIG's report on Axios is part of a broader pattern that WebPulse has tracked across multiple editorial cycles. In 2018, the event-stream compromise targeted a package with 1.5 million weekly downloads. In 2021, ua-parser-js was hijacked at 7 million weekly downloads. In June 2026, Sapphire Sleet compromised 141 packages in the Mastra AI agent framework scope. Now, according to GTIG, the target is Axios at 45 million weekly downloads. The trend is clear: each successive campaign targets a more widely used, more deeply embedded dependency.

The strategic logic is straightforward. North Korean state-sponsored groups generate revenue through cryptocurrency theft. The npm ecosystem is where cryptocurrency developers build. Compromising the HTTP client that every crypto exchange frontend, every DeFi application, and every wallet interface depends on provides access to exactly the credential flows that fund state operations. This is not cybercrime. It is economic warfare conducted through the software supply chain.

What This Means for Framework Decisions

For CTOs and engineering leaders evaluating their technology stack: the Axios compromise reported by GTIG demonstrates that framework security cannot be evaluated in isolation. A framework's own codebase may be impeccable. Its vulnerability count may be zero. But if its ecosystem depends on a single HTTP client library that is actively targeted by nation-state actors, the framework's security posture is defined by that dependency, not by its own code.

WebPulse's supply chain intelligence now tracks nation-state targeting as a risk dimension alongside CVE counts, maintainer health, and dependency depth. The question is no longer whether a framework has vulnerabilities. It is whether the framework's dependency ecosystem is on a nation-state target list. After the GTIG report on Axios, every JavaScript framework's ecosystem is on that list.
