It’s been nearly a week since suspected North Korean hackers briefly compromised axios, one of the most popular JavaScript HTTP client libraries in the world. Now more details are emerging about how the hack was carried out and why it matters to Windows, macOS and Linux users.
The original hack occurred when bad actors were able to compromise the account of axios maintainer Jason Saayman. This allowed two malicious axios versions to be published on npm (a massive registry of packages available for download) on March 30, 2026.
“This was not opportunistic. It was precise.”
Ashish Kurmi (StepSecurity)
Although the malicious versions were removed relatively quickly, axios typically sees more than 100 million downloads each week, which makes it difficult to determine exactly how many users downloaded the remote access trojan (RAT).
Saayman explains the full axios supply chain compromise in a post-mortem blog post published on GitHub, including some steps you can take to ensure your machine (whether it’s Windows, macOS, or Linux) isn’t compromised. If you use axios, I strongly recommend reading them, as the RAT can steal sensitive credentials from your system.
How do Microsoft Teams and Slack fit into the timeline of the axios hack?
Speaking to TechCrunch, Google shed light on the North Korea angle, attributing the attack to UNC1069, a “financially motivated threat actor” that has engaged in such tricks “since at least 2018.”
“North Korean hackers have deep expertise in supply chain attacks, which they have historically used to steal cryptocurrency. The full scope of this event is still uncertain, but given the popularity of the compromised package, we expect it to have far-reaching implications.”
John Hultquist, Principal Analyst, Google Threat Intelligence Group (via TechCrunch)
This is where the story gets striking. According to Saayman, the timeline of the attack began about two weeks before March 31, when “a social engineering campaign [was launched] against the lead maintainer”.
Saayman gives more details in the comments section of the post-mortem. He explains that after cloning the likeness of a real founder and their company, the bad actors “disguised themselves as the founder of the company.”
Saayman was then invited to a Slack workspace complete with the company’s branding, shared mock LinkedIn posts and fake team profiles. After a meeting with Saayman was scheduled on Microsoft Teams, a fake “missing update” prompt required a small installation.
This, of course, was how the RAT got onto the maintainer’s computer. Teams itself was not compromised; it was simply spoofed and used as a vehicle to deliver the trojan.
As Saayman noted, “Everything was extremely well coordinated, looked legitimate, and was professionally done.” It’s a tough situation, and you have to feel for anyone who has been duped by such an elaborate trick.
Axios is now investigating the breach and ways to prevent it from happening again.