Two Weeks of Fake Friendship. One Click. A Global Backdoor.
North Korea built a fake company to trick one developer. For three hours, a tool used by banks, hospitals, and governments carried a hidden spy program.
100 million weekly downloads. One person with the keys.
North Korea found that person.
Axios is a small piece of software that helps websites and apps talk to servers. Think of it as the postal service of the JavaScript world.
Nearly every web application uses it. When you check your bank balance, order food, or file a tax return online, Axios is likely moving data behind the scenes.
On March 31, 2026, North Korean operatives published two poisoned versions of Axios. For three hours, every developer who downloaded it got a hidden backdoor program that gave the attackers full control of their computer. Banks, hospitals, government systems, and software build pipelines. All exposed.
They did not find a secret flaw in the code, guess a password, or try to bypass two-factor authentication. They befriended the one person who could publish updates, built an entire fake company around him, then tricked him into installing what looked like a Microsoft Teams update during a video call.
The "update" was a spy program. Once it was on his machine, they could do anything he could do, including push a poisoned update to every Axios user on the planet.
Two-factor authentication never triggered because there was no new login. They were already inside.
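The practical question for anyone who ran an install in that window is whether their lockfile resolved to one of the poisoned versions. The script below is an added example, not code from this article or from the Axios project: it audits an npm `package-lock.json` (lockfileVersion 3 layout) against the registry's per-version publish timestamps (the `time` map that the npm registry's package metadata carries) and flags every copy of a package, including nested duplicates, that was published inside an incident window or that lacks an integrity hash. The lockfile, the `time` map, the `99.x` version numbers and the exact UTC hours of the window are all constructed placeholders; the article gives the date and the three-hour duration, not the affected version numbers.

```javascript
// Added example, not from the article: audit an npm lockfile for dependency
// versions published inside a known incident window.
// Every value below is CONSTRUCTED. The 99.x versions are placeholders, not
// the real affected Axios versions, and the window hours are an assumption.

const INCIDENT = {
  name: "axios",
  // The article gives 31 March 2026 and a ~3 hour window; exact hours assumed.
  start: Date.parse("2026-03-31T00:00:00Z"),
  end: Date.parse("2026-03-31T03:00:00Z"),
};

// Constructed stand-in for the registry metadata's `time` map
// (version -> ISO publish timestamp).
const registryTime = {
  "99.0.0": "2026-03-20T12:00:00Z",
  "99.0.1": "2026-03-31T01:15:00Z", // constructed: inside the window
  "99.0.2": "2026-03-31T02:40:00Z", // constructed: inside the window
  "99.0.3": "2026-04-01T09:00:00Z",
};

// Constructed package-lock.json (lockfileVersion 3: "packages" keyed by path).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^99.0.0" } },
    "node_modules/axios": {
      version: "99.0.1",
      resolved: "https://registry.example/axios-99.0.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/some-lib": {
      version: "1.2.3",
      resolved: "https://registry.example/some-lib-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    // Nested copy pulled in by some-lib: must be audited too.
    "node_modules/some-lib/node_modules/axios": {
      version: "99.0.0",
      resolved: "https://registry.example/axios-99.0.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
  },
};

// Versions whose publish time falls inside [start, end].
function versionsPublishedIn(timeMap, start, end) {
  return Object.entries(timeMap)
    .filter(([, iso]) => {
      const t = Date.parse(iso);
      return t >= start && t <= end;
    })
    .map(([version]) => version);
}

// Every installed copy of `name`, top-level or nested under another package.
function findLockedInstances(lock, name) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      found.push({ path, version: entry.version, integrity: entry.integrity });
    }
  }
  return found;
}

// Returns the suspect version list and one finding per problematic copy.
function auditLockfile(lock, incident, timeMap) {
  const suspect = new Set(versionsPublishedIn(timeMap, incident.start, incident.end));
  const findings = [];
  for (const inst of findLockedInstances(lock, incident.name)) {
    if (suspect.has(inst.version)) {
      findings.push({ ...inst, reason: "published inside incident window" });
    } else if (!inst.integrity) {
      findings.push({ ...inst, reason: "missing integrity hash" });
    }
  }
  return { suspectVersions: [...suspect], findings };
}

console.log(JSON.stringify(auditLockfile(lockfile, INCIDENT, registryTime), null, 2));
```

Running it with real data means fetching the package's registry metadata and substituting its `time` map for the constructed one; the lockfile walk is what matters, because a clean top-level pin says nothing about a nested copy resolved by a transitive dependency.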
Jason Saayman, the sole maintainer with npm publish rights, wrote in his post-mortem: "Everything was extremely well coordinated, looked legit, and was done in a professional manner."
He is not wrong. That is exactly what makes this attack different.