Popular NPM Package Secretly Hijacked In Major Cyber Attack

By 813 Staff

The decision came late on April 2nd, when a senior engineer at a major fintech firm, reviewing a failed deployment log, chose to dig deeper into an anomaly in a core dependency. That scrutiny triggered a cascade of alerts across the industry, confirming what security researchers had begun to fear: the widely-used Axios npm library had been compromised in a sophisticated software supply chain attack. According to a report by The Hacker News (@TheHackersNews), the intrusion has been attributed to a threat actor tracked as UNC1069, known for its precision and patience in targeting foundational open-source tools. Internal documents from several affected companies show the malicious code was injected into version 1.7.4 of the Axios HTTP client, a package with over 40 million weekly downloads, making it one of the most significant Node.js ecosystem breaches in recent memory.

Engineers close to the project say the attack was not a blunt-force takeover of the repository but a targeted social engineering operation. The maintainer’s account was compromised, likely through a stolen credential or a sophisticated phishing campaign, granting the actor direct publish access. The tainted update contained obfuscated code designed to exfiltrate environment variables—including API keys, database credentials, and internal configuration secrets—to a remote command-and-control server. The rollout of the patched version, 1.7.5, has been anything but smooth, as development teams worldwide scramble to audit their lockfiles and CI/CD pipelines. The incident exposes the continued fragility of the open-source software supply chain, where a single point of failure in a maintainer’s account can ripple out to compromise thousands of applications and services.

The immediate impact is a massive credential rotation and security audit for any organization that pulled the compromised version during its brief window of availability. For CTOs and security leads, this is a stark reminder that dependency management is a critical attack surface. The question is no longer if a widely-used package will be compromised, but when. The incident will inevitably fuel renewed investment in software bill of materials (SBOM) tools and stricter supply chain security protocols, but the human element—maintainer security—remains a daunting challenge.
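A defender-side check for the lockfile audit described above, written for this page as an added example (not code from the article or from the Axios project): it scans a parsed package-lock.json for pins of the version named in the report, including transitive installs that a glance at the top-level dependency alone would miss. The sample lockfile is constructed.

```javascript
// Added example, not code from the article: scan an npm lockfile for the
// compromised axios release the report names, including transitive pins.
const COMPROMISED = { name: "axios", version: "1.7.4" }; // version from the article
// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}
// Return every install path at which the target package version is pinned.
// Handles lockfileVersion 2/3 ("packages" map) and v1 ("dependencies" tree).
function findCompromised(lock, target = COMPROMISED) {
  const hits = [];
  const record = (path, entry) => {
    if (entry.version === target.version) {
      hits.push({ path, version: entry.version, resolved: entry.resolved || null });
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project, not a dependency
      if ((entry.name || nameFromPath(path)) === target.name) record(path, entry);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === target.name) record(path, dep);
        walk(dep.dependencies, `${path}/`); // nested installs under this package
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Constructed sample lockfile: the top-level axios is already on the patched
// 1.7.5, but a dependency still pins the compromised 1.7.4 underneath it.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3, packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.7.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": { version: "1.7.5" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.7.4" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.7.4" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised pin: ${hit.path}@${hit.version}`);
}
```

A real audit would also compare each hit's `resolved` URL and integrity hash against the registry, since a clean version number says nothing about a re-published tarball.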

What happens next involves forensic analysis to determine the full scope of data exfiltrated and whether UNC1069 had other targets in progress. The npm registry maintainers have revoked the malicious package, but the cleanup will take weeks. Uncertainty lingers for applications that automatically deployed the bad version, as the stolen secrets could be used in secondary attacks long after the patch is applied. This event will be dissected in boardrooms and at security conferences for months, serving as a case study in the escalating arms race between defenders and highly-resourced threat actors targeting the digital infrastructure’s soft underbelly.

Source: https://x.com/TheHackersNews/status/2040023177439637831
