TPRM15 April 202612 min read

When 100 Million Weekly Downloads Get Weaponised: The Axios Attack and Your NIS2 Obligations

By ArvexLab Team — Compliance Research

What Happened

On 31 March 2026 at 00:21 UTC, two malicious versions of the Axios npm package — versions 1.14.1 and 0.30.4 — were published to the npm registry. The legitimate maintainer account had been hijacked via a targeted social engineering campaign. Within less than three hours, the compromised versions were detected and removed. But in a package downloaded roughly 100 million times per week, three hours is an eternity.

The malicious versions injected a dependency called `plain-crypto-js` — an obfuscated dropper that deployed the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux. The backdoor provided full remote access, credential harvesting, and lateral movement capabilities.

Google Threat Intelligence Group attributed the attack to UNC1069, a financially motivated North Korean threat cluster. Microsoft independently attributed it to Sapphire Sleet (also known as CryptoCore), an offshoot of BlueNoroff within the Lazarus Group. This is now the largest npm supply chain compromise ever recorded by download volume.

Who Was Hit

The most prominent confirmed victim is OpenAI. A GitHub Actions workflow executed the compromised Axios v1.14.1, which had access to macOS code-signing certificates for ChatGPT Desktop and Codex. The root cause: the workflow used a floating tag instead of a pinned commit hash, and had no minimum release age for dependencies.

OpenAI initiated a full rotation of its macOS certificates, treating them as potentially compromised. Users must update their macOS applications before 8 May 2026, when the old certificate will be revoked.

But OpenAI is just the visible tip. According to Google's threat brief, Axios is present in approximately 80% of cloud and code environments. Execution of the malicious version was observed in 3% of affected environments — which, at Axios's install base, represents tens of thousands of organisations worldwide.

The Attack Chain in Detail

Understanding the technical chain matters for NIS2 compliance — it determines which Article 21 controls you need to verify.

Stage	What Happened	NIS2 Relevance
1. Account takeover	Maintainer's npm account compromised via social engineering (email changed to attacker-controlled ProtonMail)	Art. 21(2)(i) — HR security, access control
2. Malicious publish	Two package versions published with `plain-crypto-js` dependency	Art. 21(2)(d) — Supply chain security
3. Automated installation	CI/CD pipelines and developer machines pulled the update automatically	Art. 21(2)(e) — Vulnerability handling
4. Backdoor deployment	WAVESHAPER.V2 RAT deployed across platforms	Art. 21(2)(b) — Incident handling
5. Credential access	Backdoor harvested secrets, tokens, certificates	Art. 21(2)(h) — Cryptography
6. Lateral movement	Attacker could pivot to production environments	Art. 21(2)(a) — Risk analysis

Why This Is Different from Trivy

Two weeks earlier, we wrote about the Trivy supply chain compromise — a container image attack that hit approximately 1,000 enterprise environments. The Axios attack is a fundamentally different beast:

Dimension	Trivy (March 2026)	Axios (March 31 2026)
Vector	Container image (Aqua Security)	npm package (JavaScript)
Weekly downloads	~2 million	~100 million
Environments affected	~1,000	80% of cloud environments
Attribution	TeamPCP (criminal group)	Lazarus Group (North Korean state)
Exposure window	~4 days	~3 hours
Notable victim	European Commission	OpenAI
Attack type	CVE exploitation	Social engineering + account takeover

The pattern is clear: supply chain attacks are accelerating in both frequency and sophistication. Group-IB's 2026 High-Tech Crime Report confirms that supply chain attacks have now overtaken traditional cyber intrusions as the #1 global cyber threat.

Your NIS2 Obligations — A Concrete Checklist

If your organisation falls under NIS2 (essential or important entity) and uses JavaScript/Node.js anywhere in your stack, here is what the Directive requires you to do. Not "should" — must.

Step 1: Determine Exposure (Immediate — Day 0)

Check if your organisation installed the compromised versions:

```bash # Check lock files for compromised versions grep -r "axios@1.14.1\|axios@0.30.4" package-lock.json yarn.lock pnpm-lock.yaml

# Check CI/CD logs for the exposure window (March 31, 00:21–03:20 UTC) # Review GitHub Actions, GitLab CI, Jenkins logs for npm install activity ```

If you find a match, this is a significant incident under NIS2 Article 23.

Step 2: Incident Reporting Timeline (Art. 23)

NIS2 mandates a strict reporting cadence for significant incidents:

Deadline	Requirement	What to include
24 hours	Early warning to CSIRT	Incident detected, suspected supply chain compromise, potential cross-border impact
72 hours	Incident notification	Initial assessment, severity, affected systems, containment measures taken
1 month	Final report	Root cause analysis, remediation actions, lessons learned, indicator sharing

Even if you determine you were not affected, document your investigation. Auditors will ask how you verified exposure during their next assessment.

Step 3: Technical Remediation (Art. 21(2)(e))

Microsoft's security blog provides detailed mitigation guidance:

Pin all dependency versions — never use floating tags or ranges in production
Implement minimum release age — do not install packages published less than 72 hours ago
Rotate all secrets exposed to CI/CD pipelines that ran during the window
Audit GitHub Actions workflows — ensure all actions use commit hashes, not tags
Deploy npm audit signatures — verify package provenance before installation

Step 4: Supply Chain Controls Review (Art. 21(2)(d))

NIS2 Article 21(2)(d) explicitly requires organisations to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

For open-source dependencies, this means:

Maintain a Software Bill of Materials (SBOM) — you cannot assess exposure if you do not know what you run
Implement automated dependency scanning in CI/CD (Snyk, Socket, npm audit)
Establish a dependency governance policy — who approves new packages, what review happens for major version updates
Monitor for supply chain advisories — subscribe to security feeds for critical dependencies

Step 5: Update Your Risk Register (Art. 21(2)(a))

If "open-source supply chain compromise" is not already in your NIS2 risk register, add it now. The risk assessment should include:

Likelihood: High (Group-IB reports supply chain attacks as #1 threat in 2026)
Impact: Critical (full environment compromise via a single dependency)
Controls: SBOM, dependency pinning, CI/CD isolation, secret rotation procedures
Residual risk: Medium (no control fully prevents zero-day supply chain attacks)

The Broader Pattern: Why This Keeps Happening

Three major supply chain attacks in six weeks (Trivy, CPUID, Axios). This is not a coincidence — it is a structural shift.

The economics favour the attacker. Compromising a single popular package gives access to thousands of downstream targets simultaneously. The Axios attack cost the Lazarus Group one social engineering campaign; it gave them potential access to 80% of cloud environments worldwide.

Open-source governance has not kept pace. Axios has over 100 million weekly downloads and is maintained by a small team. The maintainer's npm account was the single point of failure for the entire JavaScript ecosystem's HTTP client layer.

CI/CD pipelines are the new perimeter. The shift to DevOps and automated deployments means that a compromised package is installed, built, and deployed to production before any human reviews it. OpenAI's misconfigured GitHub Actions workflow — using floating tags instead of pinned hashes — is the norm, not the exception.

What NIS2 Gets Right (and What It Misses)

NIS2 Article 21(2)(d) is remarkably prescient. Written before these attacks, it mandates supply chain security including "security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." Open-source packages are service providers — unpaid ones, but service providers nonetheless.

However, NIS2 was designed for traditional vendor relationships. It does not specifically address:

Transitive dependencies — Axios itself was not malicious; the injected `plain-crypto-js` was. How deep must your supply chain assessment go?
Volunteer-maintained infrastructure — how do you apply Art. 21(2)(d) supplier assessments to an npm package maintained by two people?
Speed of exploitation — the 24-hour reporting window assumes you detect the incident first. In a supply chain attack, you may not know you are compromised for days.

These gaps will likely be addressed in ENISA's upcoming technical guidance. Until then, organisations should err on the side of over-reporting and over-documenting.

Practical Next Steps

Today: Run the exposure check above. Document the result regardless of outcome.
This week: Review your dependency management policy against Art. 21(2)(d) requirements. Pin all production dependencies.
This month: Add open-source supply chain risk to your NIS2 risk register. Implement SBOM generation in your CI/CD pipeline.
Ongoing: Monitor the OpenSSF Scorecard ratings for your critical dependencies.

Supply chain attacks are no longer theoretical. They are the #1 attack vector in 2026, attributed to nation-state actors, and they trigger concrete NIS2 obligations. The organisations that treat this as a compliance exercise — rather than just a security incident — will be the ones that survive the next audit.

---

*This is the second in our supply chain case study series. Read the first: When Your Security Scanner Turns Against You: Supply Chain Lessons from the Trivy Compromise.*

Sources and References

Ready to assess your NIS2 readiness?

Use our free self-assessment tool or speak with our compliance team.

Start NIS2 Assessment Contact Us