security: Mitigating the Axios npm supply chain compromise
Microsoft Security Blog
2026-04-01
Microsoft reported that Axios was hit by a supply chain attack on March 31, 2026. Malicious npm releases 1.14.1 and 0.30.4 were used to fetch content from a C2 server linked to the North Korean actor Sapphire Sleet; the compromised versions have since been removed.