Software Supply Chain Security After Axios
On March 31, 2026, attackers published two malicious versions of axios — a package with roughly 100 million weekly npm downloads — during a window of a little over three hours. Google Threat Intelligence Group attributed the campaign to UNC1069, a North Korea-nexus threat actor. The malicious releases introduced a dependency that used a postinstall script to deploy a cross-platform remote access trojan.

During that window, any CI/CD pipeline or developer workstation that freshly resolved the affected versions and allowed lifecycle scripts to run could have been compromised. Projects with previously committed lockfiles were far less likely to be affected.

A 38-page academic paper had already explained exactly how and why this would happen.

The Paper That Called It

Williams et al. published "Research Directions in Software Supply Chain Security" in ACM TOSEM in May 2025. Fifteen researchers from the NSF-funded S3C2 consortium synthesized findings from eight summits with 131 practitioners