TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Tradecraft Tuesday Recap: axios npm Supply Chain Compromise

2026-04-21

ATT&CK techniques detected

14 predictions
T1195.001 Compromise Software Dependencies and Development Tools
99%
“…shing email that hit his npm account, which in turn led to the compromise of 18 very popular npm packages. In that case, the piece of code shipped out to the packages was targeting crypto transactions on various blockchains. - Also in September 2025, a self-replicating worm c…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“with the very basics: npm (short for Node Package Manager) is a software component library for the JavaScript ecosystem. At the most basic level, npm is the tool that lets developers “borrow” pre-written code for their applications. This is all well and good for developers…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“…ware to macOS, Windows, and Linux systems through the malicious dependency that had been injected into the backdoored axios releases. In the hours that followed, security researchers – including Huntress’ own John Hammond – unraveled the widespread attack in the best way they …”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“Tradecraft Tuesday Recap: axios npm Supply Chain Compromise The axios npm supply chain compromise in March came to light as many security incidents do: a post on X in the middle of a Monday night. “Need someone from npmjs security team to DM me now,” tweeted Elastic’s tech …”
T1566.004 Spearphishing Voice
94%
“…do Security’s Eriksen said, if you’re a threat actor using this tactic, “you want to see the world burn.” The trust problem At the end of the day, open source security challenges come down to trust. Attackers rely on trust by using social engineering techniques to target …”
T1195.001 Compromise Software Dependencies and Development Tools
86%
“other social engineering attacks. Unbeknownst to Saayman, the install led to the RAT. Figure 2: axios maintainer Jason Saayman talked about the attacker’s social engineering tactics But even beyond initial access, the entire open source ecosystem is built on a foundation of tr…”
T1587 Develop Capabilities
82%
“with the very basics: npm (short for Node Package Manager) is a software component library for the JavaScript ecosystem. At the most basic level, npm is the tool that lets developers “borrow” pre-written code for their applications. This is all well and good for developers…”
T1587 Develop Capabilities
80%
“Tradecraft Tuesday Recap: axios npm Supply Chain Compromise The axios npm supply chain compromise in March came to light as many security incidents do: a post on X in the middle of a Monday night. “Need someone from npmjs security team to DM me now,” tweeted Elastic’s tech …”
T1204.002 Malicious File
72%
“-hour timeframe, it meant that the malicious payload was executed. Automatically. Various researchers have pointed to links in the attack to DPRK infrastructure, with Google attributing the incident specifically to UNC1069, a financially motivated North Korean threat actor activ…”
T1195.001 Compromise Software Dependencies and Development Tools
60%
“-hour timeframe, it meant that the malicious payload was executed. Automatically. Various researchers have pointed to links in the attack to DPRK infrastructure, with Google attributing the incident specifically to UNC1069, a financially motivated North Korean threat actor activ…”
T1587 Develop Capabilities
59%
“…ware to macOS, Windows, and Linux systems through the malicious dependency that had been injected into the backdoored axios releases. In the hours that followed, security researchers – including Huntress’ own John Hammond – unraveled the widespread attack in the best way they …”
T1587 Develop Capabilities
43%
“…shing email that hit his npm account, which in turn led to the compromise of 18 very popular npm packages. In that case, the piece of code shipped out to the packages was targeting crypto transactions on various blockchains. - Also in September 2025, a self-replicating worm c…”
T1195 Supply Chain Compromise
36%
“other social engineering attacks. Unbeknownst to Saayman, the install led to the RAT. Figure 2: axios maintainer Jason Saayman talked about the attacker’s social engineering tactics But even beyond initial access, the entire open source ecosystem is built on a foundation of tr…”
T1598.004 Spearphishing Voice
31%
“…do Security’s Eriksen said, if you’re a threat actor using this tactic, “you want to see the world burn.” The trust problem At the end of the day, open source security challenges come down to trust. Attackers rely on trust by using social engineering techniques to target …”

Summary

A few weeks after the major axios npm supply chain attack, a group of researchers from Huntress, Wiz, and Aikido Security debriefed on the compromise’s lasting impacts.