Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
For about three hours on March 31, every npm install pulling a fresh Axios got a North Korean backdoor instead of an HTTP library. The attack hit both version streams simultaneously: 1.14.1 and 0.30.4. Combined weekly downloads? North of 100 million.
The attackers fully took over a maintainer’s npm account, pushed malicious versions, and deployed a dropper called SILKBELL that detected your OS and dropped a tailored payload. Windows got a disguised PowerShell stager. macOS got a binary masquerading as an Apple system process. Linux got a Python script in /tmp.
Here’s the kicker: after deploying the backdoor, SILKBELL deleted itself and swapped in a clean package.json. Your node_modules/axios looked totally normal afterward. No traces. If you didn’t catch it during those three hours, you’d never know from looking at the files.
Google attributes this to UNC1069, a DPRK group that’s been active since 2018. The tooling maps to known North Korean operations, and the endgame is developer credentials, API keys, and tokens.
Check your lockfiles, not your node_modules: because SILKBELL cleans up after itself, the version pinned in package-lock.json or yarn.lock (or an install log from that window) is the evidence that survives. If axios@1.14.1 or axios@0.30.4 shows up anywhere, including as a nested transitive dependency, assume compromise and rotate everything that machine could reach: developer credentials, API keys, and tokens.