North Korea Suspected In Open Source Axios Supply Chain Breach

Axios Trust Chain Breached By North Korea-Linked Hackers In Crypto-Focused Supply-Chain Attack

Suspected North Korea-linked attackers hijacked the open source Axios trust chain, pushing malicious updates to downstream users in a campaign experts believe is aimed at stealing cryptocurrency and exploiting blind dependency trust.

A suspected North Korea-linked hacking group has compromised the open-source Axios package, turning a trusted dependency into the entry point for a potentially months-long crypto-focused software supply-chain attack affecting US enterprises.

Attackers reportedly gained control of an Axios maintainer’s account for at least three hours, using the window to push malicious updates to downstream users. Any organisation that downloaded the package during that period may now face enterprise-wide exposure, with the breach already being treated as a major open-source trust-chain compromise.

Because Axios is widely used across healthcare, finance, cryptocurrency, and technology sectors, the blast radius could extend across thousands of US firms. Security responders warn that automatic package consumption and insufficient dependency scrutiny significantly amplified the downstream infection risk.
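The automatic-consumption risk described above, as an added example that is not code from the article or the Axios project: a Node.js audit of a project's manifest and lockfile that flags a floating version range, reports the resolved version and whether an integrity hash is pinned, and checks whether that version's publish time falls inside a suspected maintainer-account-takeover window. The version numbers, timestamps, hash and window below are constructed placeholders, not the incident's values.

```javascript
// Added example (not from the article or the Axios project). All sample
// inputs are constructed; versions, dates and hashes are placeholders.
const EXACT = /^\d+\.\d+\.\d+$/;

// A declared range that is not one exact version lets an install without a
// lockfile (or an `npm update`) pull whatever was published most recently.
function isFloatingRange(range) {
  return !EXACT.test(String(range).trim());
}

// Find the lockfile entry for a top-level dependency. Handles lockfileVersion 1
// (a `dependencies` map) and versions 2/3 (a `packages` map keyed by path).
function resolvedEntry(lock, name) {
  if (lock.packages) return lock.packages[`node_modules/${name}`] || null;
  if (lock.dependencies) return lock.dependencies[name] || null;
  return null;
}

// publishTimes maps version -> ISO publish timestamp (the shape of the npm
// registry's `time` field); the window is the suspected compromise period.
function auditDependency(pkg, lock, name, publishTimes, windowStart, windowEnd) {
  const declared = (pkg.dependencies || {})[name] ?? (pkg.devDependencies || {})[name] ?? null;
  const entry = resolvedEntry(lock, name);
  const publishedAt = entry && publishTimes[entry.version] ? new Date(publishTimes[entry.version]) : null;
  const inWindow = publishedAt !== null &&
    publishedAt >= new Date(windowStart) && publishedAt <= new Date(windowEnd);
  return {
    name,
    declaredRange: declared,
    floating: declared !== null && isFloatingRange(declared),
    resolvedVersion: entry ? entry.version : null,
    hasIntegrity: Boolean(entry && entry.integrity),
    publishedAt: publishedAt ? publishedAt.toISOString() : null,
    publishedInWindow: inWindow,
  };
}

// Constructed sample inputs: a caret range, a v3 lockfile, made-up publish
// times and a placeholder three-hour takeover window.
const samplePackageJson = { dependencies: { axios: '^1.6.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: { 'node_modules/axios': { version: '1.6.9', integrity: 'sha512-PLACEHOLDER' } },
};
const samplePublishTimes = { '1.6.8': '2025-01-03T09:00:00Z', '1.6.9': '2025-01-10T11:30:00Z' };
const WINDOW = ['2025-01-10T10:00:00Z', '2025-01-10T13:00:00Z'];

function runSample() {
  return auditDependency(samplePackageJson, sampleLock, 'axios', samplePublishTimes, ...WINDOW);
}
```

A resolved version that was published inside the window, combined with a floating range, is the case to investigate first; an exact pin with an integrity hash does not remove the need to check, but it means the version in use was chosen deliberately rather than pulled in automatically.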

According to Charles Carmakal, Chief Technology Officer (CTO) at Mandiant, “We anticipate they will try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,” adding that “it will likely take months to assess the downstream impact of this campaign.”

The scope is already significant. Huntress identified nearly 135 compromised devices across at least 12 companies, though researchers say this represents only a small sample.

John Hammond, security researcher at Huntress, said the breach was “perfectly timed,” warning that AI-driven internal software workflows are accelerating unchecked package adoption, while too few teams scrutinise the open-source components entering production environments.

The incident sharply underscores the growing fragility of AI-era blind trust in open-source dependencies.
