State-backed hackers compromised a widely used open-source JavaScript library, turning routine software updates into a delivery mechanism for attacks aimed at US companies and cryptocurrency assets.
North Korea's Lazarus Group has found a new entry point. By compromising the open-source Axios package, a JavaScript library downloaded millions of times per week by developers worldwide, suspected state-sponsored actors pushed malicious code directly into the software supply chains of dozens of US firms. The attack, first reported by LiveMint citing cybersecurity researchers, has already compromised an unknown number of devices, and security teams are bracing for wider fallout across multiple industries.
Supply chain attacks are not new, but this one carries a particular sting for the crypto sector. Axios is foundational infrastructure for modern web applications, handling HTTP requests in JavaScript environments from Node.js server backends to React browser frontends. It sits inside the codebase of thousands of projects, from fintech dashboards to centralized exchange platforms. When developers ran what looked like a legitimate update, they unknowingly installed a backdoor.
North Korea's motivation here is financial, not political disruption. The country's cyber operations have become one of its most reliable revenue streams, with the Lazarus Group and its affiliated clusters consistently targeting decentralized finance protocols, bridge mechanisms, and hot wallets. According to blockchain analytics firm Chainalysis, North Korean hackers stole approximately $1.7 billion in cryptocurrency throughout 2022 alone, a figure that dipped but remained substantial in 2023 and 2024. Those funds flow directly into a regime constrained by heavy international sanctions, bypassing traditional banking controls entirely.
Open-source ecosystems have a trust problem, and attackers are exploiting it with increasing precision. Axios is maintained by a small group of volunteer contributors despite its enormous footprint. That imbalance between usage and security resources makes it a prime candidate for account takeover or credential compromise. Once an attacker gains access to the maintainer's npm credentials, they can publish a version that looks identical to a legitimate release, complete with proper version numbering and release notes.
The malicious Axios versions reportedly contained obfuscated code designed to execute on installation, establishing persistence on developer machines and staging environments. From there, the attackers could pivot into internal networks, access private keys, or inject additional payloads into production builds. For cryptocurrency companies, where a single compromised private key can drain an entire treasury, the attack surface is uniquely dangerous.
This incident also fits a broader pattern. North Korean groups have repeatedly shifted tactics toward supply chain compromises over the past two years, moving beyond phishing emails and fake job recruitment schemes. As the Financial Times recently noted, state-backed groups from Pyongyang have increasingly targeted developer tooling and package registries as a way to scale their reach beyond individual targets. One compromised package can infect hundreds of downstream projects simultaneously.
What This Means for Crypto Founders and Engineering Teams
The immediate practical concern is detection. Companies that pulled Axios updates in recent weeks should audit their dependency trees and review installation logs for anomalous behavior. Lockfiles, which pin exact package versions, offer some protection but only if they were generated before the compromise window and never updated during it.
Beyond the immediate incident, this attack underscores a structural vulnerability in how cryptocurrency projects handle infrastructure trust. Many DeFi protocols and Web3 startups pride themselves on decentralization at the consensus layer while running highly centralized, conventional tech stacks behind the scenes. The smart contract code might be audited and verifiable, but the Node.js backend feeding it data or managing administrative keys often runs on unverified third-party dependencies.
Expect this pattern to accelerate. Open-source registries like npm, PyPI, and RubyGems remain high-value targets because the return on investment for attackers is extraordinary. For cryptocurrency firms specifically, the convergence of high-value digital assets and rapid, dependency-heavy development cycles creates an environment where a single compromised library can yield millions in stolen funds. Security teams that treat supply chain integrity as a secondary concern, behind smart contract audits and key management, are leaving their most exposed flank unguarded.