Authored by Rajnish Gupta, Managing Director and Country Manager, Tenable India
On 31 March 2026 cyber adversaries hijacked the npm account of Axios’s lead maintainer and published two poisoned versions of the package. Developers download Axios over 100 million times every week, and it powers HTTP communication across countless applications in virtually every industry.
The attackers slipped a hidden, malicious dependency called plain-crypto-js into those two new versions, turning one of the most trusted tools in software development into a delivery vehicle for a remote access trojan (RAT). Any organisation whose developers ran a routine package install during that window, with a dependency specifier loose enough to resolve to one of the two poisoned versions, pulled malware directly into its environment.
The attack worked because trust went unverified
As most attackers do, this one chose the path of least resistance—stealing a single developer’s login token, using it to publish malicious versions, and letting the open-source ecosystem do the rest. That works because Axios is a fundamental building block used in millions of websites, startup applications, financial services, and healthcare platforms to fetch data from servers. Developers pulled the poisoned versions as part of routine workflows, the malicious code executed automatically, and the attacker could steal credentials, API keys, and access tokens from each infected host.
Security researchers at both Microsoft and Google have attributed the Axios compromise to a North Korean state-sponsored threat group, UNC1069. This matters because the attackers targeted the software supply chain itself in order to harvest sensitive developer secrets at scale. This is the rise of the developer credential economy—a black market where stolen API keys and access tokens sell as commodities. Attackers typically abuse those stolen secrets within hours of the theft, which shrinks the response window to almost nothing.
The attack taught the world that prevention, not reaction, is essential
The Axios hack exposes the structural flaw in the industry’s overreliance on detect-and-respond solutions. By the time an issue is detected, the credential theft has already happened. The detect-and-respond model assumes there is a meaningful gap between compromise and damage; in supply chain attacks, there isn’t.
Reactive tools monitor what runs on a machine, but they do not preemptively monitor the entire supply chain, the CI/CD pipeline, or the package registry that delivered the malicious code in the first place. They cannot see the stolen developer token that made the attack possible, so they cannot flag it before it is used. Nor do they have visibility into short-lived cloud build environments, where credentials get lifted and the environment vanishes before the risk is surfaced. Relying on reactive solutions as the primary line of defense is like trying to stop a fire with a bottle of water after the accelerant has spread across the entire building.
Preventive security solutions, on the other hand, catch anomalous outbound connections at the pipeline level rather than after an attack has already taken place, which makes them well suited to defending against threat actors who continuously exploit the trust in open-source ecosystems to get around traditional, perimeter-based security controls.
Exposure management closes the gap
Threat actors are successfully exploiting exposures, such as long-lived tokens, overprivileged CI/CD runners, and unpinned dependencies, to force organisations into a reactive posture. To escape this pattern, defenders must shift from merely reacting to threats to adopting continuous threat exposure management (CTEM).
Rather than waiting for attackers to trigger an alarm, CTEM focuses on finding and fixing conditions that let attacks succeed in the first place. CTEM ensures organisations have answers to three important questions when a new threat surfaces: Are we exposed? Where are we exposed? How fast can we close the gap?
Continuous threat exposure management offers the speed and complete visibility to answer these questions. It scans on-prem and cloud environments for compromised package versions, maps which systems and teams depend on those assets and routes remediation work to the right owners immediately.
For the Axios incident specifically, teams needed to downgrade to a known-good package version and pin it, remove the malicious dependency, rotate all secrets and credentials on affected machines, block outbound traffic to the attacker’s command-and-control server, and treat any self-hosted CI/CD runner that touched the malicious package as fully compromised.
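As an added example, not code from the article or from Tenable, the following Node.js script does the first two checks a team would run across its repositories in that window: it flattens a package-lock.json, reports any axios entry resolved to a poisoned version and any occurrence of plain-crypto-js anywhere in the dependency tree (including as a transitive install), and flags the unpinned specifiers in package.json that let a routine install pick up a freshly published release in the first place. The article does not name the two poisoned Axios versions, so the entries in BAD_AXIOS_VERSIONS are hypothetical placeholders; the package.json and lockfile embedded below are constructed test data, not a real project.

```javascript
// Added example: triage a Node.js project for the Axios compromise described
// in the article. Not code from the article or from Tenable.
//
// The article does not name the two poisoned Axios versions, so the entries
// in BAD_AXIOS_VERSIONS are HYPOTHETICAL placeholders: replace them with the
// versions from the registry or vendor advisory before use.
const BAD_AXIOS_VERSIONS = new Set(["0.0.0-placeholder-a", "0.0.0-placeholder-b"]);
// The malicious dependency the article names.
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Flatten a package-lock.json (lockfileVersion 2 or 3) into installed entries.
// Keys in lock.packages look like "node_modules/axios" or
// "node_modules/axios/node_modules/plain-crypto-js"; the package name is the
// segment after the last "node_modules/" (scoped names keep their "@scope/").
function lockfileEntries(lock) {
  const marker = "node_modules/";
  const entries = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    entries.push({ path, name, version: meta.version });
  }
  return entries;
}

// Report (a) axios resolved to a poisoned version and (b) the malicious
// dependency present anywhere in the tree, including as a transitive install.
function triageLockfile(lock) {
  const findings = [];
  for (const e of lockfileEntries(lock)) {
    if (e.name === "axios" && BAD_AXIOS_VERSIONS.has(e.version)) {
      findings.push({ reason: "axios resolved to a poisoned version", ...e });
    }
    if (MALICIOUS_PACKAGES.has(e.name)) {
      findings.push({ reason: "malicious dependency installed", ...e });
    }
  }
  return findings;
}

// Unpinned specifiers are what let a routine install resolve to a freshly
// published version. An exact semver pin ("1.2.3", with optional prerelease
// or build suffix) passes; ranges and tags ("^1.0.0", "~1.0", "*", "latest") do not.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
function unpinnedDependencies(pkg) {
  const unpinned = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_SEMVER.test(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample data (not a real project) showing both indicators:
// axios pulled via a caret range and resolved to a placeholder "bad" version,
// with plain-crypto-js nested underneath it as a transitive dependency.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: { axios: "^1.0.0", express: "4.18.2" },
};
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/axios": { version: "0.0.0-placeholder-a" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
  },
};

// Returns findings rather than exiting, so a CI wrapper can decide to fail the build.
function runTriage(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCK) {
  return { findings: triageLockfile(lock), unpinned: unpinnedDependencies(pkg) };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = runTriage();
  for (const f of result.findings) console.log(`[CRITICAL] ${f.path} (${f.version}): ${f.reason}`);
  for (const u of result.unpinned) console.log(`[WARN] ${u.section}.${u.name} = "${u.spec}" is not pinned`);
}
```

In practice the script would be pointed at every checked-out repository and every self-hosted runner’s workspace, with the real poisoned versions substituted in; a hit on either check is the trigger for the remaining steps above (secret rotation, C2 blocking, and rebuilding the runner), which depend on the environment and are not scriptable from the lockfile alone.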
Agentic AI-powered exposure management now compresses this workflow from days to minutes. It can query the entire environment for affected assets, tag them by business unit and severity to scope the blast radius, and automate post-remediation scans to confirm that the threat is neutralised.
Instead of security teams writing manual scripts under pressure, AI-powered CTEM queries the data already collected from existing scans, agents, and integrations. In the context of the Axios attack, it produces a clear picture of which assets are running the compromised Axios versions, where they sit in the network, and how critical they are to the business.
CTEM gives organisations operational muscle memory. Rather than spending hours configuring reports by hand, a team can ask Tenable Hexa AI to “Build a dashboard showing all current risks in my environment” and get an immediate visualisation of its posture. The same conversational workflow used to hunt for malicious versions of Axios can be reused the moment the next Log4j, XZ Utils or MOVEit-style vulnerability hits the news.
It also runs remediation scans against tagged assets, performs post-patch verification, and compares before/after results to confirm that the threat is neutralised. It automates the creation of risk dashboards and reports on security KPIs, maps vulnerabilities to asset owners via Okta, CMDB, or custom mappings, and automatically notifies the right teams. Teams can use it to trigger patching workflows and network isolation for compromised assets. In short, it turns exposure intelligence into coordinated action that reduces cyber risk.
Supply chain attacks on upstream software repositories grew by 156% YoY in 2024-25. The Axios incident follows a line of predecessors such as Log4j, XZ Utils and MOVEit. Each exploited the trust placed in widely deployed software, and each spread fast precisely because the components involved are so useful and so ubiquitous.
Organisations that weave exposure management into their security programme win because they treat every new attack as a repeatable drill rather than a fire drill. They know their attack surface and dependencies, so they can close gaps before attackers weaponise them. Every organisation that still waits for an alarm before acting carries the risk that the next Axios is already inside its walls. The time to act is now.