How We Catch the Axios DPRK RAT — Directly in Your IDE

jomynn — Fri, 22 May 2026 02:26:06 +0000

Published by SendWaveHub · NPM Safety Guard v1.12.0

The Attack

In April 2025, security researchers discovered that axios 1.14.1 — a package with hundreds of millions of downloads — had been briefly replaced on npm with a version containing a Remote Access Trojan (RAT) attributed to DPRK-linked threat actors (the Lazarus Group).

The malicious version was live for a short window. Developers who ran npm install during that window pulled down a backdoor that connected to attacker-controlled infrastructure.

This isn't an edge case. It's the same pattern used in the event-stream attack (2018), ua-parser-js (2021), and dozens of others. Supply chain attacks now account for a significant share of real-world breaches — and they bypass most traditional security tools because the package itself is the attack vector.

The Problem with Existing Tooling

npm audit only catches known CVEs — it doesn't flag malicious payloads injected into legitimate packages. By the time a CVE is filed, the damage may already be done.

OSV.dev, Snyk, and similar tools are excellent at CVE tracking, but they rely on a package being reported and catalogued. A supply chain attack that's live for 48 hours may never make it into those databases in time to protect you.

What NPM Safety Guard Does Differently

NPM Safety Guard is a free VS Code extension that runs 13 detection layers directly in your editor, before npm install even runs.

For the Axios DPRK RAT specifically, it:

Matches against a curated malicious-package database — the bundled DB includes axios@1.14.1, flagged as CRITICAL with the exact version and attack description
Pulls a live remote feed — updated independently of extension releases, so new attacks light up within hours of discovery
Checks OSV.dev in real time — CVEs filed against your installed versions are flagged inline
Audits install hooks — preinstall/postinstall/prepare scripts are flagged before they run, since they're the #1 supply-chain execution vector

Here's what it looks like when axios@1.14.1 appears in your package.json:

🔴 CRITICAL — DPRK RAT (Lazarus Group) — axios@1.14.1
This version was replaced with a Remote Access Trojan.
Safe version: 1.7.9
npm install axios@1.7.9

The warning appears inline, in the Problems panel, and in a full Security Report — all before you've run a single npm command.

The Other 12 Detection Layers

Catching known-malicious packages is the floor, not the ceiling. NPM Safety Guard also detects:

Layer	What it catches
Typosquatting	`lодash` (Cyrillic о), `expres` — packages designed to look like legitimate ones
Dependency confusion	Scoped packages (`@company/pkg`) that have been planted on public npm
Overrides/resolutions poisoning	Teams pin versions to fix a transitive CVE, accidentally pinning to a vulnerable version
Phantom dependencies	Packages your code imports but aren't in `package.json` — fail silently in clean installs
Unmaintained packages	Last release >24 months ago → accumulating unpatched CVEs
Deprecated packages	npm-deprecated packages with auto-upgrade suggestions
Install script audit	Every `preinstall`/`postinstall` hook flagged with package context
OSSF Scorecard	Security hygiene scores from the OpenSSF for each dependency
Socket.dev integration	Supply chain risk scores (requires token)
License compliance	GPL/AGPL in commercial projects
ReversingLabs	Real-time CVE + malware detection (requires free token)
Lockfile scan	Full resolved dependency tree, not just direct deps

Install It Free

The extension is free, open source (MIT), and available on:

VS Code Marketplace
Open VSX (for VSCodium users)

ext install Sendwavehubtech.npm-safety-guard

No API key required for the core features. The malware DB and OSV.dev integration work out of the box.

Why This Matters Now

The Axios attack was caught relatively quickly — but only because it targeted a high-profile package with many eyes on it. The next attack will target a smaller package, with fewer watchers, and stay live longer.

Your best defense is catching the package before it's installed — at the point where you're editing package.json in your editor.

That's exactly what NPM Safety Guard is built for.

Built by SendWaveHub. If this saves your project, consider sponsoring the work.

Tags: security npm javascript devsecops supplychain