Socket detected the Axios NPM supply chain hack in six minutes — and 2,000 orgs signed up in 24 hours
Key Points
- Socket detected the Axios NPM supply chain attack in six minutes, triggering 2,000 new organization signups in 24 hours as the breach exposed the vulnerability of a package downloaded 100 million times weekly.
- A North Korean state actor compromised Axios through social engineering, stealing credentials that enabled self-propagating attacks across Aqua Security, LiteLLM, and other major open source projects over six months.
- Modern applications depend on 500,000 or more unauthenticated open source components with unrestricted access upon installation, a structural weakness that worsens as AI agents autonomously resolve and install packages at scale.
Summary
Socket detected the Axios NPM supply chain hack in six minutes — and 2,000 orgs signed up in 24 hours
Feross Aboukhadijeh, founder of Socket, describes the Axios NPM attack as a watershed moment for software supply chain security — and a significant business inflection for his company.
The attack
A North Korean state actor socially engineered the lead maintainer of Axios, one of the most widely used JavaScript packages with 100 million weekly downloads. The operation was sophisticated: the attackers posed as a founder of a fake company, built out a fake Slack workspace, staged a Microsoft Teams call using official Microsoft SDKs to make the interface look legitimate, and cultivated the relationship over weeks. When the call cut out, the browser prompted the maintainer to install an update — which turned out to be a Remote Access Trojan giving the attackers full remote control of the device.
From there, the worm pulled crypto wallet keys, NPM credentials, and other stored tokens, using them to spread to the next set of maintainers. Socket itself was targeted, along with a number of other top NPM maintainers.
The poisoned Axios version was live for roughly three hours. During that window, any AI agent or developer pulling Axios to handle HTTP requests — a near-automatic dependency choice — would have installed the compromised package. Andrej Karpathy noted publicly that he escaped only because he hadn't updated his pinned version.
“There's a North Korean state actor that socially engineered the lead open source maintainer of the Axios package. They published poisoned versions of the package that silently install a Remote Access Trojan. We had almost 2,000 organizations sign up for an account in a twenty-four hour period — a significant percentage of our full user base. Axios is downloaded 100,000,000 times per week.”
Socket's detection
Socket monitors every open source package across 19 ecosystems — including AI models, editor extensions, and Chrome extensions — running static analysis, maintainer behavior analysis, and AI-assisted checks within minutes of a new package version appearing. The six-minute detection time reflects how long it takes to download, scan, and run the full battery of tests.
The business impact was immediate. Nearly 2,000 organizations signed up for a Socket account within 24 hours of the attack becoming public — a significant percentage of Socket's total user base, according to Aboukhadijeh.
The broader campaign
Aboukhadijeh frames the Axios incident not as a one-off but as part of an intensifying campaign. Over the past six months, the group known as Team PCP has compromised Aqua Security, the Trivy scanner, LiteLLM, and CheckMarx. The common vector is a self-propagating worm called "canister worm." The group claims to have stolen 300 gigabytes of compressed credentials — passwords, API keys, GitHub Actions tokens — and Aboukhadijeh expects a long tail of follow-on attacks over the next twelve months as those credentials are exploited.
Why now
The underlying vulnerability is structural. Modern applications routinely depend on 500,000 or more open source components, and every one of those components is an unauthenticated entry point. Unlike mobile apps, which operate under permission models requiring explicit access to the camera, microphone, or contacts, open source packages run with unrestricted access the moment they're installed. No review, no permission prompt, no sandbox.
Aboukhadijeh's view is that the attack surface has grown faster than awareness has. Companies aren't adopting fewer dependencies — they're adopting more, driven by AI agents that autonomously resolve and install packages to complete tasks. Socket positions itself as the guardrail sitting between those agents and the package registries.
Cybersecurity outlook
Security gets worse before it gets better. AI tools like Mythos — released the day of this conversation — are surfacing new vulnerabilities at scale, which drives urgency but also expands the attack surface. Aboukhadijeh argues this is net positive for the category short-term, since CISOs and boards struggle to justify security budgets without a visible crisis to point to.
Longer term, he sees AI resolving the core asymmetry in security: defenders have historically had to guard against every possible attack vector while attackers need only find one. AI agents running continuous audits at scale start to close that gap. But he's careful not to call it solved — attackers have access to the same tools, and the field remains a dynamic cat-and-mouse contest.
The 2,000 organizations in 24 hours is the number that matters here. It's a stress test that became a growth event — and a signal that supply chain security is moving from a technical footnote to a board-level line item.