What Happened
On March 31 2026, North Korean hackers gained access to a publishing account for “axios” — a widely used software component that handles internet communication in applications built with JavaScript. The hackers published a poisoned version for approximately three hours before it was removed.
Any organisation whose automated software build system downloaded axios during that three-hour window received surveillance software alongside it. The malicious code immediately harvested the build system’s passwords, cloud service keys, code-signing credentials, and access tokens, then transmitted everything to the attackers before the compromise was discovered.
CISA identified North Korea’s Sapphire Sleet unit as responsible and issued a formal advisory on April 20 2026.
Business Impact
The exposure is unusually broad because automated software builds typically run around the clock across development, testing, and production pipeline systems. The axios package is a dependency — direct or indirect — in the build process for applications across virtually every industry.
Critically, the stolen information is not limited to what was exposed on March 31 — build systems routinely hold access credentials for cloud accounts (AWS, Azure, Google Cloud), code repositories, container registries, and third-party service integrations. If those credentials have not been rotated, an attacker retains access to those systems today, three weeks after the initial compromise.
Unlike a breach of a company’s own systems, this supply chain attack reached inside software delivery pipelines that many organisations consider an internal, trusted environment — one that typically has access to far more sensitive infrastructure than a standard employee laptop.
Regulatory Implications
Organisations subject to DORA (financial entities in the EU) or NIS2 (essential and important entities) should assess whether a build pipeline compromise constitutes a reportable ICT-related incident. If attackers had access to credentials that could have affected production systems — cloud accounts, code repositories, deployment pipelines — this may trigger incident notification obligations. Legal counsel should be engaged before concluding no obligation arises.
Board-Ready Summary
- North Korea’s state hacking unit poisoned a widely used software building block for three hours on March 31, stealing access credentials from automated build systems at organisations whose pipelines ran during the exposure window.
- Stolen credentials — if not yet rotated — may still provide attackers active access to cloud accounts, code repositories, and software deployment systems.
- The required response is an immediate audit of build logs from March 31 and, for any confirmed exposure, rotation of all credentials held by those systems.
Recommended Actions
- Immediate (today): Direct the software delivery or DevOps team to audit all automated build logs for March 31 2026, specifically looking for downloads of axios versions 1.14.1 or 0.30.4 between 00:00–04:00 UTC. This is a targeted audit with a known four-hour window.
- Immediate (if exposure confirmed): Rotate all credentials stored in or accessible by the affected build pipeline — cloud service keys (AWS, Azure, GCP), code repository tokens, container registry credentials, code-signing certificates, and any third-party service API keys.
- This week: Commission a review of what cloud resources and infrastructure systems were accessible from the affected build environments. Prioritise any environments with deployment or administrative permissions to production systems.
- This week: Review container images and software packages built by the affected pipeline during and after the exposure window — if the build system’s credentials were stolen, subsequent builds may have been tampered with before the compromise was detected.
- This month: Implement package integrity verification in all build pipelines — require cryptographic lockfiles (`npm ci` rather than `npm install`) and consider mirroring critical open-source dependencies through a private registry with version pinning, so any future upstream compromise does not automatically reach your builds.
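The build-log audit in the first action and the lockfile check in the last one can both be scripted; the Node script below is an added example, not part of this briefing or of the axios project. It assumes CI log lines carry an ISO timestamp prefix followed by npm's verbose `http fetch` output, and that the lockfile is a `lockfileVersion` 2 or 3 `package-lock.json`; the sample log lines and lockfile are constructed.

```javascript
// Added example, not part of the briefing: flag pipelines that pulled the
// affected axios versions inside the stated audit window, from (1) npm fetch
// log lines and (2) a package-lock.json. Sample log and lockfile are constructed.
const AFFECTED_VERSIONS = new Set(["1.14.1", "0.30.4"]);  // versions named in the briefing
const WINDOW_START = Date.parse("2026-03-31T00:00:00Z");  // 00:00-04:00 UTC audit window
const WINDOW_END = Date.parse("2026-03-31T04:00:00Z");
// Assumed line shape: ISO timestamp from the CI runner, then npm's verbose
// "http fetch" output naming the tarball, e.g. .../axios/-/axios-1.14.1.tgz
const FETCH_RE = /^(\S+)\s.*?\/axios\/-\/axios-(\d+\.\d+\.\d+)\.tgz/;

// Return every in-window download of an affected axios version.
function scanBuildLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = FETCH_RE.exec(line);
    if (!m) continue;
    const [, ts, version] = m;
    const t = Date.parse(ts);
    if (AFFECTED_VERSIONS.has(version) && t >= WINDOW_START && t < WINDOW_END) {
      hits.push({ timestamp: ts, version });
    }
  }
  return hits;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// each axios entry (top-level or nested) pinned to an affected version. A pipeline
// whose lockfile pins one of these is the first place to look in the log audit.
function affectedAxiosInLockfile(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/axios$/.test(path) && AFFECTED_VERSIONS.has(meta.version)) {
      out.push({ path, version: meta.version });
    }
  }
  return out;
}

// Constructed sample inputs.
const SAMPLE_LOG = [
  "2026-03-31T01:12:03Z http fetch GET 200 https://registry.npmjs.org/axios/-/axios-1.14.1.tgz 340ms",
  "2026-03-31T01:12:03Z http fetch GET 200 https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz 120ms",
  "2026-03-31T05:40:10Z http fetch GET 200 https://registry.npmjs.org/axios/-/axios-1.14.1.tgz 301ms",
  "2026-03-31T02:05:44Z http fetch GET 200 https://registry.npmjs.org/axios/-/axios-0.30.4.tgz 290ms",
];
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.6.8" },
} };
console.log("in-window downloads:", scanBuildLog(SAMPLE_LOG));      // 2 hits; the 05:40 fetch is outside the window
console.log("affected pins:", affectedAxiosInLockfile(SAMPLE_LOCK)); // 1 entry: node_modules/axios @ 1.14.1
```

Point the log scanner at the runner's archived job output and the lockfile walker at each repository's committed `package-lock.json`; a hit in either is a trigger for the credential rotation step, not proof of compromise on its own.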