On March 31, 2026, two new npm packages for updated versions of Axios, a popular HTTP client for JavaScript that simplifies making HTTP requests to a REST endpoint with over 70 million weekly downloads, were identified as malicious. These versions (1.14.1 and 0.30.4) were injected with a malicious dependency to download payloads from known actor command and control (C2). Microsoft Threat Intelligence has attributed this infrastructure and the Axios npm compromise to Sapphire Sleet, a North Korean state actor.
Follow the instructions in the article if you think you’re affected.
There are certainly Linux developers who work with the Axios library, or at least a JavaScript package indirectly depending on it, who are also unfortunate enough to run this version. How will they even know they are compromised, other than by word of mouth? Microsoft has pushed Windows Defender heuristics to detect if a machine is compromised, apply automatic remediation steps and alert the user. There is no common equivalent Linux community response that I’m aware of.
We think of ourselves as so invulnerable and untouchable, and yet we don’t even have the mechanisms to verify whether we are, in fact, untouched. The attacks happen through trusted channels, and when they happen, it’s likely that we will never even find out they happened. How much longer until the Linux community recognizes that this mode of operation is not viable, especially when Linux becomes a bigger target with its increasing popularity?
Why do we think of ourselves as “above antimalware”?
It’s quite a similar attitude to one that many Mac users have had. It can be summed up as “security by obscurity” or “nobody uses Macs or Linux so they don’t get viruses”. Of course, especially in an age where everything is multiplatform (or at least node and python are), this is utter nonsense.
I think you are overly generalizing the Linux user base by saying “we”, especially by saying “invulnerable” and “untouchable”, because if you truly have that mindset when using any device, no matter if it’s Linux, Windows, iOS, Android, etc., you’re creating a false sense of security for yourself. We are in the age of zero trust and there are some things we just cannot prevent because of the human factor.
The Axios compromise is something that we can’t directly plan for due to the nature of supply chain attacks. This isn’t exactly a zero-day since it was pushed upstream by a trusted user’s account, but in cases like this can an anti-malware solution even help?
In my opinion, things like sandboxing your development environment or pinning your dependencies go a long way in mitigating risks like this. Supply chain attacks aren’t a new thing, but they are becoming more common. Instead of using an anti-malware solution we should start adapting our workflows to mitigate the risks of such attacks.
Edit: To add, post-compromise you are correct in asking what we have to resolve issues afterwards. I do not believe we currently have something like this for Linux.
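As an added example that is not from anyone in this thread, and not code from the Axios project or Microsoft: the two concrete actions discussed here, finding out whether a project actually installed one of the two flagged releases (1.14.1 or 0.30.4, possibly buried under some other package's own dependency) and pinning direct dependencies to the exact versions the lockfile already resolved, can both be driven from the npm lockfile. The package names and all version numbers in the sample data below are constructed; apart from the two flagged releases they say nothing about whether any real release is clean.

```javascript
// Added example (not from the thread or the Axios project): scan an npm lockfile
// for the two Axios releases the report above flags (1.14.1 and 0.30.4), report
// which dependency pulled each copy in, and pin top-level dependencies to the
// exact versions the lockfile resolved. Sample data below is constructed.

// Release versions named in the report. Nothing else is treated as affected.
const AFFECTED_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };

// Lockfile v2/v3 keys every installed package by its on-disk path, e.g.
// "node_modules/axios" or "node_modules/foo/node_modules/axios".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// The package whose nested node_modules holds this entry, or null when the
// root project installed it directly.
function parentFromPath(installPath) {
  const idx = installPath.lastIndexOf("/node_modules/");
  return idx === -1 ? null : packageNameFromPath(installPath.slice(0, idx));
}

// Walk a lockfile v1 "dependencies" tree (nested objects instead of paths).
function walkV1(deps, parent, prefix, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const installPath = `${prefix}node_modules/${name}`;
    const bad = AFFECTED_VERSIONS[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ package: name, version: entry.version, path: installPath, pulledInBy: parent });
    }
    if (entry.dependencies) walkV1(entry.dependencies, name, `${installPath}/`, hits);
  }
}

// One record per installed copy of a flagged version. An empty array means the
// lockfile holds neither release; it says nothing about the machine itself.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [installPath, entry] of Object.entries(lockfile.packages)) {
      if (installPath === "") continue; // the root project itself
      const name = packageNameFromPath(installPath);
      const bad = AFFECTED_VERSIONS[name];
      if (bad && bad.has(entry.version)) {
        hits.push({ package: name, version: entry.version, path: installPath,
                    pulledInBy: parentFromPath(installPath) });
      }
    }
  } else if (lockfile.dependencies) {
    walkV1(lockfile.dependencies, null, "", hits);
  }
  return hits;
}

// Rewrite semver ranges in package.json to the exact versions the lockfile
// resolved them to (the "pinning" mitigation), refusing to pin a flagged one.
// Lockfile v2/v3 only; the input object is not modified.
function pinToLockedVersions(packageJson, lockfile) {
  const pinned = { ...packageJson, dependencies: { ...(packageJson.dependencies || {}) } };
  for (const name of Object.keys(pinned.dependencies)) {
    const entry = (lockfile.packages || {})[`node_modules/${name}`];
    if (!entry) continue; // not resolved at top level; leave the range alone
    const bad = AFFECTED_VERSIONS[name];
    if (bad && bad.has(entry.version)) {
      throw new Error(`refusing to pin ${name} to flagged version ${entry.version}`);
    }
    pinned.dependencies[name] = entry.version;
  }
  return pinned;
}

// Constructed sample: the project ranges to axios directly, but a wrapper
// library's own range pulled the flagged 1.14.1 in underneath it.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { axios: "^1.12.0", "some-http-wrapper": "^2.0.0" },
};
const SAMPLE_LOCKFILE_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: SAMPLE_PACKAGE_JSON.dependencies },
    "node_modules/axios": { version: "1.12.0" },
    "node_modules/some-http-wrapper": { version: "2.1.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/some-http-wrapper/node_modules/axios": { version: "1.14.1" },
  },
};
// Constructed sample in the older v1 layout, with the flagged 0.x release nested.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "legacy-client": { version: "0.9.0", dependencies: { axios: { version: "0.30.4" } } },
  },
};

// Against a real lockfile: node scan-lockfile.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  for (const h of findAffected(lock)) {
    console.log(`${h.package}@${h.version} at ${h.path} (pulled in by ${h.pulledInBy || "this project"})`);
  }
}
```

The scan only answers the narrow question of whether a project's lockfile resolved one of the flagged releases; a clean lockfile does not tell you the machine was never touched, which is the gap the rest of the thread is about. Pinning from the lockfile also only freezes what was already resolved, so it is worth running the scan before the pin, as the pinning function's refusal to pin a flagged version enforces.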
The use of “we”, “invulnerable” and “untouchable” was hyperbolic. The sense remains in that a significant portion of Linux users I have spoken to have expressed that they are “safer from malware”, and I think my experience has been reflective of the Linux community as a whole.
Microsoft has implemented a response with Microsoft Defender. As far as I understand, this means that all computers running Windows will alert the user of the breach and attempt automated mitigation. And as far as I know, the desktop Linux user will not be alerted by their system. So yes, it would help the user know they’re infected.
This does not address the root of the issue. There is no perfect workflow that will prevent all attacks. System security is not perfect and it never will be. Just as you said, there are things you cannot prevent because of the human factor. So we need a way to know if security has been breached, because it’s inevitable.