By NHI Mgmt Group Editorial TeamPublished 2026-04-02Domain: Breaches & IncidentsSource: SentinelOne

TL;DR: A North Korean actor hijacked the npm credentials of the primary Axios maintainer, published two backdoored releases, and triggered 600,000 downloads in about three hours, with the first infection seen 89 seconds after publication, according to SentinelOne. Legacy token coexistence, not just modern publishing controls, created the exploit window that made the compromise effective.


At a glance

What this is: This is SentinelOne’s analysis of a March 2026 npm supply chain compromise in which stolen maintainer credentials were used to publish backdoored Axios releases carrying a cross-platform RAT.

Why it matters: It matters because identity controls for software supply chains depend on revocation, token separation, and detection speed, and this incident shows how quickly standing credential exposure can become endpoint compromise across NHI and build environments.

By the numbers:

👉 Read SentinelOne's analysis of the Axios supply chain compromise and machine-speed response


Context

The core problem is not simply package tampering. It is identity abuse in the software delivery chain, where a maintainer credential becomes the control plane for trust, publication, and downstream execution. Once an attacker controls that identity, a routine install can turn into an organisation-wide exposure event across developer workstations, CI runners, and production build systems.

This is an NHI governance problem because npm tokens, publishing workflows, and build secrets are non-human identities with real operational reach. The article shows that modern controls can coexist with legacy credentials in ways that preserve attacker access, which means lifecycle discipline, token inventory, and revocation speed are as important as provenance tooling.

The starting position here is typical of modern software supply chain environments: layered controls exist, but old authentication paths still remain active. That is the gap adversaries exploit first.


Key questions

Q: What breaks when a long-lived npm token is left active after adopting OIDC publishing?

A: The newer publishing path stops being authoritative because the fallback credential can still authenticate. That creates a hidden bypass route for anyone who steals the legacy token. The practical failure is not just weak access control, but incomplete lifecycle closure, where a retired credential remains able to publish packages and override the intended identity flow.

Q: Why do supply chain compromises of developer tools create such a large identity risk?

A: Developer tools often sit on top of the most sensitive non-human identities in the environment. They can reach cloud keys, CI secrets, SSH keys, signing material, and deployment credentials. When a package install executes malicious code, the attacker inherits that credential-rich environment and can pivot well beyond the original host.

Q: What do security teams get wrong about package provenance and trusted publishing?

A: They often assume provenance replaces older authentication paths automatically. It does not. If a legacy token, secret, or key remains valid, the attacker can use that path even when provenance controls exist. The control failure is leaving old and new trust models active at the same time.

Q: Who is accountable when a compromised maintainer credential exposes downstream environments?

A: Accountability sits with the teams that own token lifecycle, publishing policy, and secrets governance, not just with the maintainer whose identity was stolen. In practice, this spans platform engineering, security architecture, and application owners because the attack abuses organisational trust in the software delivery chain.


Technical breakdown

Why legacy npm tokens still bypass newer publishing controls

The article shows an architectural collision between OIDC Trusted Publishing and a long-lived npm access token. When both exist, token-based authentication can take priority, allowing an attacker who steals the legacy token to bypass the newer federated path entirely. This is not a failure of federation itself. It is a lifecycle failure caused by coexistence: the old credential was never removed, so the newer control became optional rather than authoritative. In identity terms, the dangerous state is not just weak authentication. It is parallel authentication paths with different trust assumptions and no hard deprecation boundary.

Practical implication: inventory every publishing path and remove fallback tokens that can supersede the intended control plane.

How postinstall hooks turn package installs into remote execution

The malicious dependency used an npm postinstall hook, which runs automatically during installation. That mechanism matters because it converts package acquisition into code execution without user interaction. The attacker did not need a second click or a separate exploit chain. The install event itself was the trigger. In supply chain terms, the package manager becomes the execution environment, and a dependency graph becomes a delivery vector. That is why software provenance alone is insufficient if scripts are allowed to execute blindly at install time.

Practical implication: restrict script execution in build pipelines and treat dependency installation as an execution step, not a passive download.

How the RAT converted endpoint access into credential harvesting

The payload was a cross-platform remote access trojan designed to execute on Windows, macOS, and Linux, then harvest credentials reachable from the compromised endpoint. The article names npm tokens, SSH keys, CI/CD secrets, cloud provider keys, and API tokens as target material. That is the core NHI pattern: once one developer or build identity is compromised, the attacker seeks adjacent non-human identities rather than stopping at the initial host. The blast radius expands because endpoints often hold the very credentials needed to move into production systems.

Practical implication: model developer endpoints as credential-rich assets and scope them into the same identity and response controls as production systems.


Threat narrative

Attacker objective: The attacker aimed to gain durable access to downstream credentials and developer environments so they could pivot from package trust abuse into broader environment compromise.

  1. Entry began with compromise of maintainer credentials and publication of backdoored npm releases that looked routine to downstream users.
  2. Escalation occurred when the malicious package used a postinstall hook to execute a cross-platform RAT and harvest credentials reachable from infected endpoints.
  3. Impact followed as the malware spread through normal installs, exposing secrets, build systems, and cloud access paths across Windows, macOS, and Linux environments.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity trust in software supply chains is now a standing NHI governance problem, not a release-management issue. The attacker did not need to break cryptography or defeat federated authentication at scale. They needed a valid maintainer identity with a legacy token that still outranked the intended publishing path. That means software release governance must be treated as identity lifecycle governance, where revocation, deprecation, and token precedence are first-class controls. Practitioners should stop treating package publishing as an isolated developer workflow and start treating it as privileged non-human identity management.

Legacy credential coexistence is the exploit condition this attack depended on. OIDC Trusted Publishing was present, but the old token remained usable, so the newer control did not actually replace the older one. This is the exact failure mode that NHI programmes miss when they focus on adding controls instead of removing obsolete ones. The implication is simple: if an old credential can still authenticate, the lifecycle was never closed.

Machine-speed compromise breaks human response assumptions. When the first infection arrives in 89 seconds, access review cadences, ticket queues, and manual containment steps are already behind. The issue is not that teams lack alerts. It is that their governance model assumes a usable response window that no longer exists. Security teams should re-evaluate which identities can trigger execution without human intervention and which response actions must be automated to match attacker speed.

Identity blast radius: a single trusted maintainer credential can expose build systems, cloud keys, signing material, and downstream deployment paths in one event. That blast radius is created by the intersection of repository trust, endpoint access, and credential reuse. The practical conclusion is that practitioners need to govern the whole trust chain, not just the token at the top of it.

Developer environments are now critical identity infrastructure. The article correctly points out that workstation and CI runner telemetry matter because these systems sit inside the credential path, not outside it. For identity governance, that means endpoint scope, token scope, and secrets scope have to be reviewed together. Teams that still classify developer assets as secondary systems are underestimating the attack surface.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For the wider breach pattern, see 52 NHI Breaches Analysis for how credential exposure and overprivilege turn into repeatable intrusion paths.

What this signals

Legacy token coexistence is the signal to watch. This incident shows that modern federation does not neutralise older credentials if they remain usable. Security teams should expect more attacks that target the gap between migration success and retirement failure, especially where CI/CD and publishing workflows still preserve fallback access paths.

Developer workstations and build runners should now be treated as tier-one identity assets because they can expose more than a single project token. That is why the operational conversation has to move from package safety to credential scope, endpoint containment, and release-path governance together.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the blast radius from a single package compromise is structurally larger than many teams model, according to the Ultimate Guide to NHIs. The next step is to map where those secrets can be reached from developer endpoints before the next three-minute window opens.


For practitioners

  • Remove legacy publishing tokens immediately Inventory every npm, CI/CD, and repository credential that can still publish or sign releases. Revoke fallback tokens once OIDC or another intended path is in place so a stolen legacy credential cannot override the newer control.
  • Treat package installation as execution Disable or tightly limit postinstall script execution in build pipelines, especially where external dependencies are introduced. Use pinned versions, audited lockfiles, and controlled install commands in CI so dependency fetches do not become blind execution events.
  • Scope developer endpoints as credential-bearing assets Include developer workstations and CI runners in the same secrets and identity review processes used for production systems. These hosts commonly reach SSH keys, cloud provider credentials, API tokens, and signing material, which makes them high-value targets.
  • Build containment around install-time compromise Prepare a response playbook that assumes normal npm install activity can be the compromise point. That means isolating affected hosts, rotating any reachable secrets, and revalidating lockfiles and package artifacts immediately after detection.
  • Verify detection at machine speed Ensure endpoint telemetry, threat hunting, and blocklists can react before a malicious package has time to propagate. The article shows that the first infection can occur in seconds, so containment cannot depend on human ticketing cycles.

Key takeaways

  • This compromise worked because a valid maintainer identity still had a usable legacy credential, which left a hidden bypass route behind the newer publishing control.
  • The scale was operationally serious, with roughly 600,000 downloads and infection observed in 89 seconds, which is faster than manual response can reliably handle.
  • The limiting control is lifecycle closure, not just provenance, because obsolete tokens and endpoint-reachable secrets turn one package incident into a broader identity event.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Legacy tokens and excess privilege are central to this supply chain compromise.
MITRE ATT&CKTA0006 , Credential Access; TA0002 , ExecutionThe attack harvested credentials and used install-time execution to deploy malware.
NIST CSF 2.0PR.AC-4Least-privilege access and entitlement scope are central to the blast-radius problem here.
NIST SP 800-53 Rev 5IA-5Authenticator management governs the rotation and retirement of legacy tokens.
NIST Zero Trust (SP 800-207)The article shows why trust paths must be continuously verified across build and endpoint layers.

Track install-time scripts and credential theft against ATT&CK and prioritize detection on developer endpoints.


Key terms

  • Legacy publishing token: A long-lived authentication credential used to publish or manage packages in a repository. In NHI governance, the risk is not only theft but persistence, because an unrevised token can remain valid after newer controls are added and can bypass the intended identity path.
  • Postinstall hook: A package script that runs automatically during installation. In supply chain attacks, it converts dependency installation into code execution, which means the package manager becomes part of the execution boundary and not just the distribution channel.
  • Identity blast radius: The set of systems, secrets, and downstream paths an identity can reach if compromised. For non-human identities, this often expands faster than teams expect because one token can expose build systems, cloud credentials, signing keys, and adjacent automation.
  • Trusted publishing: A federated publishing model that replaces static credentials with short-lived, verified identity assertions. Its value depends on removing older credentials completely, otherwise the old path can remain a stronger or easier authentication route than the intended one.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step containment guidance for Axios-related artifacts across Windows, macOS, Linux, and CI runners
  • Detailed indicator lists, including DNS, IP, file paths, and package hashes used for hunting
  • Exact console queries and Storyline review steps for environment-specific triage
  • The full credential rotation checklist for npm, SSH, CI/CD, cloud, and signing material

👉 SentinelOne's full post covers the attack chain, hunting indicators, and containment steps in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org