For a few hours this week, one of the internet’s most common building blocks turned into a malware delivery system. Attackers slipped a malicious dependency into Axios, a JavaScript library downloaded tens of millions of times a week, and anyone pulling the wrong version could have installed a remote access trojan without realizing it.
It sounds like a niche developer story, until you remember how much of the modern climate economy runs on code. From solar installers scheduling crews to utilities balancing the grid during intense summer heat, the same software supply chain sits underneath it all.
A three-hour window with a long tail
Google’s Threat Intelligence Group says the poisoned Axios releases were available for roughly three hours before being removed. That is plenty of time for automated build systems to pull updates while everyone is asleep.
The affected versions were 1.14.1 and 0.30.4, and both pulled in a malicious package named plain-crypto-js. Microsoft warns that install-time code execution and auto-updates can push the compromise beyond a single laptop and into CI systems.
What was actually compromised
This was not a flaw in Axios’s normal features. Researchers say the attackers inserted a dependency that runs during installation through a postinstall script, so an app can behave normally while secrets leak in the background.
Google describes the payload as a dropper that deploys the WAVESHAPER.V2 backdoor, while Microsoft links the infrastructure to a North Korean state actor it tracks as Sapphire Sleet. The labels differ but the direction of travel is the same: both investigations point to a North Korea nexus hunting credentials and persistent access.
Crypto theft is the business model
North Korea’s digital theft has a military and defense shadow. The FBI said North Korea was responsible for a roughly $1.5 billion virtual asset theft from the crypto exchange Bybit in February 2025, and U.S. officials have long warned these proceeds help sustain weapons programs.
Chainalysis estimates North Korea-linked hackers stole about $2.02 billion in cryptocurrency in 2025, a jump that suggests fewer attacks can still mean larger payouts. If that money trail is the motive, supply chain attacks on widely used developer tools are an efficient way to scale.

The environmental connection is closer than it looks
Clean tech and conservation projects use the same cloud stacks, web dashboards, and open-source dependencies as everyone else. Energy companies are already under sustained cyber pressure, with Sophos reporting 67% of energy, oil, gas, and utilities organizations were hit by ransomware in 2024 and average recovery costs around $3.12 million.
Then there is the crypto angle. Bitcoin’s electricity use is large enough that Cambridge runs a dedicated electricity consumption index, and the steady churn of theft and laundering keeps criminal attention locked on a sector with real energy and climate tradeoffs.
What businesses should do next
Start with a simple check. Google and Microsoft both urge organizations to identify whether Axios 1.14.1 or 0.30.4 was installed anywhere, downgrade to known safe versions, and rotate secrets immediately if exposure is possible.
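One way to run that check against a project's npm lockfile, as an added example that is not code from Google, Microsoft or the Axios project. The function names and the sample lockfile are constructed for illustration; the package name and the two version numbers are the ones reported above.

```javascript
// Added example (not vendor code): scan a parsed package-lock.json for the
// releases named in this article. Input is JSON.parse() of the lockfile text.
const AFFECTED = new Map([["axios", ["1.14.1", "0.30.4"]]]); // from the article
const MALICIOUS = ["plain-crypto-js"];                       // any version is a finding

function check(name, version, where, out) {
  if (MALICIOUS.includes(name)) {
    out.push({ name, version, where, reason: "malicious package" });
  } else if ((AFFECTED.get(name) || []).includes(version)) {
    out.push({ name, version, where, reason: "affected version" });
  }
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, path, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    check(name, info.version, `${path}/${name}`, out);
    walkV1(info.dependencies, `${path}/${name}`, out);
  }
}

function scanLockfile(lock) {
  const out = [];
  if (!lock.packages) { walkV1(lock.dependencies, "", out); return out; }
  // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
  const marker = "node_modules/";
  for (const [path, info] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const i = path.lastIndexOf(marker);
    // Transitive copies live at nested paths, so take the last path segment.
    const name = info.name || (i >= 0 ? path.slice(i + marker.length) : path);
    check(name, info.version, path, out);
  }
  return out;
}

// Constructed sample lockfile; the plain-crypto-js version is a placeholder.
const SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/other/node_modules/axios": { version: "0.30.3" }, // not listed
  },
};

for (const f of scanLockfile(SAMPLE)) {
  console.log(`${f.reason}: ${f.name}@${f.version} at ${f.where}`);
}
```

A lockfile only records the current resolution, so a clean result does not show that a build machine never installed one of these versions during the exposure window; build logs and package caches need the same check.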
After the urgent cleanup, treat software ingredients like supply chain essentials, not trivia. NIST describes an SBOM as a formal record of software components and their relationships, and that kind of visibility matters even more as open source consumption hits machine scale.
The bigger lesson for open source and AI coding
Sonatype says open source downloads across major registries reached 9.8 trillion in 2025 and it tracks more than 1.2 million malicious packages. That is the backdrop for why “just review the code” mostly no longer works.
AI-assisted development adds another twist. Sonatype cites IDC research indicating developers accept an average of 39% of AI-generated code without revision, which can turn bad dependency choices into fast-moving defaults.
At the end of the day, the Axios incident is a reminder that the energy transition inherits the internet’s trust problems. If the tools that move data can be quietly subverted, the impact will not stay on a developer screen; it can show up when systems fail and the electric bill spikes.
The official statement was published on the Microsoft Security Blog.











