North Korea Poisoned One of the Internet’s Most Popular Code Libraries. Here’s Why It Didn’t Affect Us

by Gurneet Kaur

On March 31, 2026, a serious attack quietly unfolded across the global software supply chain. Hackers linked to North Korea’s Sapphire Sleet operation compromised the npm account of the lead maintainer of Axios — one of the most widely used JavaScript libraries on the internet, with nearly 100 million weekly downloads — and published two poisoned versions that installed malicious software on any system that ran a routine update.

Within hours, security firms were tracking infected systems across the globe. Associations and AMC partners reached out to us, understandably concerned about their exposure. Our answer was immediate and confident: we were not affected, and neither were they.

That’s not luck. It’s the result of deliberate choices we’ve made in how Empowered Margins is built.

What Actually Happened

The attack was surgical. Hackers spent months running a sophisticated social engineering campaign targeting the lead maintainer of Axios before finally gaining access to his npm publishing credentials. Once in, they moved fast.

At 00:21 UTC, two poisoned versions, axios@1.14.1 and axios@0.30.4, were published and carried npm's "latest" and "legacy" dist-tags. That single detail mattered enormously: "latest" is what a plain npm install resolves to, and any developer, server, or automated pipeline whose version range admitted those releases would pull the backdoor on its next install or update without a single warning.

Within 89 seconds of publication, the first infected system was already phoning home to attacker-controlled servers. CI/CD pipelines — the automated systems that build and deploy software — were compromised before most organizations even started their workday. By the time security researchers publicly flagged the attack around 03:15 UTC, roughly three hours had passed. The window was enough. Remote Access Trojans had been deployed across Windows, macOS, and Linux environments worldwide.

By April 1, Google and Microsoft attributed the attack to North Korean state-sponsored actors. It was called one of the largest npm supply chain attacks in history.

Why This Couldn’t Touch Us

Axios is a JavaScript library. It lives in the Node.js ecosystem and is distributed through npm, JavaScript's package manager. The attack worked because npm runs lifecycle scripts: a package can declare preinstall, install, or postinstall commands in its package.json, and npm executes them automatically the moment the package is installed, with no extra step and no confirmation, unless the install is run with --ignore-scripts. That is the mechanism the malware used to execute on every machine that installed the poisoned versions.

Empowered Margins is built on PHP. For HTTP requests, which is how our platform communicates with APIs and third-party integrations, we use Guzzle, the standard HTTP client in the PHP ecosystem. Guzzle is installed through Composer, PHP's entirely separate package manager, from Packagist rather than from the npm registry. Composer has install-time scripts of its own (post-install-cmd, post-update-cmd and similar), but it runs only the ones declared in the root project's composer.json and ignores any declared by a dependency; the only way a dependency can run code during installation is as a Composer plugin, and since Composer 2.2 plugins are refused unless they are explicitly listed under config.allow-plugins. There is no shared registry, no shared toolchain, and no way for a compromised npm publish to change what Composer installs.

This wasn’t a near miss. The attack had no path into our system. Asking whether our platform was vulnerable to the Axios attack is a little like asking whether your car was affected by a train derailment — different tracks entirely.

But more importantly: this wasn't accidental. We made a deliberate choice to build on a stack that limits implicit trust and automatic execution. Composer does not let a dependency run code just because it was installed; library code runs when our application calls it, and only the packages and versions recorded in composer.lock are installed. That narrows the install-time attack surface, but it does not replace diligence: a malicious Composer release would still execute when the application used it, which is why we review what we introduce rather than relying on install-time safety alone. That philosophy, controlled execution, explicit dependencies, and minimal implicit trust, is baked into how Empowered Margins is built from the ground up.

Why Your Concern Was Completely Valid

If you called us during this incident worried about your exposure, you were right to do so. The anxiety was legitimate.

Axios is, for most organizations, what's known as a transitive dependency: a library they never chose, present because some other tool they rely on depends on it underneath. It shows up inside CMS platforms, member portals, event management tools, email marketing integrations, and countless SaaS products built on JavaScript backends. If your association technology stack touches Node.js or npm in any way, even indirectly, this required serious investigation.

The right response for many organizations was exactly what they did: call their vendors, audit their lock files (npm ls axios lists every installed copy of the package and which dependency pulled it in), review network traffic logs from the publication window, and rotate any credentials that may have passed through compromised build environments. That kind of diligence isn't paranoia. It's responsible governance.
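As an added example (not code from the original post and not Empowered Margins' own tooling), the following Node.js script performs the lockfile part of that audit offline. It walks a package-lock.json in lockfileVersion 2 or 3 format, where every installed package is keyed by its node_modules path, finds every copy of a package including nested transitive copies, checks them against the two versions named above, and lists packages whose entry carries hasInstallScript, the flag npm records for packages that declare a preinstall, install, or postinstall script. The lockfile embedded in the script is constructed for the example, as are the package names in it; on a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

```javascript
// Added example, not from the original post or from Empowered Margins.
// Scans an npm package-lock.json (lockfileVersion 2 or 3) for the poisoned
// axios versions named in the article, including nested transitive copies,
// and lists packages that npm would run install-time scripts for.

// Versions named in the article. Adjust for other advisories.
const AFFECTED = { axios: new Set(["1.14.1", "0.30.4"]) };

// Constructed sample lockfile (not real project data). Lockfile v2/v3 keys
// every installed package by its node_modules path; a nested path such as
// node_modules/legacy-widget/node_modules/axios is a second, transitive copy.
// npm sets hasInstallScript on entries whose package.json declares a
// preinstall, install, or postinstall script.
const SAMPLE_LOCK = {
  name: "member-portal",
  lockfileVersion: 3,
  packages: {
    "": { name: "member-portal", dependencies: { "some-sdk": "^2.0.0", "legacy-widget": "^1.0.0" } },
    "node_modules/some-sdk": { version: "2.3.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", hasInstallScript: true },
    "node_modules/legacy-widget": { version: "1.0.0", dependencies: { axios: "^0.29.0" } },
    "node_modules/legacy-widget/node_modules/axios": { version: "0.29.0" },
  },
};

// Package name from a lockfile path: the part after the last "node_modules/".
// Works for scoped packages too ("node_modules/@scope/name" -> "@scope/name").
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Every installed copy of `name`, wherever it sits in the tree.
function findInstalled(lock, name) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    if (packageNameFromPath(lockPath) === name) {
      hits.push({ path: lockPath, version: meta.version });
    }
  }
  return hits;
}

// Installed copies whose version is on the affected list.
function affectedInstalled(lock, affected = AFFECTED) {
  const out = [];
  for (const [name, versions] of Object.entries(affected)) {
    for (const hit of findInstalled(lock, name)) {
      if (versions.has(hit.version)) out.push(hit);
    }
  }
  return out;
}

// Lockfile paths of packages that would run a script during npm install.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([lockPath, meta]) => lockPath !== "" && meta.hasInstallScript === true)
    .map(([lockPath]) => lockPath);
}

// Stand-alone run against the constructed lockfile.
console.log("axios copies:", findInstalled(SAMPLE_LOCK, "axios"));
console.log("affected versions installed:", affectedInstalled(SAMPLE_LOCK));
console.log("packages with install scripts:", packagesWithInstallScripts(SAMPLE_LOCK));
```

On the constructed lockfile the script reports two copies of axios, flags only the top-level 1.14.1 copy as affected, and lists node_modules/axios as the one package that would execute a script at install time. Two caveats for real use: the hasInstallScript flag is only as current as the lockfile, so regenerate it with npm install before trusting it, and the flag tells you a script exists, not what it does. For CI systems that build untrusted dependency trees, running npm ci with --ignore-scripts (or npm config set ignore-scripts true) removes the install-time execution path entirely, at the cost of packages that genuinely need a build step.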

For organizations running on Empowered Margins, that investigation reached its conclusion the moment you asked us. Our platform does not participate in the npm registry in any capacity. Your member data, financial records, event registrations, and integrations were never at risk from this event.

How EM Is Built to Protect You – Beyond This Incident

The Axios attack is a sharp illustration of something we think about constantly: your security posture isn’t just shaped by your own decisions. It’s shaped by every technology choice your vendors make, whether you’re aware of them or not.

Here’s how those choices show up in how Empowered Margins is built:

We choose ecosystems deliberately: PHP and Composer give us a mature, stable, and well-understood dependency environment. We’re not chasing the newest JavaScript frameworks. We’re building on a foundation where supply chain behavior is predictable and controlled.

We stay ahead of incidents like this: When the Axios story broke, we weren’t scrambling to understand our exposure. We already knew. That’s the goal — not reactive patching after an incident, but architectural decisions that make entire categories of attacks irrelevant before they happen.

We limit implicit trust: Install-time scripts, automatic updates, and silent package execution are conveniences that come with real risk. Our stack avoids these patterns for critical components. Things run because we explicitly tell them to, not because a third-party package decided to.

We treat dependencies as a security surface: Every library we bring in is a potential entry point. We keep our dependency footprint lean, review what we introduce, and don’t assume that because something is popular, it’s safe. Axios had 100 million weekly downloads. That didn’t protect it.

The Bottom Line

This was not a close call we narrowly escaped. It was an attack that targeted a completely different ecosystem — one we intentionally avoid for critical components. That’s not a coincidence. It reflects a philosophy about how software for associations and AMCs should be built: carefully, deliberately, and with a clear understanding of where risk lives.

Your members trust you with their data. You should be able to trust that your platform vendor thought hard about protecting it — long before any attacker came looking.

Questions About Your Platform’s Security Posture?

We’re always happy to walk association executives and AMC teams through how our technology choices protect your organization — not just from this incident, but from the next one.

Talk to the EM team →