Record Data Breaches in NC Spur Warning Over Malicious Axios Updates

North Carolina recorded 2,349 data breaches in 2025, the highest total ever for the state. This exposed the personal information of nearly 9.3 million North Carolinians.

On March 31, threat actors published compromised versions of the Axios JavaScript library. Axios is a popular open-source tool used for making HTTP requests in web browsers and Node.js applications, found in millions of websites and internal tools. These malicious updates could install malware on any system that downloaded them.

Organizations using Axios for web development or internal systems face immediate risk. Successful exploitation could lead to data exfiltration, system compromise, or further network penetration. The scale of the 2025 breaches underscores the existing vulnerability landscape across the state.

Under North Carolina law, any business confirming access to personal information during an incident must notify affected individuals and report the breach to the Department of Justice's Consumer Protection Division.

### What Defenders Should Do

Businesses should immediately audit their systems for Axios installations. Verify that only trusted, legitimate versions of the library are in use. Isolate any systems found with compromised updates to prevent further infection.

Review system logs for suspicious activity, including unexpected network connections or file modifications. Revoke and reissue any credentials or access tokens that may have been exposed on affected systems. Consider rebuilding systems from clean backups if a compromise is confirmed.

Maintain current security patches across all software and systems. Implement robust supply chain security practices to validate third-party code. Train employees to identify and report suspicious communications, as phishing often initiates such attacks.

The ongoing rise in cyber threats mandates continuous vigilance and proactive security measures for both organizations and individuals across North Carolina.