axios npm supply chain compromise · Issue #10636 · axios/axios · GitHub

Popular npm Package Axios Compromised: Millions of Users at Risk as Malicious Versions Spread Malware

In a shocking security breach that has sent ripples through the entire software development community, the widely-used JavaScript HTTP client library axios has been compromised, exposing millions of developers and their applications to serious security risks. The incident, which occurred on March 31, 2026, involved the publication of two malicious versions of axios that contained hidden malware capable of installing remote access trojans on Windows, macOS, and Linux systems.

The breach was discovered when security researchers noticed unusual activity in the npm registry, where the malicious versions 1.14.1 and 0.30.4 were published through a compromised maintainer account. These versions contained a hidden dependency called “[email protected]” that silently installed a remote access trojan (RAT) on systems where the package was installed or updated during the critical window between 12:21 AM and 3:15 AM UTC on March 31.

The Scale of the Threat

Axios is one of the most popular npm packages, with over 100 million weekly downloads and an estimated 28 million websites using it. This makes it a critical dependency for countless applications, from small personal projects to major enterprise systems. The compromise of such a widely-used package represents one of the most significant supply chain attacks in recent memory.

The malicious versions were live for approximately three hours before being detected and removed by the npm security team. During this time, any developer who ran a fresh installation or update of axios within this timeframe could have unknowingly installed the malware on their system.

How to Check if You’re Affected

Developers are urged to immediately check their projects for the compromised versions using this command:

```bash
grep -E "axios@(1\.14\.1|0\.30\.4)|plain-crypto-js" package-lock.json yarn.lock 2>/dev/null
```

If any results are returned, your system is likely compromised and requires immediate action. The recommended steps include:

  1. Downgrade to [email protected] (or 0.30.3 for 0.x users)
  2. Delete the node_modules/plain-crypto-js/ directory
  3. Rotate all secrets, tokens, and credentials on affected machines
  4. Check network logs for connections to suspicious domains
  5. If this occurred on a CI/CD runner, rotate any secrets used during the affected build

The Attack Vector: Social Engineering and Account Compromise

According to the official incident report, the attacker gained access to the lead maintainer’s PC through a sophisticated social engineering campaign combined with RAT malware. This gave them control over the npm account credentials, which they used to publish the malicious versions.

The attack followed patterns similar to other high-profile supply chain attacks targeting open source maintainers. The timeline reveals a carefully planned operation:

  • Approximately two weeks before the attack: Social engineering campaign initiated
  • March 30, 5:57 AM UTC: [email protected] published as a precursor
  • March 31, 12:21 AM UTC: [email protected] published with malicious payload
  • March 31, 1:00 AM UTC: [email protected] published with same payload
  • March 31, 1:38 AM UTC: Community members detect and report the compromise
  • March 31, 3:15 AM UTC: Malicious versions removed from npm

Immediate Response and Ongoing Investigation

The npm security team acted swiftly to remove the malicious versions and the plain-crypto-js package from the registry. The axios team has implemented emergency security measures, including a complete wipe of all lead maintainer devices and resetting of all credentials across all platforms.

The incident has prompted a comprehensive review of security practices, with several key improvements being implemented:

  • Immutable release setup to prevent unauthorized modifications
  • Adoption of OIDC (OpenID Connect) flow for publishing
  • Enhanced security posture across all maintainer accounts
  • Updated GitHub Actions following security best practices

The Broader Implications for Open Source Security

This incident highlights the critical vulnerabilities in the open source software supply chain. When a widely-used package like axios is compromised, the potential impact extends far beyond the immediate users to affect countless downstream applications and services.

The attack demonstrates that open source maintainers have become prime targets for sophisticated threat actors. The combination of social engineering, account compromise, and malicious package publication represents a multi-stage attack that exploited both human and technical vulnerabilities.

Community Response and Industry Impact

The swift detection by community members and the rapid response from npm and the axios team helped limit the damage. However, the incident has raised serious questions about the security practices surrounding npm packages and the broader open source ecosystem.

Security experts are calling for more robust authentication mechanisms, better monitoring of package publishing activities, and improved incident response procedures. The incident also underscores the importance of dependency management and the need for organizations to implement comprehensive software supply chain security measures.

Moving Forward: Lessons Learned and Future Prevention

The axios team has committed to implementing enhanced security measures to prevent future incidents. These include:

  • Multi-factor authentication for all maintainer accounts
  • Improved monitoring and alerting for suspicious package activities
  • Regular security audits and penetration testing
  • Better separation of duties and access controls
  • Enhanced community reporting mechanisms for suspicious activities

The incident serves as a wake-up call for the entire software development industry about the importance of supply chain security. Organizations are now reevaluating their dependency management practices and implementing more stringent security controls around third-party packages.

Conclusion: A Watershed Moment for Software Security

The axios compromise represents a watershed moment in software supply chain security. It demonstrates that even the most popular and trusted packages can be vulnerable to sophisticated attacks, and that the entire ecosystem must work together to address these emerging threats.

As the investigation continues and security improvements are implemented, the incident will likely lead to significant changes in how open source packages are maintained, published, and monitored. The software development community must now grapple with the reality that supply chain attacks are becoming increasingly sophisticated and that traditional security measures may no longer be sufficient.

For developers and organizations using axios, the immediate priority is to check for and remediate any affected installations. Beyond that, this incident should serve as a catalyst for implementing more comprehensive security practices across all aspects of software development and deployment.

Tags: #axios #npm #security #supplychainattack #malware #javascript #webdevelopment #cybersecurity #opensource #softwaresecurity
