Axios: Malicious Versions of axios Discovered on npm

axios — IN news


In a significant security breach, two malicious versions of axios, a widely used JavaScript HTTP client library, were published on npm on March 31, 2026. The versions, v1.14.1 and v0.30.4, were live for approximately 2 hours 53 minutes and 2 hours 15 minutes, respectively, before being removed shortly after discovery.

The attack was executed using compromised credentials of a lead axios maintainer, who had their account email changed to an anonymous ProtonMail address. This breach allowed the attacker to inject a malicious package, plain-crypto-js@4.2.1, as a dependency, which was designed to evade detection by appearing legitimate.

According to reports, the attack was pre-staged for roughly 18 hours before the malicious versions were published. During this time, the attacker prepared a cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux environments. The RAT dropper executes a postinstall script that contacts a command-and-control server, potentially compromising user systems.

With over 100 million weekly downloads, axios is a critical component in many software projects, and approximately 80% of cloud and code environments use it. The implications of this attack are severe: execution of the malicious code was observed in 3% of affected environments.

The attack was detected by StepSecurity AI Package Analyst and StepSecurity Harden-Runner, highlighting the importance of security tools in identifying such threats. “This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” a security expert noted, emphasizing the attack’s complexity and potential impact.

Organizations are now being urged to audit their environments for any potential execution of these malicious versions. “There are zero lines of malicious code inside axios itself, and that’s exactly what makes this attack so dangerous,” another expert stated, underlining the challenge of securing software supply chains.

As the situation develops, further investigations are underway to assess the full extent of the compromise and to implement measures to prevent similar incidents in the future. Details remain unconfirmed regarding the total number of affected users and systems, but the urgency for heightened security measures is clear.