Axios npm Package Compromised - Malware Deployed via Update
In short: attackers took over a popular package to spread malware.
A recent attack compromised the Axios npm package, allowing malware to be deployed. Users on macOS, Windows, and Linux are at risk. Updating immediately to trusted versions is crucial to ensure security.
What Happened
On March 30, 2026, a significant supply chain security attack targeted the Axios npm package, a widely used JavaScript HTTP client. This attack was initiated after the apparent takeover of a legitimate maintainer account. Unauthorized updates were published for Axios versions 1.14.1 and 0.30.4 on the npm registry, introducing a malicious dependency that executes during installation. This malicious code deploys a cross-platform remote access trojan (RAT) that communicates with a command and control (C2) server.
The malware is designed to retrieve platform-specific second-stage payloads after execution. It also attempts to erase installation artifacts and replace its own package metadata with a clean version, making it harder for forensic teams to detect the compromise. This stealthy behavior raises significant concerns for developers and organizations relying on the Axios package for their applications.
Who's Being Targeted
The attack has a broad impact, affecting systems running macOS, Windows, and Linux. Early detection by Sophos customer telemetry indicated that the malicious activity began around 00:45 UTC on March 31, with widespread effects observed shortly after. Although the malware has been deployed, there is currently no evidence of follow-on activity from the threat actors, which may suggest a controlled operation.
Organizations using Axios are particularly at risk, especially those that have not updated their packages recently. The ease of installation and integration of npm packages makes this an attractive vector for attackers, highlighting the importance of supply chain security in software development.
Signs of Infection
Organizations should be vigilant for signs of infection related to the compromised Axios packages. Indicators of compromise include unusual activity in system and application logs, especially around the installation of Axios versions 1.14.1 and 0.30.4. The malware's behavior includes establishing communication with a C2 server and executing unauthorized commands on infected systems.
Sophos has identified several threat indicators related to this attack, including specific hashes for the malicious Axios versions and the payloads deployed. Users should be cautious about any unexpected changes in their environments, particularly if they have recently installed or updated Axios packages.
How to Protect Yourself
To mitigate the risks associated with this attack, organizations should take immediate action. First, review every Axios package in your environments to determine whether a compromised version is installed. If one is, update to a trusted version or apply the necessary mitigations to secure your systems.
Additionally, it is crucial to monitor system and application logs for any unusual activity that may indicate a compromise. Implementing robust security measures, such as endpoint protection and regular audits of third-party packages, can help safeguard against similar supply chain attacks in the future. As the threat landscape evolves, staying informed and proactive is key to maintaining security.