Supply Chain Attack - Axios npm Package Compromised

In short: attackers hijacked a maintainer account for a popular software library and used it to spread malware.
A major supply chain attack targeted the Axios npm package, affecting millions of applications. Malicious versions were published, risking user data and system integrity. Organizations must act quickly to mitigate the impact and secure their environments.
What Happened
On March 31, 2026, the Axios npm package, a popular JavaScript library for making HTTP(S) requests, was compromised in a supply chain attack. Between approximately 00:21 and 03:30 UTC, malicious versions (axios@1.14.1 and axios@0.30.4) were published using a compromised maintainer account. These versions included a hidden dependency, plain-crypto-js@4.2.1, which contained a postinstall script functioning as a cross-platform remote access trojan (RAT).
Once installed, the script executed automatically, connecting to a command-and-control server to deploy malicious payloads on various operating systems, including macOS, Windows, and Linux. The threat actor had pre-staged the attack by creating a throwaway npm account and publishing a decoy package, plain-crypto-js@4.2.0, to lend credibility to their malicious versions. The malicious Axios versions were available for about three hours before being removed by npm.
Who's Affected
The impact of this attack is significant due to the widespread use of Axios. It's included as a dependency in millions of applications, meaning many organizations could unknowingly pull these malicious versions into their environments. This risk extends beyond those who directly installed Axios; any application relying on the compromised versions could also be affected, leading to a broader downstream risk across the JavaScript ecosystem.
Organizations that utilize npm packages in their CI/CD pipelines are especially vulnerable, as they may have automatically integrated the malicious Axios versions during the attack window. This incident highlights the critical need for vigilance in managing software dependencies.
Tactics & Techniques
The attack employed several tactics to ensure its success:
- Compromised Account: The attacker used a legitimate maintainer's account to publish malicious packages, making detection more challenging.
- Decoy Package: By publishing a benign-looking package first, the attacker established trust before releasing the malicious versions.
- Silent Execution: The postinstall script executed without user consent, allowing the RAT to operate undetected.
These tactics underscore the evolving nature of supply chain attacks, where attackers exploit trust relationships within software ecosystems.
Defensive Measures
To protect against such supply chain attacks, organizations should take immediate actions:
- Revert to Safe Versions: Users should revert Axios to known safe versions: axios@1.14.0 for 1.x users or axios@0.30.3 for 0.x users. This is crucial if any of the impacted versions were installed during the attack window.
- Clear Caches and Lockfiles: Organizations should clear any caches, lockfiles, and CI/CD artifacts that may have pulled the malicious versions. Reinstalling dependencies in a clean environment is essential for preventing lingering compromises.
- Rotate Exposed Credentials: Any credentials that may have been exposed during the compromise should be considered at risk. Rotate repository secrets, API keys, and any other credentials used in the affected environments.
Additionally, implementing proactive npm security measures can help mitigate future risks. Enforcing a quarantine period for new package versions and limiting script execution in CI/CD environments can significantly reduce the likelihood of falling victim to similar attacks.
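As an added example (not part of the original advisory), the following Node.js script checks a package-lock.json for the indicators named above and reports each hit so a CI job can fail before the clean reinstall. It assumes the lockfile shapes npm writes today (v1 nested `dependencies`, v2/v3 flat `packages`); the sample lockfile embedded at the bottom is constructed for the demo.

```javascript
// Added example, not from the advisory. Usage: node check-lock.js [package-lock.json]
// With no argument it scans the constructed SAMPLE_LOCK below.

// Indicators from the advisory: the two malicious axios releases and the
// attacker-published dependency (4.2.1 carried the RAT, 4.2.0 was the decoy).
const BAD_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
const BAD_PACKAGES = new Set(['plain-crypto-js']);

// Package name is whatever follows the last "node_modules/" in a v2/v3 path
// (handles nested installs and scoped packages such as node_modules/@scope/name).
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

function classify(name, version) {
  if (BAD_PACKAGES.has(name)) return `attacker-published package ${name}@${version}`;
  if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(version)) return `malicious release ${name}@${version}`;
  return null;
}

// Returns one finding per compromised entry, in lockfile order.
function findCompromised(lock) {
  const findings = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (!p || !meta.version) continue; // "" is the root project entry
    const reason = classify(nameFromPath(p), meta.version);
    if (reason) findings.push({ path: p, reason });
  }
  const walk = (deps, prefix) => { // lockfile v1: nested "dependencies" trees
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const reason = classify(name, meta.version);
      if (reason) findings.push({ path, reason });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

// Constructed sample: a v3 lockfile that resolved axios during the attack window.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  'node_modules/follow-redirects': { version: '1.15.6' } } };

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('node:fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.path}: ${h.reason}`);
  if (file) process.exitCode = hits.length ? 1 : 0; // fail the CI job on a real lockfile hit
}
```

On a hit, follow the steps above: pin axios to 1.14.0 or 0.30.3, delete node_modules and the lockfile, reinstall in a clean environment with `npm ci --ignore-scripts`, and rotate every secret that environment could reach.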