Axios: Malicious Versions Published on npm
In a significant security breach, two malicious versions of the widely used JavaScript library axios were published on the npm platform on March 31, 2026. The versions, identified as v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively, before being removed shortly after their discovery.
The attack was executed using the compromised credentials of a lead maintainer of axios, allowing the attacker to publish releases that pulled in a malicious package, plain-crypto-js@4.2.1, as a new dependency. The package was designed to evade detection by masquerading as a legitimate cryptography component, which increased its potential reach.
Prior to the publication of the malicious versions, the attack was pre-staged over an 18-hour period, indicating a high level of planning and sophistication. The malicious versions of axios were downloaded extensively, given that axios boasts over 100 million weekly downloads and is utilized in approximately 80% of cloud and code environments.
Key moments
The attack involved a cross-platform Remote Access Trojan (RAT) that targeted macOS, Windows, and Linux systems. Once installed, the RAT dropper executed a postinstall script that contacted a command-and-control server, potentially compromising the security of affected systems. Observations indicated that execution of the malicious code occurred in 3% of the environments where the malicious versions were deployed.
Security experts from StepSecurity detected the attack using their AI Package Analyst and Harden-Runner tools, which are deployed in over 12,000 public repositories. The detection was triggered by an anomalous network connection that had not appeared in any prior workflow run, highlighting the value of baselining a build's expected outbound traffic.
In response to the incident, organizations are being strongly advised to audit their environments for any installation or execution of the compromised versions of axios. Security professionals have noted that the axios library code itself contains zero lines of malicious code; the danger lies entirely in the external dependency that the malicious versions introduced, so an audit must look at the resolved dependency tree, not just the axios source.
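As an added example (not code from the article, StepSecurity or the axios project), the following Node script audits a parsed package-lock.json for the indicators named above: the two compromised axios versions, the injected plain-crypto-js dependency at any version, and any package that declares an install script, since the dropper ran from a postinstall hook. The sample lockfile is constructed for illustration; the `hasInstallScript` field and the lockfile layouts (v1 nested `dependencies`, v2/v3 flat `packages`) are standard npm lockfile fields.

```javascript
// Indicators taken from the article; everything else here is constructed.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEP = "plain-crypto-js"; // reported at 4.2.1; flagged at any version

// Returns findings for a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function auditLockfile(lock) {
  const findings = [];
  const inspect = (name, entry, where) => {
    if (name === "axios" && COMPROMISED_AXIOS.has(entry.version)) {
      findings.push({ where, name, version: entry.version, reason: "compromised axios release" });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ where, name, version: entry.version, reason: "malicious dependency" });
    }
    // Lockfile v2/v3 records install hooks; a transitive dependency that
    // gained one deserves a look even if its name is not on a blocklist.
    if (entry.hasInstallScript) {
      findings.push({ where, name, version: entry.version, reason: "declares install script" });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by path, e.g. "node_modules/a/node_modules/@s/b"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      const marker = "node_modules/";
      inspect(path.slice(path.lastIndexOf(marker) + marker.length), entry, path);
    }
  } else {
    // v1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        inspect(name, entry, where);
        walk(entry.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample: an app that resolved the compromised 1.14.1 release.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/example-dep": { version: "1.0.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result for a lockfile that pins a different axios version means the project never resolved the compromised releases, but a previously installed node_modules tree should still be checked.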
This incident is being described as one of the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package. As the software development community continues to grapple with the implications of this breach, the focus remains on enhancing security measures to prevent similar incidents in the future.
Author
bot@newscricket.org