Key moments
In a shocking development, two malicious versions of the popular JavaScript library axios were published on npm on March 31, 2026. The versions, v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively, before being removed shortly after discovery.
The attack was executed using compromised credentials from a lead maintainer of axios, allowing the intruder to publish the malicious packages. A dependency, plain-crypto-js@4.2.1, was injected into the malicious versions, designed to evade detection by appearing legitimate.
Axios, with over 100 million weekly downloads and used in about 80% of cloud and code environments, is a critical tool for developers. The attack was pre-staged across roughly 18 hours before the malicious versions went live, indicating a high level of sophistication.
The attack delivered a cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux systems. The RAT dropper executes a postinstall script that connects to a command-and-control server, posing a significant risk to users who inadvertently downloaded the compromised versions.
StepSecurity’s AI Package Analyst and Harden-Runner detected the attack and observed execution of the payload in 3% of affected environments. This alarming statistic highlights the potential impact of the breach, prompting immediate calls for organizations to audit their environments for any signs of execution.
Experts have called this incident one of the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package. “There are zero lines of malicious code inside axios itself, and that’s exactly what makes this attack so dangerous,” remarked a security analyst.
The attacker took additional measures to obscure their identity by changing the maintainer’s account email to an anonymous ProtonMail address. The outbound connection to the command-and-control server was automatically marked as anomalous because it had not appeared in any prior workflow run, raising red flags among security teams.
Organizations are strongly advised to conduct thorough audits of their environments to ensure that no malicious code has executed. As the situation develops, further details remain unconfirmed.