Major Supply Chain Attack Compromises Popular Axios NPM Package – Developers Urged to Check Projects Immediately
Axios just got hacked! Popular JS library Axios suffered a massive supply chain attack.
In a significant blow to the JavaScript ecosystem, the widely used HTTP client library Axios was hit by a supply chain attack on March 30–31, 2026. Attackers hijacked the npm credentials of a lead maintainer and published two malicious versions of the package that silently installed a cross-platform remote access trojan (RAT) on developers’ machines.Axios, with hundreds of millions of weekly downloads, powers API requests in countless web and Node.js applications. The compromised versions — axios@1.14.1 (mailto:axios@1.14.1) and axios@0.30.4 (mailto:axios@0.30.4) — introduced a hidden dependency called plain-crypto-js@4.2.1. This package ran a postinstall script that acted as a sophisticated RAT dropper, capable of infecting Windows, macOS, and Linux systems. After phoning home to a command-and-control server and delivering its payload, the malware erased itself and replaced its package.json with a clean version, making forensic detection extremely difficult.
Security researchers at StepSecurity, Snyk, and Socket.dev were among the first to identify and publicly disclose the attack. The malicious versions were removed from npm within hours, and the legitimate latest version (1.14.0) remains unaffected.
Who was affected?
Any developer or project that ran npm install, yarn install, pnpm install, or similar commands while the poisoned versions were live (a roughly two-hour window on March 30–31) and used loose version ranges like ^1.14.0 or ^0.30.0 in their package.json. Because the attack was stealthy, many victims may not yet realize their machines were compromised.What should you do right now?
Check your package.json and lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for any reference to axios versions 1.14.1 or 0.30.4.
Delete your node_modules folder and lockfile, then reinstall using a pinned safe version (e.g., "axios": "^1.14.0").
Scan your systems for suspicious activity, especially outbound connections from Node.js processes.
Consider using tools like npm audit, Socket.dev, or Snyk to scan dependencies.
The Axios team has not yet issued a formal statement beyond internal CI updates, but the rapid response from the open-source security community limited the damage.This incident highlights the growing risks in the npm ecosystem and the importance of strict version pinning, lockfiles, and supply-chain security tools. Developers are advised to stay vigilant and monitor official Axios channels (GitHub and npm) for further updates.Sources: StepSecurity, The Hacker News, Snyk, Socket.dev, and Axios GitHub repository.