Axios: Malicious Versions Discovered on npm: A Supply Chain Attack Unveiled


In a shocking revelation on March 31, 2026, two malicious versions of the popular JavaScript HTTP client library, axios, were discovered on the npm platform. The versions, v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively, before being swiftly removed. This incident has sent ripples through the software development community, raising urgent concerns about supply chain security.

The immediate circumstances surrounding the attack are alarming. The malicious versions were published using the compromised credentials of a lead maintainer of axios, allowing the attacker to inject a malicious package, plain-crypto-js@4.2.1, as a dependency. This package was designed to evade detection by masquerading as a legitimate component, thus increasing the risk of exploitation among unsuspecting developers.

According to reports, the attack was pre-staged for roughly 18 hours before the malicious versions went live. During this time, the attacker changed the maintainer’s account email to an anonymous ProtonMail address, further obscuring their identity. The malicious packages targeted a wide range of environments, including macOS, Windows, and Linux, employing a cross-platform Remote Access Trojan (RAT) that executed a postinstall script to contact a command-and-control server.

The scale of axios’s usage cannot be overstated, with over 100 million weekly downloads and an estimated 80% of cloud and code environments using the library. This widespread adoption means that even a small percentage of affected environments could lead to significant security breaches. In fact, execution of the malicious code was observed in 3% of the environments that downloaded the compromised versions.

Security experts from StepSecurity, who detected the attack using their AI Package Analyst and Harden-Runner tools, have described this incident as “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.” The implications of this breach extend beyond just axios, as it highlights vulnerabilities in the broader ecosystem of software development.

In light of these events, organizations are being urged to audit their environments for potential execution of the malicious versions. The warning comes as developers grapple with the realization that there are “zero lines of malicious code inside axios itself,” which underscores the danger of supply chain attacks that exploit trusted software.

As the dust settles on this incident, the software community is left to ponder the implications of such vulnerabilities. The connection to the compromised maintainer’s account was automatically marked as anomalous, signaling the need for enhanced security measures within the npm ecosystem. The rapid response to remove the malicious versions from npm was a crucial step, but it raises questions about how such breaches can be prevented in the future.
