Lead Summary: Critical axios npm Supply Chain Attack Discovered

A severe supply chain attack has targeted the widely used axios npm package, leading to the distribution of malicious versions (1.14.1 and 0.30.4) that silently installed Remote Access Trojans (RATs) on developer systems. The attack, discovered in March 2026, originated from a compromised maintainer account, which allowed the attackers to inject a hidden malicious dependency. Developers are urged to immediately audit their projects, downgrade to safe versions, and scan their systems for potential compromise.

Incident Overview: axios Supply Chain Compromise

axios is a popular, promise-based HTTP client for the browser and Node.js, renowned for its ease of use, robust features, and widespread adoption across millions of projects. Its ubiquity made it a prime target for a supply chain attack, as compromising axios allows attackers to potentially infect a vast number of downstream applications and development environments.

The incident began when an attacker gained unauthorized access to a maintainer’s account on the npm registry. This access was then used to publish new, seemingly legitimate versions of axios that contained hidden malicious code.

Attack Execution: How the Malicious Package Spread

The attack was executed with precision, leveraging a multi-stage approach to evade detection and deliver its payload:

  1. Maintainer Account Compromise: An axios maintainer’s npm account was compromised, granting the attacker the ability to publish new package versions.
  2. Malicious Version Publication: The attacker published two new versions, 1.14.1 and 0.30.4, to the npm registry. These versions appeared legitimate but contained critical modifications.
  3. Hidden Malicious Dependency: Within these malicious axios versions, a new, seemingly innocuous dependency was added to the package.json file. This dependency was a custom-crafted package under the attacker’s control.
  4. postinstall Script Injection: The malicious dependency’s package.json included a postinstall script. This script is automatically executed by npm (or yarn) after the package is installed.
  5. Remote Access Trojan (RAT) Installation: The postinstall script silently downloaded and executed a Remote Access Trojan (RAT) onto the developer’s system. This RAT provided the attacker with persistent remote access, potentially allowing for data exfiltration, further system compromise, or lateral movement within development networks.

The following diagram illustrates the attack flow:

  flowchart TD
    A[Compromised Maintainer Account] --> B[Publish Malicious axios Versions]
    B --> C[axios@1.14.1 and axios@0.30.4]
    C --> D[Bundles Fake Dependency]
    D --> E[Developer Installs/Updates axios]
    E --> F[npm/yarn Executes postinstall Script]
    F --> G[Downloads & Installs Remote Access Trojan (RAT)]
    G --> H[Attacker Gains Persistent Access]
    H --> I[Impact on Developer Systems and Codebases]

Affected Versions and Impact

The malicious versions specifically targeted were axios@1.14.1 and axios@0.30.4. Any project that installed or updated to these versions during the window of compromise is at risk.

  Package Name | Malicious Version | Status  | Impact
  -------------|-------------------|---------|-------------
  axios        | 1.14.1            | Removed | Installs RAT
  axios        | 0.30.4            | Removed | Installs RAT

The primary impact is the installation of a Remote Access Trojan (RAT) on any system where these malicious axios versions were installed. This grants attackers unauthorized control over the affected development environment, posing severe risks including:

  • Sensitive Data Theft: Source code, API keys, credentials, and other proprietary information.
  • Further Compromise: Using the compromised system as a pivot point for attacks on internal networks or other services.
  • Backdooring Applications: Injecting malicious code into applications being developed, leading to broader supply chain attacks.
  • Intellectual Property Loss: Theft of trade secrets and proprietary algorithms.

Current Status & Remediation Efforts

Upon discovery, the npm security team swiftly intervened. The malicious versions 1.14.1 and 0.30.4 of axios have been unpublished from the npm registry. This prevents new installations or updates from fetching the compromised packages. The legitimate maintainers of axios are actively collaborating with security researchers and npm to investigate the full extent of the compromise and reinforce security measures.

An official, clean version of axios has been republished, and developers are advised to update to the latest secure release or revert to known-good versions immediately.

What Developers Should Do Immediately

Given the severity of this attack, developers must take immediate action to protect their systems and projects:

  1. Audit package-lock.json or yarn.lock:
    • Check your project’s lock files (package-lock.json for npm or yarn.lock for Yarn) for any references to axios@1.14.1 or axios@0.30.4.
    • Use npm list axios or yarn list axios to identify the installed version.
  2. Downgrade or Update axios:
    • If any affected version is found, immediately remove it and install a known-good version.
    • To downgrade: npm uninstall axios && npm install axios@1.14.0 (or axios@0.30.3 for the older major version line).
    • Alternatively, update to the latest secure version: npm update axios --force or npm install axios@latest.
    • After updating, delete node_modules and your lock file, then reinstall dependencies:
      rm -rf node_modules package-lock.json
      npm install
      
      (or equivalent for Yarn)
  3. Scan Affected Systems:
    • Perform a thorough malware scan on any development machine that might have installed the malicious versions.
    • Consider re-provisioning or isolating affected machines if a RAT is confirmed.
  4. Rotate Credentials:
    • Assume any credentials (API keys, cloud access keys, git tokens, etc.) stored or used on a compromised development machine might be exposed. Rotate them immediately.
  5. Implement Stricter Supply Chain Security:
    • Use npm audit or yarn audit regularly.
    • Use npm ci in CI/CD pipelines so that installs follow the lock file exactly, and consider tools that verify dependency integrity.
    • Review and approve dependencies, especially new ones, before integrating them into critical projects.
    • Monitor for changes in maintainer accounts or unexpected package updates.
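The lock-file audit in step 1, together with the postinstall delivery channel described in the attack steps, can be checked in one pass. The script below is an added example, not code from the advisory or the axios project; it flags the affected axios versions named above and any dependency whose lockfile entry records an install-time lifecycle script. The lockfile at the bottom and the dependency name "example-hidden-dep" are constructed for illustration.

```javascript
// Added example, not from the advisory: audit an npm lockfile for the
// affected axios versions and for dependencies that declare install-time
// lifecycle scripts. The lockfile content at the bottom is constructed.
const AFFECTED = { axios: new Set(["1.14.1", "0.30.4"]) };
// Handles both lockfile layouts: v2/v3 "packages" (flat, keyed by
// node_modules path) and v1 "dependencies" (nested tree).
function auditLock(lock) {
  const findings = [];
  const check = (name, entry, where) => {
    const bad = AFFECTED[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ kind: "affected-version", name, version: entry.version, where });
    }
    // npm lockfile v2+ sets hasInstallScript on packages with
    // preinstall/install/postinstall hooks; v1 lockfiles lack this field.
    if (entry.hasInstallScript) {
      findings.push({ kind: "install-script", name, version: entry.version, where });
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, entry, path);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry, prefix + name);
        walk(entry.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}
// Constructed v3 lockfile: the affected axios version pulls in a hypothetical
// dependency ("example-hidden-dep") that declares an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", dependencies: { "example-hidden-dep": "^1.0.0" } },
    "node_modules/example-hidden-dep": { version: "1.0.2", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};
```

To run it against a real project, pass the parsed file instead of the sample: auditLock(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))). Any "install-script" finding is a package to review by hand, not proof of compromise, since many legitimate native modules also declare install hooks.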

Transparency Note: This news digest describes a hypothetical npm axios supply chain attack as if it occurred in March 2026. All details regarding the attack, affected versions, and remediation steps are fabricated for the purpose of this exercise. No actual axios maintainer accounts have been compromised, and the specified malicious versions do not exist. The references provided are illustrative placeholders.