Key moments
On March 31, 2026, the npm account of an axios maintainer was compromised and used to publish two malicious versions of the popular JavaScript HTTP library, v1.14.1 and v0.30.4. Both were available on the npm registry for approximately three hours before they were removed.
The malicious versions declared a dependency on a trojanized package named plain-crypto-js, which executed platform-specific payloads. Those payloads functioned as lightweight remote access trojans (RATs), exposing any user or organization whose installs pulled in either version.
Axios is one of the most widely used libraries for making HTTP/S requests from JavaScript, with roughly 100 million downloads per week, and it is found in approximately 80% of observed cloud and code environments. That footprint, rather than the three-hour exposure window alone, is what made the potential scale of the compromise so concerning.
According to reports, the malicious versions included a dropper that could download and execute additional payloads on affected systems. Initial assessments found that about 3% of observed environments actually executed the malicious code, with infected hosts beaconing to a command-and-control (C2) server every 60 seconds.
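The 60-second check-in described above is a detectable pattern in egress or proxy logs. The following Node.js script is an added example, not part of the original report or of the axios project: it groups outbound connections by source and destination, measures the spacing between them, and flags pairs whose connections recur with a stable, low-jitter period. The log format, the hostnames (all under the reserved .example.invalid placeholder) and the IP addresses are constructed for illustration; no real C2 indicator is known from the page.

```javascript
// Added example (not from the original article): detect fixed-interval beaconing
// in outbound connection logs. The reported RAT checked in with its C2 every 60 s,
// so a (source, destination) pair whose connections recur with a stable period
// and low jitter is the signal to look for. Log format, hosts and addresses below
// are constructed for illustration; "*.example.invalid" are placeholder names.

const SAMPLE_EGRESS_LOG = [
  // Infected host: near-perfect 60 s cadence to one destination.
  "2026-03-31T14:00:00Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  "2026-03-31T14:01:00Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  "2026-03-31T14:02:01Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  "2026-03-31T14:02:59Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  "2026-03-31T14:04:00Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  "2026-03-31T14:05:00Z dev-laptop-07 10.0.4.21 -> c2.example.invalid:443 CONNECT",
  // Ordinary host: bursty, irregular traffic to a CDN.
  "2026-03-31T14:00:05Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  "2026-03-31T14:00:09Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  "2026-03-31T14:03:40Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  "2026-03-31T14:10:02Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  "2026-03-31T14:10:03Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  "2026-03-31T14:17:30Z build-agent-02 10.0.4.33 -> cdn.example.invalid:443 CONNECT",
  // Too few events to judge periodicity.
  "2026-03-31T14:00:30Z dev-laptop-07 10.0.4.21 -> registry.example.invalid:443 CONNECT",
  "2026-03-31T14:01:30Z dev-laptop-07 10.0.4.21 -> registry.example.invalid:443 CONNECT",
];

const LINE_RE = /^(\S+) (\S+) (\S+) -> (\S+) (\S+)$/;

// Parse one constructed log line into { ts (ms), host, src, dst }; null if malformed.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, host: m[2], src: m[3], dst: m[4] };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Return (src, dst) pairs whose inter-connection gaps are periodic.
//   minEvents:      ignore pairs with fewer connections than this
//   maxJitter:      upper bound on median-absolute-deviation / median of the gaps
//   expectedPeriod: if set, only report periods within `tolerance` seconds of it
function findBeacons(lines, { minEvents = 5, maxJitter = 0.1, expectedPeriod = null, tolerance = 5 } = {}) {
  const byPair = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = `${ev.src}|${ev.dst}`;
    if (!byPair.has(key)) byPair.set(key, { host: ev.host, src: ev.src, dst: ev.dst, times: [] });
    byPair.get(key).times.push(ev.ts);
  }
  const hits = [];
  for (const p of byPair.values()) {
    if (p.times.length < minEvents) continue;
    const t = p.times.sort((a, b) => a - b);
    const gaps = t.slice(1).map((x, i) => (x - t[i]) / 1000);
    const period = median(gaps);
    if (period <= 0) continue;
    // Robust jitter estimate: MAD relative to the median period.
    const jitter = median(gaps.map((g) => Math.abs(g - period))) / period;
    if (jitter > maxJitter) continue;
    if (expectedPeriod !== null && Math.abs(period - expectedPeriod) > tolerance) continue;
    hits.push({ host: p.host, src: p.src, dst: p.dst, count: t.length, periodSeconds: period, jitter });
  }
  return hits;
}

// Stand-alone run: report any pair beaconing at about 60 s.
for (const b of findBeacons(SAMPLE_EGRESS_LOG, { expectedPeriod: 60 })) {
  console.log(`${b.host} (${b.src}) -> ${b.dst}: ${b.count} connections, ~${b.periodSeconds}s period, jitter ${b.jitter.toFixed(3)}`);
}
```

Median and median absolute deviation are used instead of mean and standard deviation so that a single delayed or missed check-in does not hide the pattern. Real proxy or NetFlow exports will need their own parseLine, and a legitimate updater or health probe can also beacon on a fixed period, so treat a hit as a lead to correlate with the host's installed axios version rather than as proof of infection.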
Organizations are strongly advised to audit their environments, including transitive dependencies, for installation or execution of these versions. The incident is particularly significant because axios is a transitive dependency of millions of applications, so a project can pull in a compromised release without listing axios directly, leaving exposure that is both widespread and easy to overlook.
Experts noted that the RAT could have given the attacker repository access, signing keys, API keys, or other secrets from infected developer and build machines, which in turn could be used to backdoor future releases of other projects or to compromise backend systems and their users. Detection is further complicated by the fact that the package manifest of plain-crypto-js looks clean when inspected after infection, so reviewing manifests alone will not reveal the compromise.
This incident underscores the importance of security in open-source software development and the need for vigilant monitoring of dependencies. As the situation develops, further information may emerge about the extent of the impact and the measures organizations should take to protect their systems.
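One concrete way to carry out that audit is to scan every lockfile in the estate rather than only top-level package.json files, since a compromised axios may sit several levels deep in the dependency tree. The following Node.js script is an added example, not the article's or the axios project's code: it reads a parsed npm package-lock.json (lockfileVersion 1, 2 or 3), reports installs of axios 1.14.1 or 0.30.4 anywhere in the tree, any installed plain-crypto-js, and any package that declares plain-crypto-js as a dependency. The sample lockfiles, the package some-sdk, and every version number other than the two compromised axios releases are constructed for illustration.

```javascript
// Added example (not from the original article or the axios project): audit an npm
// lockfile for the two compromised axios releases and for any appearance of the
// trojanized plain-crypto-js package, including nested (transitive) installs.
// Handles lockfileVersion 2/3 ("packages" keyed by install path) and the older
// lockfileVersion 1 ("dependencies" tree). Both lockfiles below are constructed;
// "some-sdk" and all versions other than the two axios releases are invented.

const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const TROJAN_PKG = "plain-crypto-js";

const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", [TROJAN_PKG]: "^1.0.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
    "node_modules/some-sdk": { version: "2.3.0", dependencies: { axios: "^0.30.0" } },
    // some-sdk pins an incompatible major, so npm nests its own axios copy here.
    "node_modules/some-sdk/node_modules/axios": { version: "0.30.4" },
  },
};

// The same dependency set in the older lockfileVersion 1 layout.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.14.1", requires: { "follow-redirects": "^1.15.6", [TROJAN_PKG]: "^1.0.0" } },
    "follow-redirects": { version: "1.15.6" },
    "plain-crypto-js": { version: "1.0.0" },
    "some-sdk": {
      version: "2.3.0",
      requires: { axios: "^0.30.0" },
      dependencies: { axios: { version: "0.30.4" } },
    },
  },
};

// Package name from an install path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Evaluate one installed package. `declared` is its own name -> range map.
function inspectPackage(name, version, declared, path) {
  const reasons = [];
  if (name === "axios" && COMPROMISED_AXIOS.has(version)) reasons.push("known compromised axios release");
  if (name === TROJAN_PKG) reasons.push("trojanized package installed");
  if (declared && Object.prototype.hasOwnProperty.call(declared, TROJAN_PKG)) {
    // A clean-looking version that still pulls in the trojan is equally suspect.
    reasons.push(`declares a dependency on ${TROJAN_PKG}`);
  }
  if (!reasons.length) return null;
  // Nested installs are transitive by construction; a hoisted top-level copy may be too.
  const nested = path.split("node_modules/").length > 2;
  return { name, version, path, nested, reasons };
}

function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not an installed package
      const f = inspectPackage(packageName(path), meta.version, meta.dependencies, path);
      if (f) findings.push(f);
    }
  } else if (lock.dependencies) {
    // v1: each entry lists declared deps in `requires` and nested installs in `dependencies`.
    const walk = (tree, prefix) => {
      for (const [name, meta] of Object.entries(tree)) {
        const path = `${prefix}node_modules/${name}`;
        const f = inspectPackage(name, meta.version, meta.requires, path);
        if (f) findings.push(f);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK_V3)) {
  console.log(`${f.path} (${f.name}@${f.version})${f.nested ? " [nested]" : ""}: ${f.reasons.join("; ")}`);
}
```

To run it against a real project, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to auditLockfile; yarn.lock and pnpm-lock.yaml use different layouts and need their own readers. A lockfile shows what was resolved for install, not what executed, so pair this with checks of node_modules on build agents, container images and developer machines, and with host- and network-level indicators of execution.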