axios — GB news

Key moments

In a critical security incident, the npm account of an axios maintainer was compromised on March 31, 2026, leading to the release of two malicious versions of the popular JavaScript library. These versions, identified as v1.14.1 and v0.30.4, were available for approximately three hours before being removed from the npm repository.

The malicious packages included a dependency on a trojanized package named plain-crypto-js, which functioned as a dropper that downloaded and executed platform-specific payloads. These payloads operated as lightweight remote access trojans (RATs), posing a significant threat to users and organizations utilizing axios.

Axios is widely used in the development of web applications, with approximately 80% of cloud and code environments relying on it. The malicious versions of axios were downloaded around 100 million times per week, amplifying the potential impact of this breach. Initial reports indicate that around 3% of affected environments observed execution of the malicious code.

The attack was notably sophisticated, involving a pre-staged decoy package designed to appear legitimate. Security experts warn that the attacker may have gained access to critical resources, including repository access, signing keys, and API keys, which could facilitate future attacks on backend systems and users.

Organizations are strongly advised to audit their environments for any execution of these malicious versions. The urgency is heightened because the malicious package included beacons that contacted a command and control (C2) server every 60 seconds, further endangering affected systems.

Security analysts emphasize the need for vigilance, noting that a post-infection inspection of the node_modules/plain-crypto-js/package.json file will show a completely clean manifest, which complicates detection. This breach is particularly significant given axios's role as a transitive dependency across millions of applications.

As the situation develops, the broader software community is urged to remain alert and proactive in securing their environments against potential fallout from this incident. Details remain unconfirmed regarding the full extent of the breach and its implications for future axios releases.
