Axios Faces Major Security Breach: Malicious Versions Published on npm

A recent security breach has seen two malicious versions of axios published on npm, affecting numerous developers and organizations.

Key moments

In a startling development for the software community, two malicious versions of the popular JavaScript HTTP client library axios were published on npm on March 31, 2026. The compromised versions, v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively, before being removed shortly after their discovery.

The attack was executed using the compromised credentials of a lead maintainer of axios, raising serious concerns about the security of open-source software. The malicious package, plain-crypto-js@4.2.1, was injected as a dependency, designed to evade detection by appearing legitimate. The attack was pre-staged across roughly 18 hours before the malicious versions were made available to unsuspecting developers.

Axios, which boasts over 100 million weekly downloads and is used in approximately 80% of cloud and code environments, is now at the center of a significant security incident. The attack involved a cross-platform Remote Access Trojan (RAT) that targeted macOS, Windows, and Linux systems. The RAT dropper executed a postinstall script that contacted a command-and-control server, enabling the attacker to potentially gain access to affected environments.

According to reports, the attack resulted in observed execution in 3% of affected environments, highlighting the potential impact on users who inadvertently installed the malicious versions. The incident was detected by StepSecurity’s AI Package Analyst and Harden-Runner, tools designed to monitor and analyze package security.

In light of this breach, organizations are strongly advised to audit their environments for potential execution of these malicious versions. The connection to the compromised maintainer’s account was marked as anomalous, as it had never appeared in any prior workflow run, further emphasizing the sophisticated nature of this attack.

As the dust settles on this incident, the axios community and users are left grappling with the implications of such a breach. The swift removal of the malicious versions from npm was a crucial step, but the incident raises broader questions about the security measures in place for open-source projects and the need for vigilance among developers.