
Axios: Malicious Versions Expose Vulnerabilities in Popular JavaScript Library

  • March 31, 2026

In a significant breach of software security, two malicious versions of axios—a widely used JavaScript HTTP client library—were published on npm on March 31, 2026. The affected versions, v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively. This incident has raised serious concerns about the integrity of software supply chains, particularly given axios’s staggering popularity, with over 100 million weekly downloads.

The malicious versions were uploaded using compromised credentials belonging to a lead maintainer of axios. This breach of trust not only highlights the vulnerabilities inherent in open-source software management but also underscores the risks of relying on widely adopted libraries. The attack was pre-staged over an 18-hour period before the malicious packages were made available, indicating an alarming level of sophistication.

As part of the attack, a malicious dependency named [email protected] was injected, designed to evade detection by appearing legitimate. The malicious package executed a postinstall script that contacted a command-and-control server, effectively turning affected machines into targets for a cross-platform Remote Access Trojan (RAT) that could compromise macOS, Windows, and Linux environments. The attack resulted in observed execution in 3% of the affected environments, raising the stakes for developers and organizations relying on axios.

StepSecurity, an organization specializing in cybersecurity, detected the attack using its AI Package Analyst and Harden-Runner tools. Their findings reveal that the malicious versions were removed from npm shortly after discovery, but not before a significant number of users could have installed them. With 80% of cloud and code environments utilizing axios, the implications of this breach are extensive.

Experts have noted that “there are zero lines of malicious code inside axios itself, and that’s exactly what makes this attack so dangerous.” This statement emphasizes the insidious nature of supply chain attacks, where the vulnerability lies not within the software itself but in the ecosystem surrounding it. The connection made by the malicious packages was automatically flagged as anomalous, as it had never appeared in any prior workflow run, highlighting the challenges in detecting such sophisticated attacks.

In light of these events, organizations are strongly advised to audit their environments for potential execution of the compromised versions. The incident serves as a stark reminder of the importance of robust security practices in software development and deployment. The reliance on popular libraries like axios, while often justified by their utility and community support, also necessitates a vigilant approach to security.

This incident is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package. As the software development community grapples with the fallout, it is clear that the need for enhanced security measures and awareness is more pressing than ever. The attack not only compromises individual projects but also poses a broader threat to the integrity of the open-source ecosystem.