A security breach involving malicious versions of axios has been reported, raising alarms in the software community. The incident highlights how much of the software supply chain rests on a single maintainer's credentials and on install-time scripts that package managers run automatically.
Key moments
In a significant security incident reported on March 31, 2026, two malicious versions of the popular JavaScript HTTP client axios were published to the npm registry. The affected versions, v1.14.1 and v0.30.4, were available for download for approximately 2 hours 53 minutes and 2 hours 15 minutes, respectively, before being removed. Even a window that short matters for a package with over 100 million weekly downloads: any install, lockfile update or CI run that resolved axios to one of those versions during it pulled in the payload, which is why developers and organizations that rely on axios are concerned.
The malicious versions were published using compromised credentials belonging to a lead maintainer of axios. The attack had been pre-staged over roughly 18 hours before publication, indicating a planned operation rather than an opportunistic one. Rather than altering axios's own code, the attacker added a malicious package, [email protected], as a new dependency, so that the change looked like a routine dependency bump and would pass a casual review. That dependency carried a cross-platform Remote Access Trojan (RAT) dropper targeting macOS, Windows and Linux.
When the dependency was installed, its postinstall script ran automatically and acted as the dropper, fetching the RAT and connecting to a command-and-control (C2) server, which would give the attackers remote access to any developer machine or CI runner that installed the package. The activity was detected by StepSecurity's AI Package Analyst and Harden-Runner tools, which are used to monitor and secure CI workflows in public repositories. Roughly 3% of the environments observed during the window executed one of the malicious versions, a small share that still represents many systems given axios's reach.
Organizations are being urged to audit their environments for any sign that one of these versions was installed or executed: lockfiles and node_modules trees resolved to v1.14.1 or v0.30.4, CI runs that installed axios during the publication window, and unexpected outbound connections from those runs. The incident underscores the importance of security in software supply chains, especially for widely used packages like axios. “This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” noted a security expert involved in the investigation.
Despite the severity of the incident, it is worth being precise about where the malicious code lived: there are zero lines of malicious code within axios itself. A review of the axios source, or a diff between the tagged releases, would show nothing wrong, because the payload sat in the newly added dependency and ran from its install script. That is what makes the technique dangerous: it exploits trust in the library, and npm's automatic execution of install scripts, rather than tampering with the library's own code. The connection to the C2 server was flagged as anomalous automatically because that destination had never appeared in any prior run of the workflow; detection came from comparing a run's outbound traffic against a baseline of earlier runs, not from recognising the payload, which is the case for egress monitoring in CI.
In the aftermath of this incident, the axios maintainers and community are taking steps to enhance security measures and prevent future breaches. The malicious versions were removed from npm within hours, but the incident is a stark reminder of how much of the ecosystem depends on a single maintainer's credentials and on the registry's install-time hooks. With around 80% of cloud and code environments using axios, the blast radius of such an attack is wide.
As developers and organizations assess the fallout, the focus will likely shift to improving security protocols and ensuring that similar incidents do not recur. The incident not only affects the immediate users of axios but also raises broader questions about the security of open-source software and the measures needed to protect it from sophisticated attacks. Details remain unconfirmed as investigations continue into the full extent of the breach and its implications for the software community.