Critical Axios npm package flaw lets attackers inject malicious code

Sarah simpson
March 31, 2026

Key Takeaways

  • A critical supply chain attack impacted Axios, a widely used JavaScript HTTP client.
  • Malicious versions of Axios (1.14.1 and 0.30.4) were published to npm, injecting the plain-crypto-js@4.2.1 package.
  • The attack bypassed standard GitHub release processes, suggesting a direct compromise of the npm registry or developer credentials.
  • The malicious package, published on March 30, 2026, was quickly flagged by automated detection systems.
  • Immediate action is required for developers to audit dependencies and roll back to safe Axios versions like 1.14.0.

Axios Supply Chain Attack Injects Malicious Code via npm

Axios, a foundational HTTP client within the JavaScript ecosystem, has been targeted in a sophisticated supply chain attack. This compromise involved the surreptitious introduction of a malicious transitive dependency into the official npm registry, impacting a component critical to millions of applications.

With an estimated 83 million weekly downloads on npm, Axios serves as a cornerstone for numerous frontend frameworks, backend microservices, and enterprise-grade applications. The breadth of its integration amplifies the potential impact of this supply chain poisoning, demanding an urgent response from all downstream users.

Attack Vector and Malicious Payload

The attack manifested through the unauthorized publication of new Axios versions that automatically pulled in plain-crypto-js@4.2.1. This newly introduced package has been confirmed by automated malware detection systems to contain malicious code, posing a significant threat to any project incorporating the compromised Axios versions.

Threat actors executed this attack by deviating from Axios’s established release procedures. Typically, Axios maintainers synchronize tagged releases on GitHub with their npm publications. However, the compromised npm versions notably lack corresponding tags in the project’s official GitHub repository, indicating an out-of-band deployment.

Compromised NPM Packages

At the time of the incident, v1.14.0 remained the most recent tag visible on GitHub. This discrepancy strongly suggests that the malicious updates were pushed directly to the npm registry, circumventing the standard version control and deployment pipelines. This bypass points to a highly coordinated effort to silently inject malicious code into the software supply chain.

The malicious payload dependency, plain-crypto-js@4.2.1, was published to the registry on March 30, 2026, at 23:59:12 UTC. Within minutes of this publication, the compromised Axios versions were pushed live. Automated malware detection by Socket promptly flagged the anomalous plain-crypto-js package at 00:05:41 UTC on March 31, underscoring the rapid execution designed to maximize infection before security tools could fully react.

To evade immediate detection during the initial infection phase, attackers made minimal changes to the core Axios codebase. The only significant modification was the addition of the malicious plain-crypto-js package to the dependency tree. This tactic of employing small, targeted changes is a common and highly effective strategy in supply chain attacks, enabling threat actors to execute arbitrary code through transitive dependencies while avoiding the scrutiny that typically accompanies more extensive codebase alterations or logic changes.

Investigation and Implications

Registry logs indicate that the malicious package is associated with the npm publisher account jasonsaayman. The appearance of this account in the compromised dependency chain raises serious questions regarding unauthorized package publishing capabilities. This situation strongly suggests a potential account takeover, compromised developer credentials, or a hijacked session token that allowed attackers to authenticate and publish the malicious artifacts directly to the npm registry.

The following table outlines the compromised packages and their malicious dependencies:

| Compromised Package | Version | Malicious Dependency |
|---|---|---|
| Axios | 1.14.1 | plain-crypto-js@4.2.1 |
| Axios | 0.30.4 | plain-crypto-js@4.2.1 |
| plain-crypto-js | 4.2.1 | Primary Malicious Payload |

Given that this is an active and rapidly evolving security incident, continuous threat hunting and monitoring are essential to determine the full scope of the compromise and prevent further exploitation.

What You Should Do

  • Immediately audit your software supply chains to identify and remove any compromised components.
  • Review project lockfiles, dependency graphs, feature branches, and open pull requests for exposure to affected versions.
  • If Axios versions 1.14.1 or 0.30.4, or plain-crypto-js@4.2.1 are detected, remove them entirely.
  • Roll back your Axios dependencies to a known safe release, such as Axios 1.14.0.
  • Implement enhanced monitoring for unusual activity within your dependency trees and npm registry interactions.
  • Consider implementing stricter npm access controls and multi-factor authentication for publisher accounts.
