Critical Axios npm package flaw lets attackers inject malicious code
Key Takeaways
- A critical supply chain attack impacted Axios, a widely used JavaScript HTTP client.
- Malicious versions of Axios (1.14.1 and 0.30.4) were published to npm, each pulling in the plain-crypto-js@4.2.1 package as a new dependency.
- The attack bypassed the project's normal GitHub release process, pointing to compromised publisher credentials or an npm session token rather than a compromise of the repository.
- The malicious dependency was published on March 30, 2026 at 23:59 UTC, the compromised Axios versions followed within minutes, and automated detection flagged the package roughly six minutes after it appeared.
- Immediate action is required for developers to audit dependencies and roll back to safe Axios versions like 1.14.0.
Axios Supply Chain Attack Injects Malicious Code via npm
Axios, a foundational HTTP client within the JavaScript ecosystem, has been targeted in a sophisticated supply chain attack. This compromise involved the surreptitious introduction of a malicious transitive dependency into the official npm registry, impacting a component critical to millions of applications.
With an estimated 83 million weekly downloads on npm, Axios serves as a cornerstone for numerous frontend frameworks, backend microservices, and enterprise-grade applications. The breadth of its integration amplifies the potential impact of this supply chain poisoning, demanding an urgent response from all downstream users.
Attack Vector and Malicious Payload
The attack manifested through the unauthorized publication of new Axios versions whose package manifests declared a new dependency on plain-crypto-js@4.2.1, so that a routine install or upgrade of Axios pulled it in automatically. Automated malware detection has confirmed that this newly introduced package contains malicious code, placing any project that installed the compromised Axios versions at risk.
Threat actors executed this attack by deviating from Axios’s established release procedures. Typically, Axios maintainers synchronize tagged releases on GitHub with their npm publications. However, the compromised npm versions notably lack corresponding tags in the project’s official GitHub repository, indicating an out-of-band deployment.
Compromised NPM Packages
At the time of the incident, v1.14.0 remained the most recent tag visible on GitHub. This discrepancy strongly suggests that the malicious updates were pushed directly to the npm registry, circumventing the project's version control and release pipeline. Such a bypass requires only publish rights on the npm package, not write access to the repository, which is why a registry-side check of versions against git tags is the quickest way to spot it.
The malicious payload dependency, plain-crypto-js@4.2.1, was published to the registry on March 30, 2026, at 23:59:12 UTC. Within minutes of this publication, the compromised Axios versions were pushed live. Socket's automated malware detection flagged the anomalous plain-crypto-js package at 00:05:41 UTC on March 31, about six minutes after it appeared; the tight sequencing indicates an attacker trying to maximize installs before security tooling could react.
To evade immediate detection during the initial infection phase, the attackers made minimal changes to the Axios codebase itself. The only significant modification was the addition of plain-crypto-js to the dependency tree. Small, targeted changes of this kind are a common and effective supply chain tactic: a dependency can run code through install-time lifecycle scripts or simply when the parent package imports it, so adding one line to a manifest achieves arbitrary code execution downstream while avoiding the scrutiny that larger code or logic changes would attract.
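Both signals described above, a registry version with no matching git tag and a release whose only change is a new dependency, can be checked mechanically. The following is an added example, not code from the article or from the Axios project. It takes registry metadata in the shape of npm's packument (the `versions` and `time` fields returned by `GET https://registry.npmjs.org/<package>`) together with the repository's tag list, reports versions that exist on npm without a corresponding tag, and diffs each such version's declared dependencies against the previous release on the same major.minor line. The packument and tag list are constructed for the example: the Axios version numbers and the plain-crypto-js@4.2.1 dependency come from the article; the dates, the other dependency names and ranges, and the 0.30.3 entry are illustrative.

```javascript
// Added example (not from the article or the Axios project): flag npm
// versions with no git tag and show what dependencies each one introduced.

// Constructed packument. Real registry responses carry the same `versions`
// and `time` fields; only the Axios version numbers and the plain-crypto-js
// dependency are taken from the article, everything else is illustrative.
const packument = {
  name: 'axios',
  time: {
    '0.30.3': '2026-02-01T10:00:00.000Z',
    '1.14.0': '2026-03-10T10:00:00.000Z',
    '0.30.4': '2026-03-31T00:01:30.000Z',
    '1.14.1': '2026-03-31T00:02:10.000Z',
  },
  versions: {
    '0.30.3': { dependencies: { 'follow-redirects': '^1.15.6' } },
    '0.30.4': { dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '4.2.1' } },
    '1.14.0': { dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4' } },
    '1.14.1': { dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'plain-crypto-js': '4.2.1' } },
  },
};

// Constructed tag list, as `git ls-remote --tags origin` would report it.
// The two registry-only versions are deliberately absent.
const gitTags = ['refs/tags/v0.30.3', 'refs/tags/v1.14.0', 'refs/tags/v1.14.0^{}'];

// "refs/tags/v1.14.0" -> "1.14.0"; peeled refs ("...^{}") are dropped.
function tagToVersion(tag) {
  if (tag.endsWith('^{}')) return null;
  return tag.replace(/^refs\/tags\//, '').replace(/^v/, '');
}

// Numeric comparison of dotted versions; pre-release suffixes are ignored,
// which is enough for ordering stable releases.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function sameMinorLine(a, b) {
  const [ma, mia] = a.split('.');
  const [mb, mib] = b.split('.');
  return ma === mb && mia === mib;
}

// Versions present on the registry but absent from the repository's tags.
function untaggedVersions(pkg, tags) {
  const tagged = new Set(tags.map(tagToVersion).filter(Boolean));
  return Object.keys(pkg.versions).filter((v) => !tagged.has(v)).sort(compareVersions);
}

// Dependencies that `version` declares and the previous release in the same
// major.minor line did not. A version with no earlier release in its line
// yields previous === null so the caller can treat it as uncomparable.
function addedDependencies(pkg, version) {
  const prior = Object.keys(pkg.versions)
    .filter((v) => sameMinorLine(v, version) && compareVersions(v, version) < 0)
    .sort(compareVersions)
    .pop();
  if (!prior) return { previous: null, added: [] };
  const oldDeps = pkg.versions[prior].dependencies || {};
  const newDeps = pkg.versions[version].dependencies || {};
  const added = Object.entries(newDeps)
    .filter(([name]) => !(name in oldDeps))
    .map(([name, range]) => `${name}@${range}`);
  return { previous: prior, added };
}

// One report entry per untagged version: when it was published and what it added.
function auditRelease(pkg, tags) {
  return untaggedVersions(pkg, tags).map((version) => ({
    version,
    publishedAt: pkg.time[version],
    ...addedDependencies(pkg, version),
  }));
}

for (const r of auditRelease(packument, gitTags)) {
  const delta = r.previous
    ? `adds ${r.added.join(', ') || 'no new dependencies'} over ${r.previous}`
    : 'has no earlier release in its line to compare against';
  console.log(`${packument.name}@${r.version} (published ${r.publishedAt}) has no git tag; ${delta}`);
}
```

In practice the packument comes from the registry over HTTPS and the tags from `git ls-remote --tags` against the project's repository; the comparison is cheap enough to run on every dependency a CI pipeline resolves, and a hit on a package as widely installed as Axios is worth a human look before the build proceeds.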
Investigation and Implications
Registry logs indicate that the malicious versions were published under the npm account jasonsaayman, the account of a long-standing Axios maintainer. A legitimate maintainer account publishing versions that never passed through the project's own release process strongly suggests an account takeover: stolen developer credentials or a hijacked session token would let an attacker authenticate to npm and publish directly, with no commit or tag ever reaching the repository.
The following table outlines the compromised packages and their malicious dependencies:
| Compromised Package | Version | Malicious Dependency |
|---|---|---|
| Axios | 1.14.1 | plain-crypto-js@4.2.1 |
| Axios | 0.30.4 | plain-crypto-js@4.2.1 |
| plain-crypto-js | 4.2.1 | Primary Malicious Payload |
Given that this is an active and rapidly evolving security incident, continuous threat hunting and monitoring are essential to determine the full scope of the compromise and prevent further exploitation.
What You Should Do
- Immediately audit your software supply chains to identify and remove any compromised components.
- Review project lockfiles, dependency graphs, feature branches, and open pull requests for exposure to affected versions.
- If Axios versions 1.14.1 or 0.30.4, or plain-crypto-js@4.2.1, are detected, remove them entirely, and treat any build agent or developer machine that installed them as potentially compromised until the payload's behaviour has been reviewed.
- Roll back your Axios dependencies to a known safe release, such as Axios 1.14.0, and pin that version in your lockfile so a fresh install cannot pick the malicious release up again.
- Implement enhanced monitoring for unusual activity within your dependency trees and npm registry interactions.
- Consider implementing stricter npm access controls and multi-factor authentication for publisher accounts.
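The audit steps above start with the lockfile, because that is the record of what was actually installed, including copies nested under other packages. The following is an added example, not code from the article or from the Axios project: it scans a parsed npm lockfile for the indicators the article lists and handles both the flat `packages` map of lockfileVersion 2 and 3 and the nested `dependencies` tree of lockfileVersion 1. The two lockfiles embedded below are constructed for the example; the indicator names and versions are the ones the article reports.

```javascript
// Added example (not from the article or the Axios project): find installed
// copies of the compromised Axios versions and their malicious dependency
// in an npm lockfile.

// Indicators from the article: package name -> exact versions to flag.
const INDICATORS = {
  axios: ['1.14.1', '0.30.4'],
  'plain-crypto-js': ['4.2.1'],
};

// Package name from a lockfileVersion 2/3 install path such as
// "node_modules/some-tool/node_modules/@scope/name".
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns every installed instance that matches an indicator, with the
// install path (v2/v3) or dependency chain (v1) where it was found.
function findCompromised(lock, indicators = INDICATORS) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = indicators[name];
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    // npm writes `name` only when it differs from the path (aliased packages).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; record the chain so nested copies are visible.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = prefix + name;
        check(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, where + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed lockfileVersion 3 sample: the compromised release at the top
// level plus a safe 1.14.0 nested under another package.
const sampleLockV3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { axios: '1.14.0' } },
    'node_modules/some-tool/node_modules/axios': { version: '1.14.0' },
  },
};

// Constructed lockfileVersion 1 sample with the 0.x compromised release.
const sampleLockV1 = {
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    axios: {
      version: '0.30.4',
      dependencies: { 'plain-crypto-js': { version: '4.2.1' } },
    },
  },
};

for (const lock of [sampleLockV3, sampleLockV1]) {
  const hits = findCompromised(lock);
  console.log(`${lock.name}: ${hits.length} indicator hit(s)`);
  for (const h of hits) console.log(`  ${h.name}@${h.version} at ${h.where}`);
}
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` from each repository and branch you maintain; `npm ls axios plain-crypto-js --all` gives the same answer for a single checkout but not for lockfiles sitting in unmerged pull requests. Once clean, pin the rollback in package.json with npm's `overrides` field (or yarn's `resolutions`), for example `"overrides": { "axios": "1.14.0" }`, so that a later `npm install` cannot drift back onto an affected version.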
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.