According to StepSecurity, on 31 March 2026 two malicious versions of the axios HTTP client library were published to npm: axios@1.14.1 and axios@0.30.4. Both were deployed using the compromised credentials of a lead maintainer, bypassing the project's normal CI/CD pipeline.
The attacker changed the maintainer's account email to a ProtonMail address and manually published the poisoned packages via the npm CLI. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, that is never imported anywhere in the axios source.
Its sole purpose is to run a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper: it targets macOS, Windows and Linux, contacts a live command-and-control (C2) server and delivers second-stage payloads, then deletes itself and replaces its package.json to evade forensic detection.
If you have installed axios@1.14.1 or axios@0.30.4, assume the system is compromised: pin to the safe versions axios@1.14.0 or axios@0.30.3, rotate secrets, and check network logs for the listed indicators of compromise. The post also lists a number of indicators, including the C2 domain sfrclak[.]com and the C2 IP 142.11.206[.]73, and names the affected npm accounts jasonsaayman and nrwise.