RESEARCHERS have revealed a supply-chain incident affecting the Axios HTTP client, where compromised credentials of a lead maintainer enabled an attacker to publish poisoned npm packages. The malicious versions, axios@1.14.1 and axios@0.30.4, inject a new dependency called plain-crypto-js@4.2.1, which is not imported anywhere in the Axios source. Together, these packages reach up to 100 million weekly downloads, giving the attacker a wide potential impact across web apps, services, and pipelines.
The postinstall script (node setup[.]js) runs during npm install and downloads an obfuscated dropper that retrieves a platform-specific RAT payload for macOS, Windows or Linux. If organisations installed the bad versions with scripts enabled, they may have exposed secrets such as cloud keys and API tokens, and should treat affected machines as potentially fully compromised and rotate credentials. The incident was reported on 31 March 2026.