A hacker briefly delivered malware this week through a popular open-source project for software developers that has an estimated 100 million weekly downloads, raising the possibility of compromises spreading widely through a supply-chain attack. Axios is a JavaScript client library used in web requests, and the attacker hijacked the lead Axios maintainer’s npm account to publish malicious versions containing a remote access trojan.
According to Huntress, this happened on Sunday night going into Monday morning, and the poisoned versions were pulled after discovery. SOCRadar reports that on 31 March 2026 a threat actor published two malicious versions and that the malicious code installed a cross-platform RAT the moment any developer or CI/CD pipeline ran npm install; the two versions were live for approximately 2–3 hours before npm removed them.
If you ran npm install between 00:21–03:15 UTC on 31 March 2026, your machines may be fully compromised. Researchers suggest a fast check: search your lockfiles for the compromised package identifiers.
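The lockfile check above, written out as an added example; this is not code from the article, from Axios, or from npm. It parses package-lock.json in both the v1 layout (nested `dependencies` tree) and the v2/v3 layout (flat `packages` map keyed by install path), reports every axios entry whose resolved version is on a block list, and also tests an install timestamp against the 00:21–03:15 UTC window from the article. The article does not name the malicious version numbers, so the entries in `BAD_AXIOS_VERSIONS` are labelled placeholders to be replaced with the identifiers published by npm, Huntress or SOCRadar; the two sample lockfiles are constructed for the demo.

```javascript
// Added example (not from the article, Axios or npm): find axios entries in an
// npm lockfile that resolved to a listed version, and check an install time
// against the exposure window the article reports.

// PLACEHOLDERS: the article does not give the malicious version numbers.
// Replace these with the identifiers published by npm / Huntress / SOCRadar.
const BAD_AXIOS_VERSIONS = new Set(["0.0.0-PLACEHOLDER-A", "0.0.0-PLACEHOLDER-B"]);

// Exposure window from the article (31 March 2026, 00:21–03:15 UTC).
const WINDOW_START = Date.parse("2026-03-31T00:21:00Z");
const WINDOW_END = Date.parse("2026-03-31T03:15:00Z");

// Returns true when the given Date falls inside the exposure window, e.g. the
// mtime of node_modules/axios/package.json or a CI job's start time.
function inExposureWindow(date) {
  const t = date.getTime();
  return t >= WINDOW_START && t <= WINDOW_END;
}

// Walks a lockfileVersion 1 "dependencies" tree, which nests transitive
// dependencies under each package rather than listing install paths.
function walkV1(deps, prefix, hits, badVersions) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === "axios" && badVersions.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    if (meta.dependencies) {
      walkV1(meta.dependencies, `${path}/node_modules`, hits, badVersions);
    }
  }
}

// Returns [{ path, version }] for every axios install whose resolved version is
// in badVersions. lockfileVersion 2/3 files carry a "packages" map keyed by
// install path ("node_modules/axios", "node_modules/foo/node_modules/axios");
// v1 files (and v2, for compatibility) carry the nested "dependencies" tree.
function findBadAxios(lockfile, badVersions = BAD_AXIOS_VERSIONS) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const isAxios = path === "node_modules/axios" || path.endsWith("/node_modules/axios");
      if (isAxios && meta.version && badVersions.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lockfile.dependencies) {
    walkV1(lockfile.dependencies, "node_modules", hits, badVersions);
  }
  return hits;
}

// Constructed sample lockfiles for the demo (not real project data).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER-A" }, // listed version
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.6.0" }, // not listed
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": {
      version: "2.0.0",
      dependencies: { axios: { version: "0.0.0-PLACEHOLDER-B" } }, // nested hit
    },
    axios: { version: "1.6.0" },
  },
};

// CLI use: node scan-lock.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const hits = findBadAxios(lock);
  console.log(hits.length ? hits : "no listed axios versions in lockfile");
}
```

A lockfile only records what npm resolved to, so a project that installed without a lockfile, or whose lockfile was regenerated after the window, needs the installed copy checked instead: read the `version` field of node_modules/axios/package.json (and of any nested copies) and compare it against the same list, and treat a file mtime inside the window as a reason to rebuild the machine or runner from a clean image rather than merely reinstall.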