On March 31, 2026, a threat actor hijacked the npm account of Axios’s lead maintainer, jasonsaayman, and published two malicious Axios versions alongside a hidden dependency. The attack introduced a cross-platform Remote Access Trojan (RAT) that activated when npm install ran, with the malicious releases live for roughly 2 hours and 54 minutes before npm removed them.
The two malicious versions targeted both the latest and legacy tags, and a compromised dependency named plain-crypto-js contained the postinstall script used to deploy the RAT. Safe versions are listed as Axios 1.14.0 and older 1.x, and 0.30.3 and older 0.x, with plain-crypto-js 0.0.1-security.0 described as a security stub.
The article also outlines how the attack bypassed CI/CD by using a stolen long-lived npm access token and provides steps for organisations to check and remediate, including lockfile searches and detecting the hidden dependency in node_modules. It notes the potential for a large global impact given Axios’s ~80–100 million weekly downloads and calls for enabling provenance checks and SBOMs to prevent similar supply-chain incidents.
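Added example, not code from the original article: a Python check that performs the lockfile search and the node_modules search the article describes. It assumes a lockfileVersion 2/3 package-lock.json layout, and because the article lists only the safe versions, not the malicious ones, it treats any axios version above those ceilings as suspect until verified against the registry.

```python
"""Audit a package-lock.json (lockfileVersion 2/3 layout assumed) and a
node_modules tree for the axios / plain-crypto-js indicators above."""
import json
from pathlib import Path

SAFE_CEILINGS = {0: (0, 30, 3), 1: (1, 14, 0)}  # safe ranges per the write-up
STUB_VERSION = "0.0.1-security.0"                # security stub per the write-up
HIDDEN_DEP = "plain-crypto-js"

def parse_version(v: str) -> tuple:
    """'1.14.0' -> (1, 14, 0); prerelease/build suffixes are dropped."""
    return tuple(int(p) for p in v.split("+")[0].split("-")[0].split("."))

def axios_is_safe(version: str) -> bool:
    """True only if the version falls inside a listed safe range (assumption:
    anything above the ceilings is treated as suspect, not proven malicious)."""
    parsed = parse_version(version)
    ceiling = SAFE_CEILINGS.get(parsed[0])
    return ceiling is not None and parsed <= ceiling

def audit_lockfile(lock: dict) -> list:
    """Return findings for every axios / plain-crypto-js entry, nested ones included."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                                # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]      # keeps @scope/name intact
        version = meta.get("version", "")
        if name == "axios" and not axios_is_safe(version):
            findings.append(f"{path}: axios {version} outside listed safe ranges")
        elif name == HIDDEN_DEP and version != STUB_VERSION:
            findings.append(f"{path}: {HIDDEN_DEP} {version} present")
    return findings

def find_hidden_dependency(node_modules: Path) -> list:
    """Locate installed copies of plain-crypto-js other than the stub, at any depth."""
    hits = []
    for pkg_json in node_modules.rglob(f"{HIDDEN_DEP}/package.json"):
        version = json.loads(pkg_json.read_text()).get("version", "?")
        if version != STUB_VERSION:
            hits.append(f"{pkg_json.parent}: version {version}")
    return hits

# Constructed sample (not a real lockfile): a nested legacy axios above 0.30.3.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/old-tool/node_modules/axios": {"version": "0.30.4"},
    "node_modules/plain-crypto-js": {"version": "0.0.1-security.0"},
}}

if __name__ == "__main__":  # swap SAMPLE_LOCK for json.loads(Path("package-lock.json").read_text())
    for finding in audit_lockfile(SAMPLE_LOCK) + find_hidden_dependency(Path("node_modules")):
        print(finding)
```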