Axios npm package poisoned

The widely used Axios npm package (100M+ weekly downloads) was hijacked to push cross-platform malware targeting macOS, Windows and Linux. Researchers say the compromise spread through the software supply chain, and investigators have attributed it to state-linked actors. This is a supply-chain incident that developers cannot ignore for CI, front-end tooling, or any project that pulls npm dependencies. (bloomberg.com) (techcrunch.com)

Attackers published two malicious Axios releases on March 31, 2026, axios@1.14.1 and axios@0.30.4, with the pair appearing roughly 39 minutes apart. (stepsecurity.io) The adversary hijacked the lead maintainer's npm account, changed the account email to a ProtonMail address, and bypassed the project's GitHub Actions OIDC publishing workflow by publishing manually via the npm CLI with a long-lived token. (stepsecurity.io)

Instead of editing Axios source files, the attacker added a typo-squatted dependency named plain-crypto-js@4.2.1 that staged a remote-access trojan when installed. (endorlabs.com) Google Cloud's threat intelligence has attributed the compromise to a North Korea-nexus actor, while multiple security vendors described the intrusion as a state-linked supply-chain operation. (cloud.google.com)

npm removed the malicious releases, and security teams immediately urged credential rotation and treating any system that installed the tainted packages as compromised. (snyk.io) Security observers noted the scale of potential downstream impact, citing roughly 175,000 npm projects that list Axios as a dependency, which amplifies the risk to build pipelines and production services. (csoonline.com)

Immediate indicators of compromise to search for include exact occurrences of axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1 in lockfiles and SBOMs; several vendors and incident response teams have published IOCs and remediation playbooks. (socradar.io)
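One way to run that lockfile and SBOM check across a repository, as an added example that is not code from the article or from the Axios project: the Node script below walks an npm lockfile in either the v1 nested "dependencies" layout or the v2/v3 flat "packages" layout, and a CycloneDX-style JSON SBOM via its purl fields, and reports the exact package@version indicators named above. The sample lockfile and SBOM contents are constructed for the demonstration, not taken from any real project.

```javascript
// Added example (not from the article or the Axios project): scan npm lockfiles
// and a CycloneDX JSON SBOM for the exact package@version indicators named in
// the briefing. All sample inputs below are constructed for this demo.

// Exact indicator versions quoted in the briefing.
const INDICATORS = new Set(['axios@1.14.1', 'axios@0.30.4', 'plain-crypto-js@4.2.1']);

// Return every installed { name, version, path } recorded in a parsed lockfile.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages && typeof lock.packages === 'object') {
    // lockfileVersion 2/3: keys are install paths such as "node_modules/@scope/pkg";
    // the "" key is the root project and has no version to check.
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || !meta || !meta.version) continue;
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      found.push({ name, version: meta.version, path });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" objects, one level per node_modules dir.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (meta && meta.version) found.push({ name, version: meta.version, path });
        walk(meta && meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Lockfile hits: { indicator, path } sorted by install path so nested copies are visible.
function findIndicatorsInLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  return collectInstalled(lock)
    .filter((p) => INDICATORS.has(`${p.name}@${p.version}`))
    .map((p) => ({ indicator: `${p.name}@${p.version}`, path: p.path }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// SBOM hits: CycloneDX components carry purls like "pkg:npm/%40scope/pkg@1.2.3";
// decode the name, drop any qualifiers/subpath, and compare against the indicator set.
function findIndicatorsInSbom(sbomJson) {
  const sbom = typeof sbomJson === 'string' ? JSON.parse(sbomJson) : sbomJson;
  const hits = new Set();
  for (const c of sbom.components || []) {
    const purl = c.purl || '';
    if (!purl.startsWith('pkg:npm/')) continue;
    const spec = decodeURIComponent(purl.slice('pkg:npm/'.length).split(/[?#]/)[0]);
    if (INDICATORS.has(spec)) hits.add(spec);
  }
  return [...hits].sort();
}

// Constructed sample: a v3 lockfile that pulled in both the tainted axios and its dropper.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/@demo/helper': { version: '2.0.0' },
  },
});

// Constructed sample: a v1 lockfile where only a transitive, nested axios copy is tainted.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: 'legacy-app',
  lockfileVersion: 1,
  dependencies: {
    'some-sdk': { version: '3.1.0', dependencies: { axios: { version: '0.30.4' } } },
    axios: { version: '1.6.0' }, // top-level copy is not an indicator version
  },
});

// Constructed sample: a CycloneDX JSON SBOM listing the tainted axios release.
const SAMPLE_SBOM = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { type: 'library', name: 'axios', version: '1.14.1', purl: 'pkg:npm/axios@1.14.1' },
    { type: 'library', name: '@demo/helper', version: '2.0.0', purl: 'pkg:npm/%40demo/helper@2.0.0' },
  ],
});

console.log('v3 lockfile:', findIndicatorsInLockfile(SAMPLE_LOCK_V3));
console.log('v1 lockfile:', findIndicatorsInLockfile(SAMPLE_LOCK_V1));
console.log('sbom:', findIndicatorsInSbom(SAMPLE_SBOM));
```

Point the two functions at real `package-lock.json` and SBOM files (read with `fs.readFileSync`) to scan a repository; the lockfile path in each hit tells you whether a nested copy under another dependency, rather than the top-level install, pulled in the indicator version, which matters when deciding what to purge and which build hosts to treat as compromised.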
