
Mar 31, 2026 • 8 min • Brad

Axios NPM Hijack

Understanding the Axios npm hijack, its implications, and how to protect your systems from similar threats.

In March 2026, the open-source community faced one of its most significant security crises when a lead maintainer's npm account was compromised, leading to the distribution of malicious versions of the axios library. This incident affected millions of developers and organizations worldwide.

The attack specifically targeted axios versions 1.14.1 and 0.30.4, which were published by the compromised maintainer account. These malicious versions appeared legitimate at first glance, passing initial checks and remaining undetected for a critical window of time.

At the core of the attack was a malicious dependency named plain-crypto-js, designed to mimic legitimate cryptographic libraries. It executed cross-platform code that could deploy a remote access trojan on macOS, Windows, and Linux systems.

Once installed, the malware surveyed the system, exfiltrated sensitive information to attacker-controlled servers, and then cleaned up evidence. This multi-stage behavior made detection and response significantly harder.

The incident highlighted the importance of MFA for package maintainer accounts, dependency scanning, SBOM tracking, runtime monitoring, and strong incident-response processes, including credential rotation and system-wide audits.

The Axios attack is a reminder that software supply-chain security is a shared responsibility between maintainers, package registries, security teams, and application developers.