A hacker seized control of the official npm account for Axios and pushed malicious versions of the popular JavaScript library. The attack put millions of weekly downloads at risk of installing a stealthy remote access trojan.
The incident unfolded late Monday night on March 31, 2026. Security teams spotted the compromise quickly, but not before the tainted packages reached developers running fresh installs.
Axios serves as a go-to HTTP client for JavaScript projects. Millions of apps rely on it to fetch data from the internet, handle API calls, and power everything from simple web tools to complex enterprise systems. Its tiny 2.4MB size and ease of use made it a favorite across the developer community.
How the Attacker Took Over the Account
The hacker gained access to the npm account of Axios lead maintainer jasonsaayman. They changed the registered email to a Proton Mail address they controlled. Using a long-lived access token, the attacker bypassed normal GitHub CI/CD checks and published two poisoned versions directly to the npm registry.
The malicious releases were axios version 1.14.1 and version 0.30.4. These appeared shortly after midnight UTC on March 31. The attacker had prepared the ground by publishing a fake dependency called plain-crypto-js version 4.2.1 about 18 hours earlier.
The window stayed open for roughly three hours before npm pulled the bad versions. During that time, automated systems and developers running npm install or npm update could have pulled the malware.
Security researchers noted the attacker showed real skill. They hit both the main release branch and an older branch within minutes. No changes were made to the actual Axios code itself. Instead, the poison came through a hidden dependency that only activated during installation.
What the Malicious Code Actually Does
When a developer installed the bad Axios versions, the package pulled in plain-crypto-js. This triggered a postinstall script that dropped a cross-platform remote access trojan.
The malware works differently depending on the operating system:
- On Windows, it disguises itself as Windows Terminal and sets up persistence through the registry so it survives reboots.
- On macOS, it uses AppleScript to download and run a background binary.
- On Linux, it drops a Python script that runs silently in the background.
The trojan phones home to a command server immediately after installation. It gathers system information, lists files and processes, and waits for further instructions. Attackers could run commands, inject code, or steal credentials from the infected machine.
The code includes clever cleanup tricks. After running, it deletes its own traces and replaces the package files with clean-looking versions to hide from investigators. Researchers found strong technical links between the macOS payload and tools previously tied to sophisticated threat groups.
Axios's Reach Makes This Attack Especially Dangerous
Axios logs more than 80 million downloads per week. It sits inside countless projects built with React, Vue, Node.js backends, and mobile apps. Large companies and small startups alike depend on it for reliable network requests.
Because many development pipelines run automatic updates or install the latest version by default, the attack could have spread fast through continuous integration systems. A single compromised build server might have infected an entire company’s codebase.
The security community reacted swiftly. Researchers from Snyk, Sophos, StepSecurity, and others published detailed analyses within hours. npm removed the malicious packages, and the Axios team urged everyone to downgrade immediately to safe versions 1.14.0 or 0.30.3.
This marks another painful reminder about supply chain risks in open source software. Even well-maintained projects with millions of users remain vulnerable if a single maintainer account gets compromised.
What Developers Should Do Right Now
Check your projects immediately. Run this command in your project directory:
npm ls axios
Look for versions 1.14.1 or 0.30.4. Also search for plain-crypto-js in your node_modules folder.
If you find either, take these steps:
- Remove the affected packages completely
- Downgrade Axios to a known good version
- Clear your npm cache
- Rotate any credentials or API keys that might have been on the affected machines
- Scan systems for suspicious files like wt.exe in ProgramData on Windows or com.apple.act.mond on macOS
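The lockfile check described above, written out as an added example (not code from the article or from the Axios project): it walks a package-lock.json, including nested copies pulled in by other dependencies, and flags the two release numbers and the fake package the article names. The lockfile contents below are constructed for illustration.

```javascript
'use strict';

// Exact releases the article reports as compromised; any plain-crypto-js
// at all is flagged because the article describes it as a fake package.
const BAD_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
const BAD_PACKAGES = new Set(['plain-crypto-js']);

// Package name from a lockfile v2/v3 "packages" key, handling nesting such as
// "node_modules/legacy-sdk/node_modules/@scope/name".
function nameFromPath(pathKey) {
  const idx = pathKey.lastIndexOf('node_modules/');
  return idx === -1 ? pathKey : pathKey.slice(idx + 'node_modules/'.length);
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3) and return findings.
// Nested copies are checked too: `npm ls axios` shows them, a top-level glance does not.
function scanLockfile(lock) {
  const findings = [];
  for (const [pathKey, meta] of Object.entries(lock.packages || {})) {
    if (pathKey === '') continue; // root project entry, not a dependency
    const name = meta.name || nameFromPath(pathKey);
    const version = meta.version || '(unknown)';
    if (BAD_PACKAGES.has(name)) {
      findings.push({ path: pathKey, name, version, reason: 'malicious dependency present' });
    } else if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(version)) {
      findings.push({ path: pathKey, name, version, reason: 'compromised release' });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a safe top-level axios,
// a bad nested copy pulled in by another dependency, and the fake package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.4' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
}
```

To check a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and treat any finding as a reason to run the removal steps listed above.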
For prevention going forward, commit your lockfiles and use npm ci in CI/CD pipelines instead of npm install. Consider tools that scan packages before installation. Enable two-factor authentication everywhere and avoid long-lived tokens when possible.
Many teams now pin exact versions rather than allowing automatic updates to latest. This practice would have protected most users from this specific attack.
The Axios team has promised stronger account protections and better monitoring. npm continues to improve its own security features after similar incidents in recent years.
This attack lasted only a few hours but exposed a deep weakness in how modern development works. Developers move fast and trust the ecosystem. When that trust gets broken, the ripple effects touch countless applications worldwide.
Open source powers the internet, yet it often rests on individual maintainers who balance real jobs with volunteer work. Better support for these maintainers, improved security defaults, and smarter tools could help prevent the next incident.