Axios Compromised: Malicious Versions Impact 80% of Cloud Environments
Key moments
On March 31, 2026, the npm account of an axios maintainer was compromised, leading to the publication of two malicious versions of the widely used JavaScript library. These versions, v1.14.1 and v0.30.4, were available for approximately three hours before being removed from the npm repository.
The malicious versions included a dependency on a trojanized package called plain-crypto-js, which functioned as a dropper that downloaded and executed platform-specific payloads. These payloads acted as lightweight remote access trojans (RATs), posing a significant security threat to users and organizations relying on axios.
Axios is a critical library for making HTTP/S requests, and its widespread use means that the attack impacted approximately 80% of cloud and code environments. With around 100 million downloads per week, the malicious versions reached a vast number of applications, raising alarms across the software development community.
Initial reports indicate that the malicious versions were downloaded extensively, with an observed execution rate of 3% in affected environments. This statistic underscores the potential scale of the compromise, as many organizations may have unknowingly integrated the malicious code into their systems.
Security experts noted that the attack involved a pre-staged decoy package designed to appear legitimate, further complicating detection efforts. The malicious package was engineered to send beacons to a command and control (C2) server every 60 seconds, allowing attackers to maintain control over compromised systems.
Organizations are strongly advised to audit their environments for potential execution of these malicious versions. The incident has prompted significant concern, as the attacker may have obtained repo access, signing keys, API keys, or other secrets that could facilitate future attacks or backdoor releases.
In response to the breach, experts emphasized the importance of vigilance in software supply chains, particularly for libraries like axios that serve as transitive dependencies across millions of applications. Any post-infection inspection of the node_modules/plain-crypto-js/package.json will show a completely clean manifest, so a clean-looking manifest is not evidence that an install is safe, which highlights the sophistication of the attack.
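One way to start the audit the article calls for, written for this page rather than taken from the axios project or the report: scan a package-lock.json (lockfileVersion 2 or 3, which list every installed package under "packages") for the two malicious axios versions and for any presence of the plain-crypto-js dropper, including nested copies a transitive dependency may have pulled in. Because the dropper's manifest looks clean after infection, the check flags its presence and any package that declares it, not its contents. The package name "some-sdk" and the lockfile contents are constructed sample data.

```javascript
// Added example (not from the original article): scan a package-lock.json
// (lockfileVersion 2 or 3, which list every installed package under "packages")
// for the two axios versions named in the report and for any copy of the
// trojanized plain-crypto-js dependency. Version strings and package names come
// from the article; the sample lockfile below is constructed for illustration.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER_NAME = "plain-crypto-js";

// Package name from a lockfile path such as "node_modules/foo/node_modules/@s/bar".
function nameFromPath(pkgPath) {
  return pkgPath.split("node_modules/").pop();
}

// Returns a list of findings; an empty list means nothing from this incident
// appears in the lockfile. The article notes the dropper's own manifest looks
// clean after infection, so its mere presence is flagged, not its contents.
function findCompromisedAxios(lock) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // root project entry, not a dependency
    const name = nameFromPath(pkgPath);
    if (name === "axios" && COMPROMISED_AXIOS.has(meta.version)) {
      findings.push({ path: pkgPath, reason: `axios@${meta.version} is a malicious release` });
    }
    if (name === DROPPER_NAME) {
      findings.push({ path: pkgPath, reason: `${DROPPER_NAME} dropper is installed` });
    }
    if (meta.dependencies && DROPPER_NAME in meta.dependencies) {
      findings.push({ path: pkgPath, reason: `${name} declares a dependency on ${DROPPER_NAME}` });
    }
  }
  return findings;
}

// Constructed sample: a clean top-level axios plus a nested malicious copy
// pulled in by a hypothetical "some-sdk" package (all versions here are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "^1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

for (const f of findCompromisedAxios(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To scan a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; lockfileVersion 1 files nest packages under "dependencies" instead and are not handled here.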
As the situation develops, organizations are urged to remain alert and implement necessary security measures to protect their environments from potential threats stemming from this incident. Details remain unconfirmed regarding the full extent of the compromise and the specific methods employed by the attackers.