🚨 The Axios Supply Chain Attack Just Proved: “You Can Be Compromised Without Writing a Single Line of Code.”

On March 31, 2026, one of the most trusted npm packages — Axios (100M+ weekly downloads) — was compromised. Not via a typo. Not via a random dependency. But through a hijacked maintainer account.

⚠️ What actually happened:
- Malicious versions: axios@1.14.1 & 0.30.4
- Attack window: ~2 hours
- Hidden dependency: "plain-crypto-js@4.2.1"
- Trigger: simply running "npm install"
- Result: Cross-platform Remote Access Trojan (RAT)

👉 Meaning: Your system, CI/CD pipeline, or production environment could be compromised just by installing dependencies.

---

🧠 Why this is scary:
- No code changes in Axios itself
- No visible red flags in "node_modules"
- Malware self-deletes traces
- Works across macOS, Windows, Linux
- Can execute arbitrary commands remotely

---

🎯 Who was at risk:
- Anyone who ran "npm install" during that window
- CI/CD pipelines without lockfile enforcement
- Projects with auto-updating dependencies

---

✅ What you should do NOW:
1. Check your lockfiles
   - Look for: "axios@1.14.1" or "0.30.4"
2. Search for the malicious package
   - "plain-crypto-js"
3. If exposed → assume breach
   - Rotate ALL credentials (API keys, tokens, SSH)
   - Rebuild systems (don’t just clean)
   - Audit logs for suspicious activity
4. Prevent future attacks
   - Use "npm ci" instead of "npm install"
   - Commit and enforce lockfiles
   - Consider "--ignore-scripts" in CI
   - Add dependency security tools (Snyk, etc.)

---

💡 Real Lesson:
«Open-source risk is no longer about bad code — it’s about trusted code becoming weaponized.»

---

If you're a developer, this is your wake-up call. Security is no longer optional. It’s part of engineering.

#CyberSecurity #SupplyChainAttack #JavaScript #NodeJS #DevSecOps #Axios #OpenSource #SoftwareEngineering
Axios Supply Chain Attack Exposes Vulnerability in Trusted npm Packages
This is not an April Fools' joke… it is quite real and perfectly timed to coincide with April Fools' Day. One thing I would note is the use of 1Password: it is difficult to steal credentials (easily) if they are never stored on your machine(s)… see below:

# 1Password CLI (op) pulls each value at run time; nothing is written to disk
OP_ACCOUNT="QLJC7YLMJZF2NK67MPLY35NR7E"
OP_VAULT="euepvpdmqysvtonb63bm3ybcpa"
OP_ITEM_ID="3djme2zwhqxoellpksbtf3lrru"

echo "=== Retrieving config from 1Password (Convergint) ==="
ORG_ID=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields "Organization ID")
BASE_URL=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields "BASE_URL")
API_KEY=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields credential)

echo "Instance: $BASE_URL"
echo "Org: $ORG_ID"

# Exchange the API key for a short-lived token; the key itself is only held in this shell's memory
echo "=== Getting auth token ==="
TOKEN=$(curl -s -X POST "$BASE_URL/token" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $API_KEY" \
  -d "{\"org_id\": \"$ORG_ID\"}" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
echo "Token acquired"
🚨 ATTENTION DEVELOPERS: The Axios Supply Chain Attack is real.

If you ran npm install or triggered a CI/CD pipeline today (March 31, 2026), you need to stop what you’re doing and check your machine.

One of the most used libraries in the world—Axios—was compromised. A maintainer's account was hijacked to push a Remote Access Trojan (RAT) directly into the code.

The "Infection Window": 00:21 to 03:29 UTC (approx. 3 hours).

The Poisoned Versions:
❌ axios@1.14.1
❌ axios@0.30.4

This isn’t just a "bug." This malware is designed to steal your .env files, SSH keys, and AWS credentials the second it hits your machine.

🔍 THE 30-SECOND SYSTEM CHECK
Open your terminal and check for these "hidden" files. If they exist, you are compromised:
🍎 MAC: ls /Library/Caches/com.apple.act.mond
🪟 WINDOWS: dir %PROGRAMDATA%\wt.exe
🐧 LINUX: ls /tmp/ld.py

🛠️ WHAT TO DO IF YOU ARE INFECTED:
-> Isolation: Disconnect the machine from the network.
-> Rotation: Assume every API key and password on that machine is now in the hands of attackers. Rotate them NOW.
-> Clean Slate: Don’t just delete the file. Reformat the drive or revert to a clean snapshot from before March 30th.

The malicious versions have been pulled from npm, but if it's already in your package-lock.json, your next build is a security hole.

Check your logs. Tag your team. Stay safe. 🛡️

#CyberSecurity #Javascript #Axios #DevOps #WebDevelopment #SoftwareEngineering #InfoSec
This is exactly what we do at Quome. Make it simple to secure yourself against this malicious activity and make it simple to address it by rotating keys for example after the fact.
Axios Supply Chain Attack Shakes npm Ecosystem Trust

A recent report highlights a serious supply chain attack involving Axios—one of the most widely used HTTP clients in the JavaScript ecosystem.

What happened?
Attackers used compromised maintainer credentials to publish malicious versions:
* axios@1.14.1
* axios@0.30.4
These versions silently introduced a rogue dependency: `plain-crypto-js@4.2.1`, which executed a post-install script to deploy a Remote Access Trojan (RAT).

Why this is critical:
* Axios sees ~100M weekly downloads → massive potential impact
* The attack targets the install/build phase, not runtime
* Secrets (API keys, tokens, SSH keys) could be exfiltrated
* Malware cleans up traces → difficult to detect via standard audits

Who is affected?
* Developers or CI/CD pipelines that installed compromised versions
* Systems where `npm install` executed with scripts enabled

Immediate actions to take:
* Treat affected machines as fully compromised
* Rotate all secrets (API keys, tokens, credentials)
* Check for Indicators of Compromise (IOCs): suspicious temp/system files across macOS, Linux, Windows
* Lock dependencies and verify package integrity
* Strengthen supply chain security (e.g., dependency pinning, audit pipelines)

#CyberSecurity #SupplyChainAttack #JavaScript #NodeJS #npm #DevSecOps #InfoSec #Axios
🚨 Critical Alert: The Axios Supply Chain Attack (March 31, 2026)

If you are a JavaScript/TypeScript developer, stop what you are doing and check your package-lock.json.

Yesterday, one of the most downloaded libraries in the world—Axios (100M+ weekly downloads)—was the victim of a major supply chain compromise. Attributed to the North Korean-nexus group UNC1069, this attack bypasses standard code reviews using a "phantom dependency" technique.

🔴 What happened?
A lead maintainer’s npm account was compromised. The attackers published two malicious versions:
- axios@1.14.1 (Latest)
- axios@0.30.4 (Legacy)
These versions look identical to the original code, but they include a new "phantom" dependency called plain-crypto-js.

⚙️ How it works:
1. Silent Execution: When you run npm install, the postinstall script in the malicious dependency automatically triggers.
2. Cross-Platform Malware: It drops a Remote Access Trojan (RAT) tailored for your OS (Windows, macOS, or Linux).
3. Anti-Forensics: The malware is designed to delete its own installation scripts and replace the package.json with a "clean" stub version immediately after infection to hide its tracks from developers.

🛡️ How to resolve and audit:
1. Search your Lockfile: Don't just look in package.json. Search your package-lock.json or yarn.lock for plain-crypto-js or the specific Axios versions above.
2. Check your tree: Run npm ls plain-crypto-js. If it shows up, your environment is likely compromised.
3. Rollback & Pin: Revert to axios@1.14.0 or axios@0.30.3. Avoid using ^ or latest tags for now.
4. Assume Breach: If you found the malicious package, rotate all environment secrets (.env keys, AWS tokens, etc.) and treat that machine as "hot."

The npm team has removed the versions, but the window of exposure was roughly 3 hours—enough time to infect thousands of CI/CD pipelines.

Stay safe and audit your dependencies today!

#CyberSecurity #NodeJS #Javascript #WebDev #AppSec #SupplyChainAttack #Axios
Axios just got hacked. Here's what every developer needs to know.

Last night (March 30), North Korean hackers compromised the npm account of the lead maintainer of axios -- the JavaScript HTTP library downloaded 100M+ times per week.

They published two backdoored versions:
- axios@1.14.1 (tagged "latest")
- axios@0.30.4 (tagged "legacy")

Both contained a hidden dependency (plain-crypto-js) that deployed a cross-platform RAT (Remote Access Trojan) on macOS, Windows, and Linux.

The attack was live for ~3 hours before being detected. If you ran `npm install` during that window, your machine may be compromised.

What you should do RIGHT NOW:
1. Check your lockfile for axios@1.14.1 or @0.30.4
2. Search for "plain-crypto-js" in your node_modules
3. Rotate ALL secrets, API keys, and credentials
4. Enable 2FA on your npm account
5. Pin exact dependency versions
6. Consider using --ignore-scripts

This attack was attributed to UNC1069 by Google Threat Intelligence Group.

Supply chain attacks are not theoretical. They're happening to the packages you use every single day.

Share this with your team. One developer running npm install in that window could compromise your entire infrastructure.

#InfoSec #SupplyChainAttack #Axios #npm #CyberSecurity #DevSecOps #SoftwareEngineering #WebDevelopment #NodeJS #JavaScript
Two weeks ago, the axios npm package was compromised in one of the largest supply chain attacks ever documented. North Korean hackers hijacked the maintainer's account and published two malicious versions (1.14.1 and 0.30.4) that silently installed a Remote Access Trojan on your machine, only if you are using "npm".

I know, I'm late to write about this. But something kept bugging me. Was I affected? How to trace it back?

I opened Windows Event Manager. Unless process auditing was already turned on before March 31, the logs simply aren't there.

So I closed the laptop for a second and thought about it differently.

I opened my calendar. Where was I on the night of March 30 to 31? I was traveling. I wasn't near my laptop.
I checked my Git history. Any commits or pushes around that 3-hour window (00:21 to 03:15 UTC)? Nothing.
I checked my browser history. Any npm docs, GitHub, Stack Overflow activity that night? Nope.

And that was enough for me. The attack only triggers at install time, not at runtime. If you didn't run npm install during that window, the malicious postinstall hook never fired. You were never exposed.

So if you're a developer who's still unsure, here's a simple checklist you can go through right now:

Were you even at your computer that night?
✅ Check your calendar.
✅ Check your browser history.
If no, you are safe; if yes, do the following:
✅ Check your Git log
✅ Check your npm logs
✅ Check your package-lock.json for axios@1.14.1 or axios@0.30.4
✅ Look for a plain-crypto-js folder inside node_modules (it should never be there in a clean axios install)
✅ On Windows, check if %PROGRAMDATA%\wt.exe exists (that's the RAT artifact)

Sometimes the best forensics tool isn't a SIEM or an EDR. It's your own memory, creativity and basic tools.

image source: https://lnkd.in/gKkkJ3Fi

#javascript #nodejs #npm #cybersecurity #webdevelopment #fullstack #axios #developerlife
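The post above boils the question down to "did an install run on this machine inside the window?" and lists npm's own logs as one place to answer it. The following is an added example, not the poster's code: npm keeps one debug log per run under ~/.npm/_logs, named after the run's UTC start time and containing a `verbose argv` line, so a script can do the calendar check mechanically. The window bounds and the indicator strings (axios@1.14.1, axios@0.30.4, plain-crypto-js) are taken from the posts on this page (they disagree on whether the window closed at 03:15 or 03:29 UTC, so both bounds are parameters); the sample log names and contents are constructed for the demo, and the script filename is an assumption.

```javascript
'use strict';

// Window as quoted in the posts above (start 00:21 UTC; end given as 03:15
// or 03:29 UTC depending on the post). The wider bound is the default.
const WINDOW_START = Date.parse('2026-03-31T00:21:00Z');
const WINDOW_END = Date.parse('2026-03-31T03:29:00Z');

// Indicators from the posts, matched both as `name@version` and as the
// tarball name that appears in npm's fetch lines (`axios-1.14.1.tgz`).
const IOC_PATTERNS = [
  ['axios@1.14.1', /axios[@-]1\.14\.1\b/],
  ['axios@0.30.4', /axios[@-]0\.30\.4\b/],
  ['plain-crypto-js', /plain-crypto-js/],
];

// Subcommands that resolve and extract packages, and so run postinstall hooks.
const INSTALL_COMMANDS = new Set(['install', 'i', 'add', 'ci', 'install-test', 'it', 'update', 'up', 'upgrade']);

// npm names each run's debug log after its UTC start time, e.g.
// 2026-03-31T01_05_27_318Z-debug-0.log. Returns epoch milliseconds or null.
function parseLogTimestamp(filename) {
  const m = /^(\d{4}-\d{2}-\d{2})T(\d{2})_(\d{2})_(\d{2})_(\d{3})Z-debug-\d+\.log$/.exec(filename);
  return m ? Date.parse(`${m[1]}T${m[2]}:${m[3]}:${m[4]}.${m[5]}Z`) : null;
}

// The `N verbose argv "install" "axios"` line records what was run.
function parseArgv(text) {
  const m = /^\d+ verbose argv (.*)$/m.exec(text);
  return m ? [...m[1].matchAll(/"([^"]*)"/g)].map((x) => x[1]) : [];
}

function triageLog(filename, text, start = WINDOW_START, end = WINDOW_END) {
  const time = parseLogTimestamp(filename);
  const argv = parseArgv(text);
  const command = argv.find((a) => !a.startsWith('-')) || null;
  const inWindow = time !== null && time >= start && time <= end;
  const installLike = INSTALL_COMMANDS.has(command);
  const indicators = IOC_PATTERNS.filter(([, re]) => re.test(text)).map(([label]) => label);
  return {
    filename, time, command, inWindow, installLike, indicators,
    // Review if an install ran inside the window (a poisoned release could
    // have been resolved) or if the log names an indicator at any time
    // (e.g. a later `npm ci` replaying a poisoned lockfile).
    needsReview: (inWindow && installLike) || indicators.length > 0,
  };
}

function triageLogs(logs, start = WINDOW_START, end = WINDOW_END) {
  return logs
    .map(({ name, text }) => triageLog(name, text, start, end))
    .filter((r) => r.needsReview);
}

// Constructed sample logs (not captured from a real machine); the line
// layout follows npm's debug-0.log format.
const LOG_HEADER = ['0 verbose cli /usr/local/bin/node /usr/local/bin/npm',
  '1 info using npm@10.5.0', '2 info using node@v20.11.1'];
const SAMPLE_LOGS = [
  { name: '2026-03-30T14_02_11_004Z-debug-0.log', // install, but before the window
    text: [...LOG_HEADER, '3 verbose title npm install', '4 verbose argv "install"'].join('\n') },
  { name: '2026-03-31T01_05_27_318Z-debug-0.log', // install inside the window
    text: [...LOG_HEADER, '3 verbose title npm install axios', '4 verbose argv "install" "axios"'].join('\n') },
  { name: '2026-03-31T02_40_00_000Z-debug-0.log', // read-only command inside the window
    text: [...LOG_HEADER, '3 verbose title npm ls axios', '4 verbose argv "ls" "axios"'].join('\n') },
  { name: '2026-04-02T09_00_00_000Z-debug-0.log', // later CI run replaying a poisoned lockfile
    text: [...LOG_HEADER, '3 verbose title npm ci', '4 verbose argv "ci"',
      '5 http fetch GET 200 https://registry.npmjs.org/axios/-/axios-1.14.1.tgz 88ms'].join('\n') },
];

// `node triage-npm-logs.js` (assumed filename) runs the samples;
// `node triage-npm-logs.js ~/.npm/_logs` reads a real log directory.
if (typeof require !== 'undefined' && require.main === module) {
  let logs = SAMPLE_LOGS;
  if (process.argv[2]) {
    const fs = require('fs');
    const path = require('path');
    const dir = process.argv[2];
    logs = fs.readdirSync(dir).filter((n) => n.endsWith('.log'))
      .map((name) => ({ name, text: fs.readFileSync(path.join(dir, name), 'utf8') }));
  }
  for (const r of triageLogs(logs)) {
    console.log(`REVIEW ${r.filename}: npm ${r.command}` +
      (r.inWindow ? ' (inside window)' : '') +
      (r.indicators.length ? ` indicators=${r.indicators.join(',')}` : ''));
  }
}
```

Two caveats a practitioner should keep in mind: npm only keeps a bounded number of these logs (the `logs-max` setting, ten by default), so on a busy workstation the window may already have rotated out, in which case the absence of a log proves nothing; and the log records the start time of the run in UTC, so convert your local night-of-March-30 to UTC before reasoning about it, as the post does.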
🚨 URGENT: Massive Supply Chain Attack on the axios npm package!

If you or your team use JavaScript/Node.js, please read and share this immediately to protect your infrastructure.

On March 30-31, 2026, attackers compromised a core maintainer's account and published malicious versions of the axios library: 1.14.1 and 0.30.4. As the most popular JS HTTP client with over 100 million weekly downloads, the potential blast radius of this attack is massive.

⚠️ HOW THE ATTACK WORKS:
The compromised versions do not alter the axios code itself; instead, they inject a phantom dependency named plain-crypto-js@4.2.1. The moment you run npm install, a hidden postinstall script silently executes a Remote Access Trojan (RAT) designed for macOS, Windows, and Linux. This malware gives attackers complete control over the infected system, stealing sensitive credentials, API keys, crypto wallets, and cloud tokens. To make matters worse, the malware immediately deletes its source files and swaps its manifest with a clean decoy to evade post-incident detection.

🛡️ IMMEDIATE ACTIONS TO TAKE:
1️⃣ Audit your environments: Check your package-lock.json, yarn.lock, and pnpm-lock.yaml for axios@1.14.1 or axios@0.30.4. You should also look for a plain-crypto-js folder in your node_modules.
2️⃣ Downgrade to safe versions: Pin your dependencies to axios@1.14.0 (for 1.x users) or axios@0.30.3 (for 0.x users).
3️⃣ Assume compromise & rotate keys: If your system or CI/CD pipeline installed the vulnerable versions, treat the machine as fully compromised. Do not attempt to clean the infection in place—rebuild your machines/containers from a known-good state. Rotate all session tokens, API keys, SSH keys, and cloud credentials immediately!

Security is a collective effort. Check your repositories today and remind your team to use --ignore-scripts where possible to prevent post-install hooks from running automatically. Stay safe!

#CyberSecurity #AppSec #JavaScript #NodeJS #Axios #SupplyChainAttack #Infosec #DevSecOps #OpenSourceSecurity #MalwareAlert
🚨 CRITICAL SECURITY ALERT: Axios NPM Supply Chain Attack (March 31, 2026)

If your team uses Axios (the JavaScript library with 100M+ weekly downloads), stop what you are doing and check your package-lock.json immediately.

A sophisticated supply chain attack has just compromised the Axios NPM distribution. Here is the breakdown of what happened and how to secure your infrastructure:

🔍 The Breach Details:
A lead maintainer’s account was hijacked to publish malicious versions of Axios. This wasn't just a code tweak—it was a full-scale Remote Access Trojan (RAT) deployment.

⚠️ Affected Versions:
- axios@1.14.1 (Latest)
- axios@0.30.4 (Legacy)

🛠️ How it Happened:
- Account Hijack: The attacker bypassed security to gain publishing rights.
- Phantom Dependency: A malicious package (plain-crypto-js@4.2.1) was added.
- Post-Install Trigger: Running npm install automatically executed a script that downloaded a platform-specific RAT (Windows, macOS, Linux).
- Self-Cleaning: The malware attempted to delete its own tracks after infection.

🛑 Immediate Action Plan:
- Audit: Search your lockfiles for the versions listed above.
- Revoke & Rotate: If you installed these versions, assume your environment is breached. Rotate ALL AWS keys, NPM tokens, and SSH keys.
- Clean Slate: Do not just "npm uninstall." Rebuild your CI/CD runners and dev workstations from a clean baseline.
- Pin Versions: Ensure your package.json points to safe versions (e.g., 1.14.0 or the newly patched 1.14.2).

This is a massive reminder that Zero Trust must extend to our dependencies. Is your team using automated tools like Snyk or Socket to catch these in real-time? Let’s discuss in the comments. 👇

#CyberSecurity #AppSec #JavaScript #NPM #SupplyChainAttack #SoftwareEngineering #InfoSec #WebDev #Axios
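Nearly every post on this page gives the same first step: search package-lock.json, yarn.lock and pnpm-lock.yaml for axios@1.14.1, axios@0.30.4 and plain-crypto-js, and run `npm ls plain-crypto-js`. A plain text search is easy to get wrong across the three formats (a v1 npm lockfile nests transitive packages, yarn lists the resolved version on the line after the package name, pnpm puts it in the key), so here is an added example, not code from any of the posts or from the axios project, that parses each format properly and reports every hit with where it sits in the tree. The indicator list is taken from the posts (plain-crypto-js is flagged at any version, since one post notes it never belongs in a clean axios install); the three sample lockfiles are constructed for the demo and the script filename is an assumption.

```javascript
'use strict';

// Indicators quoted in the posts above: the two malicious axios releases and
// the dependency they pulled in. null means any version of that name is a hit.
const BAD_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': null,
};

function isHit(name, version) {
  if (!(name in BAD_VERSIONS)) return false;
  const bad = BAD_VERSIONS[name];
  return bad === null || bad.has(version);
}

// package-lock.json / npm-shrinkwrap.json. lockfileVersion 2 and 3 list every
// installed package under "packages", keyed by its path; v1 nests them under
// "dependencies". v2 carries both, so "packages" wins to avoid double counting.
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  for (const [where, entry] of Object.entries(lock.packages || {})) {
    if (where === '') continue; // the root project itself
    const i = where.lastIndexOf('node_modules/');
    const name = entry.name || (i >= 0 ? where.slice(i + 'node_modules/'.length) : where);
    if (isHit(name, entry.version)) hits.push({ name, version: entry.version, where });
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (isHit(name, entry.version)) hits.push({ name, version: entry.version, where: prefix + name });
      walk(entry.dependencies, `${prefix}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// yarn.lock (classic and berry). An unindented header lists the specifiers
// that resolved to the entry, e.g. `axios@^1.14.0, axios@~1.14.1:` or
// `"axios@npm:^1.14.0":`; the indented `version` line after it is the result.
function scanYarnLock(text) {
  const hits = [];
  let names = [];
  for (const line of text.split('\n')) {
    if (/^\S/.test(line) && line.trimEnd().endsWith(':')) {
      names = line.trimEnd().slice(0, -1).split(',').map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, '');
        const at = s.lastIndexOf('@'); // index 0 would be a scope prefix, not a separator
        return at > 0 ? s.slice(0, at) : s;
      });
      continue;
    }
    const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
    if (!m) continue;
    for (const name of new Set(names)) {
      if (isHit(name, m[1])) hits.push({ name, version: m[1], where: names.join(', ') });
    }
  }
  return hits;
}

// pnpm-lock.yaml. Under `packages:` each entry key carries the resolved
// version: `/axios@1.14.1:` (lockfile v6), `axios@1.14.1:` (v9) or
// `/axios/1.14.1:` (v5). Peer-dependency suffixes in parentheses are ignored.
function scanPnpmLock(text) {
  const hits = [];
  let inPackages = false;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    if (!inPackages) continue;
    const m = /^ {2}'?\/?(@?[\w.-]+(?:\/[\w.-]+)?)[@/](\d+\.\d+\.\d+[^\s:'"()]*)/.exec(line);
    if (m && isHit(m[1], m[2])) hits.push({ name: m[1], version: m[2], where: line.trim() });
  }
  return hits;
}

function auditLockfile(filename, text) {
  const base = filename.replace(/^.*[\\/]/, '');
  let hits;
  if (base === 'package-lock.json' || base === 'npm-shrinkwrap.json') hits = scanPackageLock(text);
  else if (base === 'yarn.lock') hits = scanYarnLock(text);
  else if (base === 'pnpm-lock.yaml') hits = scanPnpmLock(text);
  else throw new Error(`not a supported lockfile: ${filename}`);
  return hits.map((h) => ({ file: filename, ...h }));
}

// Constructed samples (not real lockfiles): a poisoned npm v3 lock, a clean
// yarn classic lock and a pnpm v6 lock pinned to the legacy bad release.
const SAMPLE_NPM = JSON.stringify({
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
});
const SAMPLE_YARN = ['# yarn lockfile v1', '', 'axios@^1.14.0:', '  version "1.14.0"', '',
  'follow-redirects@^1.15.6:', '  version "1.15.6"', ''].join('\n');
const SAMPLE_PNPM = ["lockfileVersion: '6.0'", '', 'packages:', '', '  /axios@0.30.4:',
  '    dependencies:', '      follow-redirects: 1.15.6', '', '  /follow-redirects@1.15.6:',
  '    dev: false', ''].join('\n');

// `node audit-lockfiles.js` (assumed filename) runs the samples;
// `node audit-lockfiles.js <lockfile>...` audits real files and exits 1 on a hit.
if (typeof require !== 'undefined' && require.main === module) {
  const files = process.argv.slice(2);
  const inputs = files.length
    ? files.map((f) => [f, require('fs').readFileSync(f, 'utf8')])
    : [['package-lock.json', SAMPLE_NPM], ['yarn.lock', SAMPLE_YARN], ['pnpm-lock.yaml', SAMPLE_PNPM]];
  const hits = inputs.flatMap(([f, t]) => auditLockfile(f, t));
  for (const h of hits) console.log(`HIT ${h.file}: ${h.name}@${h.version} (${h.where})`);
  console.log(hits.length ? `${hits.length} indicator(s) found` : 'no indicators found');
  if (files.length && hits.length) process.exitCode = 1;
}
```

A lockfile hit means the machine or runner that produced or consumed that lockfile resolved the bad release, which is the "assume breach" trigger the posts describe; a clean lockfile only proves that this project did not pin it, not that no `npm install` ran elsewhere on the box. For the prevention steps the posts list, the concrete settings are `npm ci` (refuses to run if package.json and package-lock.json disagree, so a drifted lockfile cannot silently pull a new release) and `ignore-scripts=true` in the project's .npmrc or `--ignore-scripts` on the command line, which stops a freshly resolved package's postinstall hook from executing on the runner. Note that `ignore-scripts` also skips your own project's lifecycle scripts and any native addon builds, so expect to run those as an explicit, separate step.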