Axios Supply Chain Attack Shakes npm Ecosystem Trust

A recent report highlights a serious supply chain attack involving Axios—one of the most widely used HTTP clients in the JavaScript ecosystem.

What happened?
Attackers used compromised maintainer credentials to publish malicious versions:
* axios@1.14.1
* axios@0.30.4

These versions silently introduced a rogue dependency, `plain-crypto-js@4.2.1`, which executed a post-install script to deploy a Remote Access Trojan (RAT).

Why this is critical:
* Axios sees ~100M weekly downloads → massive potential impact
* The attack targets the install/build phase, not runtime
* Secrets (API keys, tokens, SSH keys) could be exfiltrated
* Malware cleans up traces → difficult to detect via standard audits

Who is affected?
* Developers or CI/CD pipelines that installed compromised versions
* Systems where `npm install` executed with scripts enabled

Immediate actions to take:
* Treat affected machines as fully compromised
* Rotate all secrets (API keys, tokens, credentials)
* Check for Indicators of Compromise (IOCs): suspicious temp/system files across macOS, Linux, Windows
* Lock dependencies and verify package integrity
* Strengthen supply chain security (e.g., dependency pinning, audit pipelines)

#CyberSecurity #SupplyChainAttack #JavaScript #NodeJS #npm #DevSecOps #InfoSec #Axios
Ismayel Alam’s Post
More Relevant Posts
The Axios Supply Chain Attack (NPM)

The open-source ecosystem just took a massive hit. Yesterday, Axios, the ubiquitous HTTP client, was compromised in a sophisticated supply chain attack. This was a direct account takeover of a lead maintainer, allowing attackers to publish malicious code directly to the official package.

Affected Versions: 1.14.1 and 0.30.4.
The Mechanism: Attackers added a hidden dependency (plain-crypto-js) that triggered a postinstall script.
The Payload: A cross-platform Remote Access Trojan (RAT) that targets Windows, macOS, and Linux to steal credentials and establish persistence.
The Stealth: The malicious publish was done manually, bypassing GitHub CI/CD workflows, meaning no trace of the code exists in the official Axios repository.

Are You At Risk?
If your CI/CD pipelines ran an npm install or if you updated your dependencies yesterday during the ~3-hour window (approx. 00:20 – 03:30 UTC), you may be compromised.

Pro-tip: Check your package-lock.json or yarn.lock immediately for these specific versions.

Audit: Run npm ls axios and check for the malicious versions.
Purge: If found, treat the environment as fully compromised. Wipe the machine or CI runner.
Rotate: Reset all API keys, SSH keys, and tokens that were accessible in that environment.
Pin: Revert to 1.14.0 or 0.30.3 and ensure you are using npm ci to respect lockfiles.

This is a stark reminder that Security > Functionality. Even the most trusted tools in our stack are part of our attack surface.

Stay vigilant. Verify your dependencies.

#CyberSecurity #Infosec #SupplyChainAttack #Javascript #NPM #Axios #WebSecurity #OpenSource
🚨 The Axios Supply Chain Attack Just Proved: “You Can Be Compromised Without Writing a Single Line of Code.”

On March 31, 2026, one of the most trusted npm packages — Axios (100M+ weekly downloads) — was compromised.
Not via a typo. Not via a random dependency. But through a hijacked maintainer account.

⚠️ What actually happened:
- Malicious versions: axios@1.14.1 & 0.30.4
- Attack window: ~2 hours
- Hidden dependency: "plain-crypto-js@4.2.1"
- Trigger: simply running "npm install"
- Result: Cross-platform Remote Access Trojan (RAT)

👉 Meaning: Your system, CI/CD pipeline, or production environment could be compromised just by installing dependencies.

🧠 Why this is scary:
- No code changes in Axios itself
- No visible red flags in "node_modules"
- Malware self-deletes traces
- Works across macOS, Windows, Linux
- Can execute arbitrary commands remotely

🎯 Who was at risk:
- Anyone who ran "npm install" during that window
- CI/CD pipelines without lockfile enforcement
- Projects with auto-updating dependencies

✅ What you should do NOW:
1. Check your lockfiles
   - Look for: "axios@1.14.1" or "0.30.4"
2. Search for malicious package
   - "plain-crypto-js"
3. If exposed → assume breach
   - Rotate ALL credentials (API keys, tokens, SSH)
   - Rebuild systems (don’t just clean)
   - Audit logs for suspicious activity
4. Prevent future attacks
   - Use "npm ci" instead of "npm install"
   - Commit and enforce lockfiles
   - Consider "--ignore-scripts" in CI
   - Add dependency security tools (Snyk, etc.)

💡 Real Lesson:
«Open-source risk is no longer about bad code — it’s about trusted code becoming weaponized.»

If you're a developer, this is your wake-up call. Security is no longer optional. It’s part of engineering.

#CyberSecurity #SupplyChainAttack #JavaScript #NodeJS #DevSecOps #Axios #OpenSource #SoftwareEngineering
This is not an April Fools' joke… it is quite real and perfectly timed to coincide with April Fools' Day. One thing I would note is the use of 1Password: it is difficult to steal credentials (easily) if they are never stored on your machine(s)… see below:

#!/usr/bin/env bash
# Pull API configuration from a 1Password item at run time instead of keeping it in a .env file.
set -euo pipefail

OP_ACCOUNT="QLJC7YLMJZF2NK67MPLY35NR7E"
OP_VAULT="euepvpdmqysvtonb63bm3ybcpa"
OP_ITEM_ID="3djme2zwhqxoellpksbtf3lrru"

echo "=== Retrieving config from 1Password (Convergint) ==="
ORG_ID=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields "Organization ID")
BASE_URL=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields "BASE_URL")
API_KEY=$(op item get "$OP_ITEM_ID" --vault "$OP_VAULT" --account "$OP_ACCOUNT" --reveal --fields credential)

echo "Instance: $BASE_URL"
echo "Org: $ORG_ID"

echo "=== Getting auth token ==="
# Exchange the API key for a session token; only the token is held in the shell variable.
TOKEN=$(curl -s -X POST "$BASE_URL/token" \
  -H "Content-Type: application/json" \
  -H "x-api-key: $API_KEY" \
  -d "{\"org_id\": \"$ORG_ID\"}" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
echo "Token acquired"
🚨 ATTENTION DEVELOPERS: The Axios Supply Chain Attack is real.

If you ran npm install or triggered a CI/CD pipeline today (March 31, 2026), you need to stop what you’re doing and check your machine.

One of the most used libraries in the world—Axios—was compromised. A maintainer's account was hijacked to push a Remote Access Trojan (RAT) directly into the code.

The "Infection Window": 00:21 to 03:29 UTC (approx. 3 hours).
The Poisoned Versions:
❌ axios@1.14.1
❌ axios@0.30.4

This isn’t just a "bug." This malware is designed to steal your .env files, SSH keys, and AWS credentials the second it hits your machine.

🔍 THE 30-SECOND SYSTEM CHECK
Open your terminal and check for these "hidden" files. If they exist, you are compromised:
🍎 MAC: ls /Library/Caches/com.apple.act.mond
🪟 WINDOWS: dir %PROGRAMDATA%\wt.exe
🐧 LINUX: ls /tmp/ld.py

🛠️ WHAT TO DO IF YOU ARE INFECTED:
-> Isolation: Disconnect the machine from the network.
-> Rotation: Assume every API key and password on that machine is now in the hands of attackers. Rotate them NOW.
-> Clean Slate: Don’t just delete the file. Reformat the drive or revert to a clean snapshot from before March 30th.

The malicious versions have been pulled from npm, but if it's already in your package-lock.json, your next build is a security hole.

Check your logs. Tag your team. Stay safe. 🛡️

#CyberSecurity #Javascript #Axios #DevOps #WebDevelopment #SoftwareEngineering #InfoSec
This is exactly what we do at Quome. Make it simple to secure yourself against this malicious activity, and make it simple to address it after the fact, by rotating keys for example.
🚨 Big Axios npm supply‑chain attack – every dev needs to pay attention

One of the most widely used JavaScript HTTP clients, axios, was hit by a sophisticated supply‑chain attack on March 31, 2026, when an attacker compromised the npm account of a core maintainer and published two malicious versions: axios@1.14.1 and axios@0.30.4. These poisoned versions quietly added a fake dependency plain-crypto-js@4.2.1, which executes a cross‑platform remote access trojan (RAT) via a postinstall script on Windows, Linux, and macOS.

What this means for teams
Builds running npm install (or Bun/Yarn equivalents) during that ~3‑hour window (00:21–03:30 UTC) could have installed the RAT. The malware was designed to harvest credentials, API keys, and crypto wallets, then self‑erase to avoid obvious traces in node_modules. Because axios has 80–100M+ weekly downloads, the blast radius is huge.

Immediate actions:
- Audit your repos and CI/CD pipelines for any use of axios@1.14.1 or axios@0.30.4.
- Remove affected artifacts, rescan systems, and rotate any exposed secrets.
- Upgrade to a clean, patched version and enforce trusted package‑source policies (SBOMs, lockfiles, and SCA tools).

This is a stark reminder: even the most trusted open‑source packages are now prime targets for supply‑chain attacks. Security teams and devs must treat every dependency as a potential attack surface.

#Cybersecurity #SupplyChainAttack #Axios #npm #JavaScript #DevSecOps #OSINT #ThreatIntelligence
Axios just got hacked. Here's what every developer needs to know.

Last night (March 30), North Korean hackers compromised the npm account of the lead maintainer of axios -- the JavaScript HTTP library downloaded 100M+ times per week.

They published two backdoored versions:
- axios@1.14.1 (tagged "latest")
- axios@0.30.4 (tagged "legacy")

Both contained a hidden dependency (plain-crypto-js) that deployed a cross-platform RAT (Remote Access Trojan) on macOS, Windows, and Linux.

The attack was live for ~3 hours before being detected. If you ran `npm install` during that window, your machine may be compromised.

What you should do RIGHT NOW:
1. Check your lockfile for axios@1.14.1 or @0.30.4
2. Search for "plain-crypto-js" in your node_modules
3. Rotate ALL secrets, API keys, and credentials
4. Enable 2FA on your npm account
5. Pin exact dependency versions
6. Consider using --ignore-scripts

This attack was attributed to UNC1069 by Google Threat Intelligence Group.

Supply chain attacks are not theoretical. They're happening to the packages you use every single day.

Share this with your team. One developer running npm install in that window could compromise your entire infrastructure.

#InfoSec #SupplyChainAttack #Axios #npm #CyberSecurity #DevSecOps #SoftwareEngineering #WebDevelopment #NodeJS #JavaScript
A major reminder for every developer today: Axios, one of the most widely used JavaScript HTTP clients, was compromised through a supply-chain attack.

This was not a vulnerability in Axios code itself. The issue came from a hijacked maintainer npm account, which published malicious versions of the package. The affected releases were axios@1.14.1 and axios@0.30.4.

Researchers found that these versions introduced a hidden dependency called plain-crypto-js, which triggered malware during installation through npm lifecycle scripts. That means a normal npm install could silently pull in malicious code.

Why this matters:
Even trusted open-source packages can become dangerous when the publishing account is compromised. In this case, the attack was designed to hit developers, CI/CD pipelines, and build systems that install the latest package versions automatically.

The clean rollback versions are axios@1.14.0 for the 1.x line and axios@0.30.3 for the 0.x line.

What should teams do right now?
Check lockfiles, dependency trees, and build logs for the affected versions. If either compromised version was installed, treat the machine or pipeline as potentially exposed and rotate secrets, tokens, and credentials.

This is a strong reminder that security is not only about writing safe code. It is also about protecting the supply chain, locking versions, reviewing dependency updates, and trusting packages carefully.

Elastic Security Labs has the deepest technical breakdown of what happened, including the compromised maintainer account, the malicious dependency, and how the payload behaved across macOS, Windows, and Linux.

Read more about it: https://lnkd.in/dgZAdag8

#CyberSecurity #SupplyChainSecurity #Axios #npm #JavaScript #NodeJS #DevSecOps #AppSec #OpenSourceSecurity #SoftwareSecurity #ReactJs #FullStackDeveloper #APIIntegration