
Axios npm compromise drops RAT


// SECURITY INCIDENT

Two malicious npm releases, `1.14.1` and `0.30.4`, were published from a compromised maintainer account and used a hidden dependency to trigger a postinstall remote access trojan. Because Axios is a default HTTP client across Node and browser apps, the supply-chain blast radius is unusually large.

// ANALYSIS

This is a textbook package-reputation attack: the source code stayed clean, but the release pipeline was hijacked, which is exactly where modern dependency defenses need to focus.

  • `plain-crypto-js@4.2.1` appears to have been added purely as a phantom dependency to run `postinstall`, so source review of axios itself would not catch the payload.
  • The malicious publish hit both the modern `1.x` line and the legacy `0.x` line, which widens exposure across teams with different pinning habits.
  • StepSecurity’s guidance is blunt: treat installs of `axios@1.14.1` or `axios@0.30.4` as compromised, roll back to the last known-good versions, and rotate secrets on affected hosts.
  • The incident also shows why trusted publishing and provenance checks matter; Axios’s normal GitHub Actions/OIDC release pattern was bypassed here.
  • For defenders, this is a reminder to monitor npm egress, lock dependency ranges, and flag any package that introduces an unused runtime dependency without a corresponding source change.

// TAGS

axios, api, sdk, open-source, safety

DISCOVERED: 2026-03-31
PUBLISHED: 2026-03-31
RELEVANCE: 9/10
AUTHOR: mtud