Axios npm Package Compromised in Supply Chain Attack, 100M+ Weekly Downloads Affected
Attackers hijacked the lead maintainer's npm account to publish malicious versions of the Axios HTTP client, deploying a cross-platform RAT via a phantom dependency.

The JavaScript ecosystem's most popular HTTP client, Axios, with over 100 million weekly npm downloads, was compromised on March 30, 2026, when attackers hijacked the lead maintainer's npm account and published two poisoned versions (1.14.1 and 0.30.4). The malicious code introduced a phantom dependency, plain-crypto-js@4.2.1, which executed a postinstall hook to deploy a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. After infection, the malware replaced its own files with clean decoys, making detection challenging.
The attack was pre-staged over approximately 18 hours. The attacker first published a clean decoy package, plain-crypto-js@4.2.0, to build registry history, then released the malicious plain-crypto-js@4.2.1 carrying the payload. Within six minutes of the malicious Axios versions being published, automated npm security scanners flagged the dependency as malware. npm's administrators removed all compromised versions and revoked tokens by approximately 03:30 UTC on March 31.
The attacker compromised the account of jasonsaayman, the lead maintainer of the Axios project on npm, changing the account's email address to an attacker-controlled ProtonMail address. Notably, every legitimate Axios 1.x release is published via GitHub Actions with npm's OIDC Trusted Publisher mechanism, which cryptographically binds the publish to a verified CI workflow. The malicious 1.14.1 was published manually with a stolen npm access token, with no OIDC binding and no gitHead. There is no commit, tag, or release in the Axios GitHub repository corresponding to either malicious version.
When an Axios collaborator, DigitalBrainJS, attempted to respond, the attacker used the hijacked credentials (which had admin-level permissions) to unpin and delete disclosure issues. The collaborator stated publicly: "It's pointless. Since access to git and the npm repository is compromised, and his git permissions are higher than mine. I'm a collaborator, not an admin. I can't revoke his access. Whatever I fix, he will 'fix' it after me."
The only change in both poisoned Axios versions is the addition of plain-crypto-js@^4.2.1 as a dependency. This package is never imported or require()'d anywhere in the Axios source code. It exists solely to trigger npm's automatic dependency resolution and execute its postinstall hook, a defining characteristic of a phantom dependency attack. The plain-crypto-js@4.2.1 package was flagged as known malware with a 0% supply chain security score by multiple automated scanners within minutes of publication.
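The check this paragraph implies can be automated. As an added defender-side example (not code from the Axios project or from the original article), the following Node.js script lists declared dependencies that no source file ever imports or requires, and reports which npm install-time lifecycle hooks each such dependency declares in its own manifest. All manifests and source snippets below are constructed to mirror the incident.

```javascript
// Added example, not Axios project code. Flags declared dependencies that no
// source file imports or requires, and reports npm install-time lifecycle
// hooks found in each such dependency's own manifest. All data is constructed.

// Reduce an import specifier to its package name: "@s/p/x" -> "@s/p", "a/b" -> "a".
// Relative, absolute and node: specifiers are not packages and yield null.
function moduleRoot(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Matches require('x'), import('x'), import ... from 'x', import 'x', export ... from 'x'.
const IMPORT_RE =
  /\brequire\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)|\b(?:import|export)\s+(?:[^'";]+?\s+from\s+)?['"]([^'"]+)['"]/g;

// Collect every package name referenced by any file in the sources map.
function referencedPackages(sources) {
  const seen = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const root = moduleRoot(m[1] || m[2] || m[3]);
      if (root) seen.add(root);
    }
  }
  return seen;
}

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return every runtime dependency in pkg that no source file references,
// together with the install-time scripts declared in that dependency's manifest.
function findPhantomDeps(pkg, sources, depManifests) {
  const used = referencedPackages(sources);
  return Object.keys(pkg.dependencies || {})
    .filter((name) => !used.has(name))
    .map((name) => {
      const scripts = (depManifests[name] || {}).scripts || {};
      return { name, installHooks: INSTALL_HOOKS.filter((h) => h in scripts) };
    });
}

// Constructed sample: one dependency is imported by the code, the other never is.
const SAMPLE_PKG = {
  name: 'axios', version: '1.14.1',
  dependencies: { 'follow-redirects': '^1.0.0', 'plain-crypto-js': '^4.2.1' },
};
const SAMPLE_SOURCES = {
  'src/http.js': "import followRedirects from 'follow-redirects';\nimport utils from '../utils.js';",
  'src/index.js': "const { helper } = require('./helpers/helper.js');",
};
const SAMPLE_DEP_MANIFESTS = {
  'follow-redirects': { scripts: {} },
  'plain-crypto-js': { scripts: { postinstall: 'node install.js' } }, // constructed hook
};

console.log(JSON.stringify(findPhantomDeps(SAMPLE_PKG, SAMPLE_SOURCES, SAMPLE_DEP_MANIFESTS)));
```

Run against a real checkout by loading package.json, the project's source tree, and each node_modules/<dep>/package.json in place of the constructed objects; a dependency that appears in the output with a non-empty installHooks list is the pattern described above and merits review before install.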
Trend Micro's telemetry observed activity consistent with this threat affecting organizations across multiple industries, including Government, Finance, Retail, Consulting, Entertainment, Manufacturing, Technology, Healthcare, and Utilities. The attack highlights critical gaps in supply chain security, especially around dependency pinning and CI/CD pipeline protections. The attacker bypassed GitHub Actions' OIDC Trusted Publisher safeguards by manually publishing poisoned versions using a stolen npm token, leaving no trace in the official GitHub repository.
This incident underscores the vulnerability of the open-source ecosystem to supply chain attacks, where a single compromised maintainer account can weaponize a widely used library. Users who installed Axios versions 1.14.1 or 0.30.4 should immediately rotate any credentials exposed on affected systems and scan for signs of the RAT. The broader lesson is that even packages with robust CI/CD protections can be undermined if attackers gain access to maintainer tokens with sufficient privileges.