Malicious Code Injected into Popular Axios Packages Following NPM Account Compromise
AI-generated from multiple sources. Verify before acting on this reporting.
LOS ANGELES — A malicious version of the widely used Axios HTTP client library was distributed through the npm registry on March 31, 2026, following the compromise of an account associated with the package’s maintenance.
The incident involved versions 1.14.1 and 0.30.4 of the Axios package, which were injected with a dependency on a malicious version of the plain-crypto-js library, version 4.2.1. The compromised packages were published to the npm registry at 06:44:05 UTC on March 31, 2026.
Security researchers identified that the injected dependency contained remote access trojan (RAT) malware capable of operating across multiple platforms. The malware was designed to execute on systems that installed the compromised Axios packages, potentially allowing unauthorized remote control of affected devices.
The specific identity of the actor or actors responsible for the account compromise remains unknown. No claim of responsibility has been made, and the method used to gain access to the npm account has not been disclosed. The scope of the compromise is currently under investigation, with efforts underway to determine how many developers and organizations may have installed the malicious versions.
Axios is a foundational tool in modern web development, used extensively for making HTTP requests in both browser and Node.js environments. The widespread adoption of the library means that the impact of the compromised versions could be significant across various sectors, including enterprise applications, startups, and open-source projects.
Developers who installed the affected versions are advised to immediately audit their dependencies and remove the malicious plain-crypto-js@4.2.1 package. System administrators should scan networks for signs of RAT activity and monitor for unauthorized access or data exfiltration. The npm registry has since removed the malicious versions, but the compromised packages may still exist in local caches or dependency trees of affected systems.
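To make the audit step concrete, the following script (an added example, not part of the original report or of the Axios project) walks a `package-lock.json` and reports any installed copy of the versions named above: `axios` 1.14.1 or 0.30.4 and `plain-crypto-js` 4.2.1. It handles both the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1, because a compromised copy is often pulled in transitively by another package rather than installed directly. The sample lockfile, the package name `some-sdk`, and every version other than the three affected ones are constructed for the demonstration and say nothing about which real releases are clean.

```python
"""Scan a package-lock.json for the package versions named in this report.

Added example, not from the original report. The affected versions
(axios 1.14.1 / 0.30.4, plain-crypto-js 4.2.1) are taken from the text;
the lockfile content below is constructed for the demonstration.
"""
import json

# name -> set of affected versions, as stated in the report
AFFECTED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def package_name_from_path(path):
    """Return the package name for a lockfile v2/v3 'packages' key.

    Keys look like 'node_modules/axios' or
    'node_modules/foo/node_modules/@scope/bar'; the name is everything
    after the last 'node_modules/' segment. The empty key is the root
    project itself and has no package name.
    """
    if not path:
        return None
    return path.rsplit("node_modules/", 1)[-1]


def iter_lock_entries(lock):
    """Yield (name, version, location) for every resolved package.

    Handles lockfileVersion 2/3 ('packages') and v1 ('dependencies',
    nested per installed copy).
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            name = package_name_from_path(path)
            if name and isinstance(meta, dict) and "version" in meta:
                yield name, meta["version"], path
        return

    def walk(deps, prefix):
        for name, meta in (deps or {}).items():
            loc = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], loc
            # v1 nests the dependencies of each installed copy under it
            yield from walk(meta.get("dependencies"), loc + "/")

    yield from walk(lock.get("dependencies"), "")


def find_affected(lock):
    """Return a sorted list of (name, version, location) that match AFFECTED."""
    hits = []
    for name, version, loc in iter_lock_entries(lock):
        if version in AFFECTED.get(name, ()):
            hits.append((name, version, loc))
    return sorted(hits)


def scan_lockfile_text(text):
    """Parse lockfile JSON text and return the affected entries."""
    return find_affected(json.loads(text))


# Constructed sample lockfile (v3 shape). 'some-sdk' and the non-affected
# version numbers are placeholders; only the nested copy of axios and the
# plain-crypto-js it pulled in carry the versions named in the report.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.0.0"},
        "node_modules/some-sdk": {"version": "2.3.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-sdk/node_modules/plain-crypto-js": {"version": "4.2.1"},
    },
})

if __name__ == "__main__":
    for name, version, loc in scan_lockfile_text(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version} at {loc}")
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of that project's `package-lock.json`; a match under a nested `node_modules/` path means the affected copy arrived through another dependency, so the fix is to update or override that parent's requirement rather than only the top-level one. Because the lockfile records what was resolved, not what is cached, clearing the local npm cache after removing the package is still a separate step.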
The incident highlights the ongoing risks associated with supply chain attacks in the software development ecosystem. Compromised package registries can serve as vectors for distributing malware to a vast number of downstream users, often without immediate detection.
Questions remain regarding the full extent of the breach and whether other packages associated with the compromised account were similarly affected. Investigators are working to trace the origin of the attack and determine if any data was exfiltrated from systems that installed the malicious code. The npm team has not yet released a detailed timeline of the incident or confirmed whether additional security measures are being implemented to prevent similar compromises in the future.
As of now, no specific organizations have publicly confirmed that they were impacted by the attack. The situation remains fluid, with security teams continuing to assess the threat landscape and advise on mitigation strategies.