Critical Supply Chain Attack Compromises Popular Axios NPM Package with Remote Access Trojan
Key Takeaways
- Two malicious Axios npm versions (v1.14.1 and v0.30.4) deployed a platform-specific remote access trojan via a fake post-install dependency called 'plain-crypto-js'
- Despite being available for only three hours, the attack potentially affected millions of deployments given Axios's 100 million weekly downloads across JavaScript applications
- The RAT enables threat actors to exfiltrate credentials and execute arbitrary payloads, creating significant risk of follow-on attacks and credential compromise across the supply chain
Summary
On March 31, 2026, two malicious versions of the widely used Axios JavaScript library (v1.14.1 and v0.30.4) were deployed to the official npm repository in a sophisticated supply chain attack discovered and investigated by Cisco Talos. Axios is downloaded approximately 100 million times per week, making this a critical security incident potentially affecting millions of applications and organizations. The malicious packages were available for only three hours but introduced a fake runtime dependency that automatically executes a platform-specific remote access trojan (RAT) without user interaction.
The attack leveraged a post-install script that deploys different payloads depending on the operating system: a binary for macOS, a PowerShell script for Windows, and a Python backdoor for Linux. All payloads communicate with actor-controlled infrastructure to exfiltrate system information and credentials, enabling the threat actors to gain persistent remote access and deploy additional malicious code. Cisco Talos strongly recommends that all organizations immediately roll back to known safe versions (v1.14.0 or v0.30.3), investigate systems that downloaded the malicious packages, and treat all credentials on affected systems as compromised and rotate them immediately.
- Organizations must immediately roll back to safe versions, investigate all affected systems, and rotate all credentials present on compromised machines
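As an added example (not code from the Talos report), a Node.js check that walks a parsed package-lock.json and flags the two malicious axios versions and the 'plain-crypto-js' dependency named above; the lockfile shapes assumed are npm's own (v1 nested `dependencies`, v2/v3 flat `packages`), and the sample lockfile is constructed.

```javascript
const MALICIOUS_AXIOS = new Set(["1.14.1", "0.30.4"]);
const SAFE_AXIOS = { "1": "1.14.0", "0": "0.30.3" }; // rollback targets named in the advisory
const FAKE_DEPENDENCY = "plain-crypto-js";

// Yield [name, version] for every installed package in a parsed lockfile.
function* installedPackages(lock) {
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      // Works for nested and scoped paths, e.g. node_modules/a/node_modules/@s/b
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      yield [name, meta.version];
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = function* (deps) {
      for (const [name, meta] of Object.entries(deps)) {
        yield [name, meta.version];
        if (meta.dependencies) yield* walk(meta.dependencies);
      }
    };
    yield* walk(lock.dependencies);
  }
}

// Return one finding per matched indicator; an empty array means none matched.
function scanLockfile(lock) {
  const findings = [];
  for (const [name, version] of installedPackages(lock)) {
    if (name === "axios" && MALICIOUS_AXIOS.has(version)) {
      const safe = SAFE_AXIOS[version.split(".")[0]];
      findings.push({ name, version, reason: `malicious axios release; roll back to ${safe}` });
    } else if (name === FAKE_DEPENDENCY) {
      findings.push({ name, version, reason: "fake post-install dependency from the axios compromise" });
    }
  }
  return findings;
}

// Constructed sample lockfile (v3 shape); the plain-crypto-js version here is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile`; any finding means the host falls under the rollback, investigation and credential-rotation steps above.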
Editorial Opinion
This supply chain attack on Axios represents a critical vulnerability in the open-source JavaScript ecosystem and highlights the persistent risk that popular libraries pose when compromised. The fact that such a widely-downloaded package could be poisoned—even briefly—underscores the need for stronger package integrity verification, faster detection mechanisms, and more robust dependency management practices across the industry. Organizations relying on npm packages should urgently audit their supply chain security posture and implement stricter controls around dependency updates.