On March 31, 2026, one of the most widely used JavaScript libraries in the world, Axios, was compromised. An attacker took over the npm account of its lead maintainer and published backdoored versions that silently installed a Remote Access Trojan on every machine that installed one of them. Here's the full story.
What Is Axios?
If you're a JavaScript developer, you've probably used Axios. It's the go-to HTTP client library, with over 100 million weekly downloads on npm, and it's present in roughly 80% of cloud and code environments worldwide. A large share of React, Node.js and full-stack projects depend on it, directly or through another dependency.
That's exactly what made it the perfect target.
What Happened
Just after midnight UTC on March 31, an attacker compromised the npm account of "jasonsaayman," the lead Axios maintainer. They changed the account's email to a Proton Mail address under their control and then published two malicious versions: axios@1.14.1 (tagged as latest) and axios@0.30.4 (tagged as legacy).
The attacker didn't go through the project's normal GitHub Actions CI/CD pipeline. They published directly with the npm CLI, using a stolen long-lived access token, so none of the checks that run in that pipeline ever saw the release. A token like that is a bearer credential: whoever holds it can publish from any machine, with no pipeline and no involvement from the maintainer.
The Payload
The malicious versions added a hidden dependency, plain-crypto-js@4.2.1. That package carried a postinstall hook which silently downloaded and executed a cross-platform RAT (Remote Access Trojan) from an attacker-controlled server.
The RAT ran on Windows, macOS and Linux. npm runs lifecycle scripts such as postinstall by default, so the moment any developer workstation or CI/CD pipeline installed one of the two versions, the hook ran and the system was compromised, silently and completely.
The Damage
The timing worked in the attacker's favor: the versions went out in the early hours UTC, when few maintainers or users were awake to notice, which stretched the exposure window before anyone could respond. The malicious packages were live for approximately three hours before npm's security team pulled them.
But three hours was enough. According to Huntress, at least 135 endpoints across Windows, macOS and Linux contacted the attacker's command-and-control infrastructure during that window. Given Axios's install base, this is potentially one of the largest npm supply chain attacks in history.
How to Check If You're Affected
Run this in your project right now:
npm ls axios
If you see axios@1.14.1 or axios@0.30.4 anywhere in the tree, your system may be compromised. npm ls only reports what is currently installed in node_modules, so also search package-lock.json (and yarn.lock or pnpm-lock.yaml if you use those) for the two version numbers. Then check for the malicious dependency:
ls node_modules/plain-crypto-js
If that folder exists, treat the machine as compromised immediately: the package's postinstall hook runs during installation, so its presence means the hook already had its chance to execute.
How to Fix It
Immediate steps:
- Downgrade to axios@1.14.0 or axios@0.30.3, the last clean releases before the malicious ones.
- Delete plain-crypto-js from node_modules, and remove it from every lockfile that references it.
- Clear your npm, yarn and pnpm caches on all machines and build servers, so a cached copy of the bad tarball can't be reinstalled.
- Rotate all credentials and secrets that were reachable from any affected machine: npm and GitHub tokens, cloud keys, SSH keys, CI secrets, anything sitting in environment variables or dotfiles.
Deleting the package does not undo what its postinstall hook already did. On a machine where the hook ran, cleaning node_modules is cleanup, not remediation: rebuild the machine from a known-good image and rotate everything it could reach.
Prevent this in the future:
- Pin exact versions in package.json (use 1.14.0, not ^1.14.0). A caret range lets a plain npm install resolve to the newest matching release, which is exactly how a freshly published malicious patch version gets pulled in.
- Always use npm ci instead of npm install in your CI/CD pipelines. npm ci installs exactly what package-lock.json records and fails if the lockfile and package.json disagree, instead of resolving new versions.
- Commit your package-lock.json to version control, so every machine installs the same resolved tree.
- Consider a package release cooldown policy: reject packages published within the last 72 hours. The malicious versions were pulled after about three hours; a cooldown that long would have kept them out of every build.
- Enable npm provenance checks to verify packages were built through legitimate CI/CD. The malicious releases were pushed from the npm CLI with a stolen token rather than from the project's GitHub Actions workflow, so they would have carried no provenance attestation, and a policy that requires one would have rejected them.
- Where a build doesn't need lifecycle scripts, install with --ignore-scripts; the dropper here lived entirely in a postinstall hook.
The Lesson
This attack is a wake-up call. We run npm install on trust every day, but a single compromised maintainer account can turn a trusted library into a weapon. As developers, we need to take dependency security as seriously as we take the code we write ourselves.
Lock your versions. Audit your dependencies. And never assume that popular means safe.

