Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise

2026-04-02, Socket
https://socket.dev/blog/axios-maintainer-confirms-social-engineering-behind-npm-compromise
#Axios #NPM

Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
On March 31, two malicious versions of Axios were briefly published to npm, introducing a dependency that installed a remote access trojan across macOS, Windows, and Linux.
We covered the initial attack and its scope earlier, as well as a deeper technical analysis of its hidden blast radius and how dependency resolution expanded its impact exponentially.
Now, the project’s lead maintainer has shared additional details about how the compromise occurred.
In a comment on GitHub, Axios maintainer Jason Saayman explained that the attack was the result of a targeted social engineering campaign.
He reported that the attacker posed as a legitimate, …