lazarusholic

Axios NPM Distribution Compromised in Supply Chain Attack

2026-03-31, Wiz
https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack
#Axios #NPM

A compromised axios maintainer account led to malicious npm releases that propagated across environments. Learn how to assess impact, detect compromise, and secure your development workflows.
On March 31, 2026 (at 00:21 UTC for v1.14.1 and 01:00 UTC for v0.30.4), an unknown threat actor compromised the npm account of an axios maintainer and published two malicious versions of the npm package (v1.14.1, v0.30.4), which introduced a dependency on plain-crypto-js, a newly created malicious package. Although the malicious versions were removed within a few hours, axios’s widespread usage - present in ~80% of cloud and code environments and downloaded ~100 million times per week - enabled rapid exposure, with observed execution in 3% of affected environments. Organizations are strongly advised to audit their environments for potential execution of these versions (tracked as GHSA-fw8c-xr5c-95f9 and MAL-2026-2306).
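As an added defender-side check (not code from the Wiz post or the axios project), the script below scans a `package-lock.json` object for the two compromised axios releases named above and for any resolved or declared `plain-crypto-js` dependency. The sample lockfile, its other version numbers and its dependency range are constructed for the demonstration.

```javascript
// Added example: flag lockfile entries tied to the compromised axios releases.
// The two axios versions and the package name come from the advisory text;
// everything in SAMPLE_LOCK is constructed.
const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEPENDENCY = "plain-crypto-js";

// Walk every entry in a lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/axios" or "node_modules/foo/node_modules/axios"; the root
// project entry has the key "".
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (!name) continue; // skip the root project entry
    if (name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(meta.version)) {
      findings.push({ path, reason: `axios@${meta.version} is a compromised release` });
    }
    if (name === MALICIOUS_DEPENDENCY) {
      findings.push({ path, reason: `${name}@${meta.version} is the malicious dependency` });
    }
    // Catch the declared dependency even when a partial install left it unresolved.
    if (name === "axios" && meta.dependencies && MALICIOUS_DEPENDENCY in meta.dependencies) {
      findings.push({ path, reason: `axios@${meta.version} declares a dependency on ${MALICIOUS_DEPENDENCY}` });
    }
  }
  return findings;
}

// Constructed lockfile: one clean top-level axios plus a nested compromised copy
// pulled in by a transitive dependency (versions other than the two advisory
// versions are invented for the sample).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-lib/node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*" },
    },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

for (const f of findAffected(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

Run the same function over `JSON.parse(fs.readFileSync("package-lock.json"))` in each repository; a non-empty result means the environment should be treated as potentially having installed the malicious release and checked for execution.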
Technical Details
The malicious versions of axios differed from legitimate releases by …