Axios npm Hijack 2026: Everything You Need to Know – IOCs, Impact & Remediation

2026-03-31, SOCRadar
https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/
#Axios #NPM

On March 31, 2026, a threat actor hijacked the npm account of the lead Axios maintainer and published two malicious versions of one of the world’s most popular JavaScript libraries – Axios (~100M weekly downloads). The malicious versions contained a hidden dependency that silently installed a cross-platform Remote Access Trojan (RAT) the moment any developer or CI/CD pipeline ran npm install.

The malicious versions ([email protected] and [email protected]) were live for approximately 2–3 hours before npm removed them.

If you’re using [email protected] or older → You are not affected.
If you ran npm install between ~00:21–03:15 UTC on March 31, 2026 → Treat affected machines as fully compromised.
Fastest check: Search your lockfiles for [email protected], [email protected], or [email protected].
Timeline of the Axios npm compromise, highlighting the staged plain-crypto-js package and the malicious axios releases published through the hijacked maintainer account. (X)
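The lockfile check described above, as an added example that is not code from SOCRadar or the Axios project: a function that walks a parsed `package-lock.json` (both the flat `packages` map and the older nested `dependencies` tree) and reports flagged entries, including transitive copies. The axios versions in `FLAGGED` are placeholders to be replaced with the versions from the advisory, and treating any version of `plain-crypto-js` as suspect is an assumption of this example; `SAMPLE_LOCK` is constructed.

```javascript
// PLACEHOLDER versions, not real indicators: fill in from the advisory.
// "*" means "flag any version" (an assumption made for this example).
const FLAGGED = {
  "axios": ["0.0.0-PLACEHOLDER-A", "0.0.0-PLACEHOLDER-B"],
  "plain-crypto-js": "*",
};

function isFlagged(name, version, flagged) {
  // Own-property check so names like "constructor" never match by accident.
  if (!Object.prototype.hasOwnProperty.call(flagged, name)) return false;
  const rule = flagged[name];
  return rule === "*" || rule.includes(version);
}

// Returns [{ name, version, path }] for every flagged entry in the lockfile.
function scanLockfile(lock, flagged = FLAGGED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // "" (root project) or a local workspace folder
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (isFlagged(name, meta.version, flagged)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${name}`;
      if (isFlagged(name, meta.version, flagged)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: one flagged axios, one nested plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-PLACEHOLDER-A" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "9.9.9" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`; an empty array means none of the flagged entries are pinned in that lockfile.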
