Axios npm package compromised to deploy malware
March 31, 2026
Written by Sophos Counter Threat Unit Research Team
On March 30, 2026, a supply chain security attack targeted Axios, a widely used JavaScript HTTP client for web and Node.js applications. Third-party researchers identified that Axios versions 1.14.1 and 0.30.4 published to the npm registry were compromised following the apparent takeover of a legitimate maintainer account. An attacker published unauthorized package updates that appeared legitimate.
The affected releases introduced a malicious dependency that executes during installation and deploys a cross‑platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform‑specific second‑stage payloads. After execution, the malware attempts to remove installation artifacts and replaces its own package metadata with a clean version to evade forensic detection.
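The following is an added example, not code from Sophos or the Axios project: a lockfile audit that flags the two Axios versions named above wherever they were resolved in the dependency tree, and separately lists packages that declare install-time scripts. It reads the lockfile rather than `node_modules` because the malware is described as replacing its own package metadata on disk; the `SAMPLE_LOCK` contents and the function names are constructed for illustration.

```javascript
// Added example, not Sophos code. Affected versions are taken from the advisory text.
const AFFECTED = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);

// Derive the package name from a lockfile v2/v3 key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function record(findings, name, version, path, hasInstallScript) {
  if (AFFECTED.get(name)?.has(version)) {
    findings.affected.push({ name, version, path });
  } else if (hasInstallScript) {
    // Not an indicator on its own: these packages run code at install time,
    // the mechanism the advisory describes, so they merit review.
    findings.installScripts.push({ name, version, path });
  }
}

// lockfileVersion 1 stores a nested "dependencies" tree.
function walkTree(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    record(findings, name, meta.version, path, false);
    walkTree(meta.dependencies, `${path}/`, findings);
  }
}

// Accepts a parsed package-lock.json object (lockfileVersion 1, 2 or 3).
function auditLockfile(lock) {
  const findings = { affected: [], installScripts: [] };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || meta.link) continue; // skip root project and workspace links
      record(findings, meta.name || nameFromPath(path), meta.version, path,
             Boolean(meta.hasInstallScript));
    }
  } else {
    walkTree(lock.dependencies, "", findings);
  }
  return findings;
}

// Constructed sample lockfile (not from the advisory).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/legacy-client/node_modules/axios": { version: "0.30.4" },
  "node_modules/@demo/http/node_modules/axios": { version: "1.13.0" },
  "node_modules/native-addon": { version: "2.0.0", hasInstallScript: true } } };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile`; entries under `affected` include transitive copies nested beneath other packages.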
Sophos observations
Activity related to this …