Axios npm Supply Chain Attack: Cross-Platform RAT Delivery via Compromised Maintainer Credentials

2026-03-31, PicusSecurity
https://www.picussecurity.com/resource/blog/axios-npm-supply-chain-attack-cross-platform-rat-delivery-via-compromised-maintainer-credentials
#Axios #NPM

Contents

Last updated on April 01, 2026
On March 31, 2026, automated malware detection systems flagged a live supply chain compromise targeting Axios, the JavaScript ecosystem's most widely adopted HTTP client library with approximately 83 million weekly downloads on npm. The attack injected a cross-platform remote access trojan (RAT) dropper through a malicious transitive dependency, [email protected], into two newly published Axios versions.
This analysis breaks down the compromise, the full attack lifecycle, affected components, and the incident response actions security teams must take immediately.
Nature of the Compromise: Credential Takeover and npm Registry Abuse
This is not a code vulnerability in the Axios source: no CVE applies here, and no flaw in Axios's logic was exploited. Instead, the attack targets a systemic weakness in the npm package ecosystem: the trust boundary between a package maintainer's credentials and the registry's publish pipeline.
The attacker compromised the …

IoC

http://sfrclak.com:8000
http://sfrclak.com