Hackers hijacked the npm account of Axios lead maintainer jasonsaayman Tuesday to publish malicious versions of the popular JavaScript library. Versions 1.14.1 and 0.30.4 injected a hidden dependency that deploys a cross-platform remote access trojan (RAT). The npm registry removed the packages within three hours. Anyone who ran npm install or update during the window of 00:21 to 03:15 UTC is likely compromised.
- Hackers hijacked the npm account of Axios maintainer jasonsaayman to publish malicious versions 1.14.1 and 0.30.4 on Tuesday.
- The compromised window lasted three hours, potentially affecting a portion of the 100 million weekly downloads recorded by the Axios library.
- Poisoned packages install a remote access trojan via the plain-crypto-js dependency, forcing developers to rotate all SSH keys and cloud credentials.
Hijacked Credentials and Postinstall Payloads
Attackers compromised jasonsaayman’s account and changed the registered email to ifstap@proton.me. They bypassed the project’s GitHub Actions CI/CD to manually publish the poisoned versions. The attack added a single hidden dependency: plain-crypto-js@4.2.1.
A postinstall script in the malicious package executes automatically during installation. The script contacts a command-and-control server to download platform-specific payloads for Windows, macOS, and Linux. The resulting malware gives attackers arbitrary code execution. Socket.dev and StepSecurity confirmed the RAT targets SSH keys, API tokens, and cloud access credentials.
Axios sees 80 million to 100 million weekly downloads. Millions of production systems in fintech and crypto platforms rely on the library for API calls. Projects using caret ranges in their package.json files may have auto-updated to the malicious versions.
Expert Warning and Mitigation
Feross Aboukhadijeh, founder of security firm Socket, urged developers to take immediate action following the discovery. “npm has removed the malicious versions,” Aboukhadijeh posted on X. “If you installed either before takedown, assume compromise. Rotate credentials.”
Security experts recommend rotating all SSH keys, database passwords, and cloud tokens. Access logs should be audited for unusual data exfiltration or privilege changes. node_modules should be checked for plain-crypto-js.
Registry officials at npm have suspended the compromised account and deprecated the malicious versions. The registry has signaled plans for mandatory two-factor authentication for maintainers of high-impact packages starting in the second quarter of 2026.
Chain Street’s Take
The Axios breach illustrates the fragility of open-source infrastructure. Attackers no longer need to find a zero-day vulnerability in Axios source code: they only need to compromise the credentials of a single volunteer maintainer.
Dependency hygiene is no longer an elective practice for enterprise developers. Proactive pinning of versions and the use of automated scanning tools are now requirements for production security. If you installed the affected versions today, the machine is no longer yours. Rotate everything.