Axios: Malicious Versions of axios Discovered on npm: A Deep Dive

In a significant cybersecurity incident, two malicious versions of the popular JavaScript HTTP client library axios were published on npm on March 31, 2026. The versions, v1.14.1 and v0.30.4, were live for approximately 2 hours and 53 minutes and 2 hours and 15 minutes, respectively, before being removed. This alarming breach was executed using compromised credentials from a lead maintainer of axios, raising serious concerns about the security of widely used open-source software.

The immediate circumstances surrounding the attack reveal that the malicious packages included a dependency known as plain-crypto-js@4.2.1, which was designed to evade detection by appearing legitimate. The attack was pre-staged over an 18-hour period before the malicious versions were made available to unsuspecting developers. During this time, the attacker changed the maintainer’s account email to an anonymous ProtonMail address, further obscuring their identity and intentions.

Axios is not just any library; it boasts over 100 million weekly downloads and is utilized in approximately 80% of cloud and code environments. This widespread usage underscores the potential impact of the attack, which was detected by StepSecurity’s AI Package Analyst and Harden-Runner tools. The malicious versions were observed to execute in 3% of affected environments, indicating that while the attack was contained, it still posed a significant risk to users who had inadvertently installed the compromised packages.

As organizations scramble to assess the fallout, experts are emphasizing the need for immediate audits of environments to check for potential execution of the malicious versions. “Organizations are strongly advised to audit their environments for potential execution of these versions,” a cybersecurity expert stated, highlighting the urgency of the situation. The attack has been described as “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” further illustrating the gravity of the breach.
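As a concrete form of the audit recommended above, here is an added example, written for this page and not code from the axios project or StepSecurity, that scans an npm package-lock.json for the two compromised axios versions and the plain-crypto-js@4.2.1 dependency named in this report. It assumes a lockfileVersion 2 or 3 file (the `packages` map); the sample lockfile embedded at the bottom is constructed for the demonstration, and `demo-app` and `legacy-lib` are made-up package names.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// compromised axios releases and the plain-crypto-js dependency this report names.
// Not code from axios or StepSecurity; the sample lockfile below is constructed.

// Indicators taken from the report: package name -> set of malicious versions.
const INDICATORS = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
  ["plain-crypto-js", new Set(["4.2.1"])],
]);

// Last path segment after "node_modules/", so nested and scoped packages resolve
// correctly: "node_modules/a/node_modules/@s/b" -> "@s/b". The root entry is "".
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk every entry in the lockfile's "packages" map and collect findings.
// Each finding carries the reasons it was flagged, so one entry is reported once.
function findIndicators(lockfile) {
  const findings = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = lockPath === "" ? "(root)" : nameFromLockPath(lockPath);
    const reasons = [];

    // 1. The entry itself is one of the known malicious releases.
    const badVersions = INDICATORS.get(name);
    if (badVersions && meta.version && badVersions.has(meta.version)) {
      reasons.push("known-malicious-version");
    }

    // 2. The entry declares plain-crypto-js as a regular or optional dependency,
    //    the package the report says the malicious axios builds pulled in.
    const deps = Object.assign({}, meta.dependencies, meta.optionalDependencies);
    if (Object.prototype.hasOwnProperty.call(deps, "plain-crypto-js")) {
      reasons.push("depends-on-plain-crypto-js@" + deps["plain-crypto-js"]);
    }

    if (reasons.length > 0) {
      findings.push({ name, version: meta.version || null, path: lockPath, reasons });
    }
  }
  return findings;
}

// Read and audit a lockfile from disk (CommonJS; require is resolved lazily so the
// pure functions above stay usable without filesystem access).
function auditLockfile(filePath) {
  const fs = require("fs");
  return findIndicators(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: a clean top-level axios plus a nested compromised copy pinned
// by a transitive dependency, so a version check must look past the top level.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.6.0", "legacy-lib": "2.0.0" } },
    "node_modules/axios": { version: "1.6.8" },
    "node_modules/legacy-lib": { version: "2.0.0", dependencies: { axios: "0.30.4" } },
    "node_modules/legacy-lib/node_modules/axios": {
      version: "0.30.4",
      dependencies: { "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
  },
};

// Usage: node audit-lockfile.js [path/to/package-lock.json]; without a path the sample is audited.
const target = process.argv.length > 2 && process.argv[2].endsWith(".json") ? process.argv[2] : null;
const results = target ? auditLockfile(target) : findIndicators(SAMPLE_LOCKFILE);
for (const f of results) {
  console.log(`${f.path || "(root)"}: ${f.name}@${f.version} [${f.reasons.join(", ")}]`);
}
```

A lockfile match tells you a compromised version was installable in that project, not that it ran; the article's point about execution is best answered by pairing this check with CI logs or runtime network monitoring of the kind that flagged the anomalous connection in the first place. Any hit should be treated as an incident, with the affected hosts and their CI secrets reviewed rather than simply upgraded.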

Interestingly, despite the malicious activity, it is crucial to note that there are “zero lines of malicious code inside axios itself,” which makes this attack particularly dangerous. The network connection made to the malicious package was automatically flagged as anomalous because it had never appeared in any prior workflow run, showcasing the importance of robust monitoring systems in detecting such threats.

In the aftermath of the incident, the malicious versions were swiftly removed from npm shortly after their discovery, but the implications of this attack extend beyond just the immediate threat. With over 12,000 public repositories utilizing StepSecurity’s Harden-Runner, the vulnerability landscape is vast, and the need for enhanced security measures in the open-source community is more pressing than ever.

As the dust settles, the axios community and its users are left grappling with the ramifications of this breach. The incident serves as a stark reminder of the vulnerabilities inherent in software supply chains and the critical need for vigilance in maintaining the integrity of widely used libraries. Details remain unconfirmed regarding the full extent of the attack and whether any further measures will be implemented to prevent similar incidents in the future.