
A compromised maintainer account led to malicious Axios releases that dropped a Remote Access Trojan on every machine that installed them. Here is how the attack unfolded and how to secure your pipelines.
On March 31, 2026, the JavaScript ecosystem took a severe hit. Axios, the immensely popular HTTP client with over 100 million weekly downloads, became the victim of a software supply chain attack. Threat actors hijacked the npm account of the lead Axios maintainer and used it to distribute persistent malware to developer machines and CI/CD pipelines.
# The Anatomy of the Compromise
The attackers, suspected to be the North Korean threat group UNC1069, did not go through the project's GitHub Actions release workflow at all. Instead they used a stolen, long-lived npm access token to publish two malicious versions of Axios directly to the registry: 1.14.1 on the current 1.x line and 0.30.4 on the legacy 0.x line. Because the releases were pushed straight to npm, a clean GitHub repository is no assurance that the registry copy is clean.
- Step 1: Account Takeover - The lead maintainer's npm credentials were hijacked, and the account's recovery email was changed to an attacker-controlled ProtonMail address.
- Step 2: Pre-staging - Roughly 18 hours before the main attack, a decoy package called 'plain-crypto-js' was published so that the name already existed on the registry with an innocuous-looking publishing history.
- Step 3: Injection - 'plain-crypto-js@4.2.1' was added as a runtime dependency of the two poisoned Axios releases, even though nothing in Axios imports it (a phantom dependency).
- Step 4: Detonation - A postinstall script inside that dependency silently dropped a cross-platform Remote Access Trojan (RAT) with payloads for macOS, Windows, and Linux.
# The Phantom Dependency Trap
The danger of this attack lay in its use of a 'phantom dependency.' The plain-crypto-js package was never imported or used anywhere in the Axios source code. It was listed in package.json for one reason only: npm runs a dependency's postinstall hook during installation whether or not any code ever requires it. That hook delivered the payload and then covered its tracks by replacing its own configuration files with clean decoys, so a later look at node_modules shows nothing unusual. Reviewing Axios's own source would not have revealed anything, because the payload lived in a separate package and ran at install time, not at import time.
# Are You Affected?
The poisoned packages were live on the npm registry for approximately three hours. If an automated CI/CD pipeline or a developer workstation ran 'npm install' during that window and resolved Axios through a semver range (for example ^1.14.0, which matches 1.14.1) rather than an exact version recorded in a lockfile, treat that environment as compromised. Anything that refreshes lockfiles automatically, such as 'npm update' or a dependency-update bot, carries the same risk.
| Package version | Status | Action required |
|---|---|---|
| axios 1.14.0 or earlier (1.x line) | Not affected by this incident | Pin to 1.14.0 |
| axios 0.30.3 or earlier (0.x line) | Not affected by this incident | Pin to 0.30.3 |
| axios@1.14.1 | Malicious | Treat environment as fully compromised |
| axios@0.30.4 | Malicious | Treat environment as fully compromised |
# Immediate Remediation Steps
- Audit Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for Axios versions 1.14.1 or 0.30.4 and for any reference at all to plain-crypto-js, and check CI build logs from the exposure window for the same names.
- Downgrade and Pin: Immediately move to Axios 1.14.0 or 0.30.3, commit the updated lockfile, and install with 'npm ci' so that the lockfile's exact versions and integrity hashes are honoured instead of being re-resolved from ranges.
- Rotate Secrets: Assume every environment variable and every credential reachable from an affected system was exfiltrated. Rotate npm tokens, cloud access keys, database credentials, and API tokens, and prefer rebuilding affected workstations and build runners from a known-good image over cleaning them in place.
- Clear Caches: Run 'npm cache clean --force' on all workstations and build servers, and purge any shared or proxy caches (such as an internal registry mirror) so the malicious tarballs cannot be served again.
- Disable Install Scripts: The payload needed a lifecycle hook to run. Setting 'ignore-scripts=true' in .npmrc (or 'npm config set ignore-scripts true') stops npm from running preinstall, install, and postinstall scripts for every package; the few packages that genuinely need them can then be allowed individually.
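The lockfile audit described above, together with the phantom-dependency mechanism it looks for, as an added example that is not code from the Axios project or from this article's author. It assumes only the indicators the article names (axios 1.14.1 and 0.30.4, plain-crypto-js 4.2.1); the two sample lockfiles are constructed for illustration, and the function names are the example's own. It reads npm lockfile v2/v3 ('packages' map) and v1 ('dependencies' tree) shapes, flags known-bad versions, any occurrence of the blocklisted name, any dependency edge pointing at it (the phantom dependency), and any package that declares an install script.

```javascript
// Added example (not from the Axios project): audit an npm lockfile for the
// indicators this article names. Indicator lists and the sample lockfiles below
// are constructed for illustration; extend them from the advisory you act on.

// Versions the article identifies as malicious.
const KNOWN_BAD_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
// axios never imports plain-crypto-js, so any occurrence at all is a red flag.
const BLOCKLISTED_NAMES = new Set(['plain-crypto-js']);

// Normalise both lockfile formats into a flat list of
// { path, name, version, requires, hasInstallScript }.
function lockfileEntries(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as "node_modules/axios".
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // the root project itself
      const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
      out.push({
        path: p,
        name,
        version: meta.version,
        requires: Object.keys(meta.dependencies || {}),
        hasInstallScript: Boolean(meta.hasInstallScript), // npm records this in v2/v3
      });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a nested tree under "dependencies" with "requires" maps.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        out.push({
          path: p,
          name,
          version: meta.version,
          requires: Object.keys(meta.requires || {}),
          hasInstallScript: false, // v1 lockfiles do not record install scripts
        });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

function auditLockfile(lock) {
  const findings = [];
  for (const e of lockfileEntries(lock)) {
    if (BLOCKLISTED_NAMES.has(e.name)) {
      findings.push({ severity: 'critical', path: e.path, reason: `blocklisted package ${e.name}@${e.version}` });
    } else if (KNOWN_BAD_VERSIONS[e.name]?.has(e.version)) {
      findings.push({ severity: 'critical', path: e.path, reason: `known-malicious ${e.name}@${e.version}` });
    }
    // The phantom dependency shows up as an edge even if the package itself was pruned.
    for (const d of e.requires.filter((dep) => BLOCKLISTED_NAMES.has(dep))) {
      findings.push({ severity: 'critical', path: e.path, reason: `${e.name}@${e.version} depends on blocklisted ${d}` });
    }
    // Install scripts were the delivery mechanism; worth a look even for unknown names.
    if (e.hasInstallScript) {
      findings.push({ severity: 'warn', path: e.path, reason: `${e.name}@${e.version} declares an install script` });
    }
  }
  return findings;
}

// Constructed sample lockfiles in the lockfileVersion 3 shape, not real registry data.
const POISONED_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};
const CLEAN_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { axios: '1.14.0' } },
    'node_modules/axios': { version: '1.14.0' },
  },
};

function loadLockfile(file) {
  return JSON.parse(require('fs').readFileSync(file, 'utf8'));
}

// Usage: node audit-lockfile.js [path/to/package-lock.json]
// Without an argument the constructed poisoned sample is audited.
const target = process.argv[2] ? loadLockfile(process.argv[2]) : POISONED_LOCKFILE;
for (const f of auditLockfile(target)) console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
```

Run against the poisoned sample this reports three critical findings (the bad axios version, its dependency edge to plain-crypto-js, and the blocklisted package itself) plus one warning for the install script; the clean sample reports nothing. The dependency-edge check matters because a partially cleaned tree can keep the edge in axios's entry after the plain-crypto-js directory has been deleted.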
"This is textbook supply chain installer malware. One compromised maintainer account, and a package that touches millions of systems becomes a weapon."
Written by Admin
Chief Editor
Expert contributor at Paperxify. Sharing insights on engineering, AI systems, and student success.