
Axios npm Supply Chain Attack: Analysis and Response
On 31 March 2026, Axios, a widely used JavaScript library, was compromised in a supply chain attack. Axios is central to many web and mobile applications, with hundreds of millions of downloads weekly.
The Attack Mechanism
Attackers took control of the npm account for the Axios lead maintainer and published two malicious versions: axios@1.14.1 and axios@0.30.4. These were live on the official npm registry before being detected and removed.
The attack utilized a hidden dependency technique. The compromised releases included a package called plain-crypto-js@4.2.1, which was not part of the legitimate Axios codebase.
When developers used npm install, the hidden dependency executed a post-install script acting as a Remote Access Trojan (RAT). This allowed attackers to run commands, connect to a control server, and exfiltrate data from build systems or developer machines.
Supply Chain Risks
This was a supply chain attack because it targeted the distribution ecosystem rather than exploiting a bug in the library. By hijacking a maintainer account, the attackers bypassed code review entirely. Developers were compromised without writing any malicious code themselves.
Routine commands like npm install axios could bring in these malicious versions, depending on the project's dependency rules.
Governance and Security
As teams use AI tools to generate code and suggest libraries, the risk of installing compromised packages increases. Automation should not replace human verification. Dependencies must be audited, not just accepted because they are popular.
At Responsible AI Australia, we argue that innovation requires vigilance across the entire stack. This includes third-party libraries and build processes.
Immediate Protective Measures
Beyond the standard clean-and-reinstall approach, there are proactive steps you should take to defend your environment against future supply chain compromises:
- Enforce a minimum release age: You can prevent your build system from pulling in brand-new (and potentially unverified) packages by adding min-release-age=7 to your .npmrc file. This creates a 7-day "quarantine" period for new releases, allowing the community and security tools time to flag malicious versions.
- Protect your Pull Requests: Use the Socket for GitHub integration. It is a free tool that scans dependencies in real time as they are added to PRs, blocking those with known security risks or suspicious behaviors before they hit your main branch.
- Secure your local environment: Install the Socket Firewall (also available for free). It acts as a shield for your laptop, preventing malicious dependencies from making unauthorized network calls or exfiltrating data during development.
Recommended Actions
- Audit and pin dependencies: Use exact versions in your package.json instead of ranges.
- Review lockfiles: Check package-lock.json or yarn.lock for the malicious versions (1.14.1 or 0.30.4) and the plain-crypto-js dependency.
- Clean and reinstall: Delete node_modules and reinstall from a safe state.
- Rotate credentials: If your environment was exposed, rotate API keys, SSH keys, and tokens immediately.
- Use scanning tools: Use tools that flag unusual dependencies or install-time scripts.
The Axios incident proves that modern development is only as strong as its weakest link. Popularity does not equate to security. Responsible development requires that teams build safely, transparently, and with intentional oversight.

Syed Mosawi
Founder at Responsible AI Australia. Building certification frameworks to help organisations operationalise their AI governance and compliance.