Overview
A threat actor successfully hijacked the account of the lead maintainer of Axios, one of the most widely used JavaScript libraries for handling HTTP requests. The compromised account was used to publish malicious versions of the package to the NPM registry, embedding a remote access trojan (RAT) capable of targeting Windows, macOS, and Linux devices.
Affected Versions
Security researchers identified two malicious releases:
- Version 1.14.1 — contained the RAT payload
- Version 0.30.4 — also contained the RAT payload
Any developer or automated pipeline that pulled these versions during their availability window may have introduced a backdoor into their build environment or end-user application.
Scale and Impact
Axios reports over 100 million weekly downloads, making it one of the most depended-upon libraries in the JavaScript ecosystem. The breadth of its adoption significantly amplifies the potential blast radius of this supply chain compromise. Affected environments span all major operating systems, increasing the attack surface beyond typical platform-specific threats.
Attack Vector: Account Takeover
Rather than exploiting a vulnerability in the library's code itself, the attacker leveraged an account takeover of the lead maintainer's NPM credentials. This method bypasses traditional code review processes, as the malicious versions were published through a legitimately trusted account. This technique is increasingly favored in supply chain attacks due to the implicit trust developers place in established package maintainers.
Recommendations
- Immediately audit your dependency tree for versions 1.14.1 or 0.30.4 of Axios and remove or downgrade them.
- Scan build environments and deployed systems for indicators of RAT activity or unauthorized remote connections.
- Enable NPM two-factor authentication and monitor for unexpected package publications on all maintained libraries.
- Consider implementing software composition analysis (SCA) tools that flag newly published or updated dependencies before inclusion in builds.
- Review CI/CD pipeline logs for any automated installations of the affected versions.
Broader Context
This incident is consistent with a growing trend of supply chain attacks targeting open-source package registries. High-impact libraries with large download counts are attractive targets, as a single compromised version can propagate malware across thousands of downstream projects simultaneously. Developers and security teams are urged to treat dependency updates with the same scrutiny applied to first-party code changes.
Source: Critical compromise: Axios NPM library with 100M weekly downloads is delivering malware — Cybernews | The Verge