Axios, a hugely popular JavaScript library with 100 million weekly downloads, has been hit by a critical supply chain attack. In a recurring open-source security crisis, developers unknowingly pulled a remote-access trojan from compromised releases.
The lead maintainer of axios, one of the most popular NPM packages, had his account hijacked, allowing attackers to publish new axios releases containing malware. Cybersecurity researchers are alerting developers not to upgrade and check for potential compromise.
Axios is a JavaScript library to make HTTP requests from browsers and Node.js environments, used in millions of projects to simplify communication with APIs. Developers favor it for built-in data transformation, request cancellation, timeout controls, and error handling.
The poisoned axios releases include versions 1.14.1 and 0.30.4. They include a new dependency “[email protected],” which executes a post-install script dropping a remote access trojan (RAT) targeting major OSes: Linux, macOS, and Windows. The RAT pulls second-stage malware from an attacker-controlled server.
“Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline. The attacker changed the maintainer's account email to an anonymous ProtonMail address and manually published the poisoned packages via the npm CLI,” StepSecurity said in a new research about the axios compromise.
The implications are devastating. According to Feross Aboukhadijeh, a security expert and founder and CEO of Socket Security, axios is one of NPM’s most depended-on packages.
“This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.” Aboukhadijeh posted on X.
At the time of writing, the malicious versions have been removed. However, security researchers still recommend developers pin their dependencies to the known safe versions.
Over the past month, a domino effect of supply chain attacks has brought down major repositories. A threat actor, TeamPCP, infiltrated Trivy, a popular security tool, which led to the compromise of LiteLLM, a very popular Python library. Later, the hackers injected malware into Telnyx.
It remains unclear whether the axios attack is related to earlier compromises, but each successful breach hands attackers fresh credentials and initial access to further repositories.
Carefully prepared attack
StepSecurity researchers noted that the axios attack was not opportunistic, and the malicious dependency was staged 18 hours in advance.
“Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package,” the report reads.
To publish malicious packages, the attacker used the compromised NPM account of “jasonsaayman,” who is the primary maintainer of the axios project. This made the releases indistinguishable from legitimate ones. The attacker changed the account's email to their ProtonMail address “ifstap@protonp[.]me.”
“[email protected] had been live for approximately 2 hours 53 minutes; [email protected] for approximately 2 hours 15 minutes,” the researchers noted.
Curious what others think about this story? Contribute your thoughts to the debate below.
The attacker published the packages using a stolen NPM token, bypassing GitHub entirely and skipping automated security checks applied to legitimate releases.
The malicious package “[email protected]” was published using a separate account. It was removed from the NPM registry 4 hours and 27 minutes after it was published.
First victims confirmed
Huntress researchers detected the first infections just 89 seconds after the first malicious package went live.
At least 135 systems belonging to the security company's customers alone were infected during the exposure window of less than three hours.
“Any environment that ran npm install during that window may have executed the payload automatically. Developer workstations and CI/CD runners, which routinely hold SSH keys, cloud credentials, and API tokens, are the highest-value targets here,” warns John Hammond, Senior Principal Security Researcher at Huntress.
The axios maintainer, jasonsaayman, was unaware of the exact method by which the attacker have compromised the account.
“I’m trying to get support to understand how this even happened. I have 2fa / mfa on practically everything I interact with,” jasonsaayman posted on GitHub.
Huntress explains that alongside the secure login method (OIDC, Open ID Connect), the publish workflow still used NPM_TOKEN as an environmental variable, which was abused to publish the malicious code.
“The long-lived token was effectively the authentication method for all publishes, regardless of OIDC configuration,” Hammond said.
What is the malware capable of?
Developers who installed or updated to the compromised axios versions are advised to assume full system compromise.
The added plain-crypto-js dependency, masquerading as another legitimate JavaScript library of crypto standards, contained a postinstall hook, which executes automatically without any user action on every NPM install.
“When a developer runs npm install [email protected], npm resolves the dependency tree and installs [email protected] automatically. npm then executes plain-crypto-js’s postinstall script, launching the dropper,” StepSecurity explains.
The obfuscated loader is designed to cover its tracks – after decoding hidden instructions and running malicious commands in the background, it wipes all traces of itself.
The payloads are platform-specific. On macOS, the malware silently hid a trojan inside a system folder using a filename resembling a legitimate Apple background process. On Windows, malware ran a PowerShell script that downloads the trojan disguised as a Windows Terminal executable. On Linux, the malware was delivered as a Python script.
All three versions communicate with the same command and control infrastructure.
“Our analysis shows the malicious package deploys a multi-stage payload, including a remote access trojan (RAT) capable of executing arbitrary commands, exfiltrating system data, and persisting on infected machines,” the Socket Research Team said in its report.
One of the obtained second-stage payloads for macOS fingerprints the system and contacts the attacker's server every 60 seconds, allowing them to run any command or install additional malware. No crypto stealers or ransomware components were found, suggesting that the attack was not financially motivated.
“At this time, we have not observed any evidence linking this activity to the recently reported TeamPCP campaigns,” the Socket researchers said.
Open Source Malware reports that the malware scans sensitive folders, useful for targeting .ssh, .aws, and other configuration directories.
Developers advised to isolate infected systems
Security researchers recommend that anyone who installed the compromised axios versions immediately remove their systems from the network to prevent any further communication with command and control servers.
The systems should be rebuilt from a known good state, and transitive dependencies should be pinned to specific versions.
“Rotate all credentials on any system where the malicious package ran: npm tokens, AWS access keys, SSH private keys, cloud credentials (GCP, Azure), CI/CD secrets, and any values present in .env files accessible at install time,” the researchers at StepSecurity warn.
Updated on March 31st [10:30 a.m. GMT] with additional information from Huntress.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked