Post Mortem: axios NPM supply chain compromise

Two malicious versions of the popular Axios library were briefly published to the npm registry on March 31, 2026, following a targeted social engineering attack on a maintainer.

Key Points

Malicious versions 1.14.1 and 0.30.4 were live on npm for approximately three hours before removal.
The compromised packages injected a remote access trojan via the dependency plain-crypto-js@4.2.1.
Affected users are advised to rotate all credentials and secrets on any machine where the malicious versions were installed.
The attacker gained access to the maintainer's npm account after a two-week social engineering campaign.
Future security measures include adopting OIDC publishing flows and implementing immutable release setups to prevent unauthorized access.

Why it Matters

This incident highlights the ongoing vulnerability of the software supply chain when high-impact open-source projects rely on individual maintainer accounts. It serves as a critical reminder for organizations to audit their dependencies and maintain strict security protocols for CI/CD environments.

Post Mortem: axios NPM supply chain compromise

Key Points

Why it Matters

Latest News

The tech news feed
that never sleeps.

Page not found

Post Mortem: axios NPM supply chain compromise

Key Points

Why it Matters

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Lose your laptop, not your data: 7 Windows settings to enable now

Here are the most costly travel scams to watch out for this summer

Latest News

Related Articles

The tech news feedthat never sleeps.

Page not found

The tech news feed
that never sleeps.