
Axios npm Compromised in Supply Chain Attack, Malicious Versions Detected

A supply chain attack has targeted the Axios library on npm: malicious versions were published that directly affect developers who install them.

Affected Versions

  • axios@1.14.1 and axios@0.30.4

What Happened?

An attacker compromised a maintainer account and published versions that include a malicious dependency, plain-crypto-js@4.2.1. Axios itself does not use this dependency, but it executes via a postinstall script, so the malicious code runs automatically after installation on developer machines or in CI/CD.

What Does the Malicious Code Do?

  • Installs and runs a Remote Access Trojan (RAT).
  • Executes system commands via execSync.
  • Accesses files (fs) and system info (os).
  • Drops malicious files (e.g., in ProgramData on Windows).
  • Hides traces by renaming or deleting files.

Running these versions may grant the attacker full access to your system or environment.

Potential Impact

  • Leakage of API keys and tokens.
  • Compromised CI/CD pipelines and servers.
  • Unauthorized system control.
  • Exposure of sensitive project data.

What Should You Do Now?

  1. Use a safe version: axios@1.14.0 or axios@0.30.3
  2. Reinstall dependencies:
     rm -rf node_modules package-lock.json
     npm install
  3. Ensure the malicious package is not present: plain-crypto-js
  4. Rotate all credentials: API keys, access tokens, SSH keys
  5. Treat any environment that ran npm install recently as potentially compromised

Unexpected postinstall scripts in unused dependencies are a strong red flag.
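As an added example (not code from the original post), the following Node.js script audits a package-lock.json (lockfile v2/v3) for the indicators described above: the affected Axios versions, the plain-crypto-js dependency, and any package that npm recorded as running an install script. The sample lockfile is constructed; the real dependency tree of the malicious release is not given in the post.

```javascript
// Indicators named in the post above.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_DEP = "plain-crypto-js";

// Package name from a lockfile path such as "node_modules/axios" or "node_modules/@scope/name".
function packageName(path, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Audit a parsed package-lock.json (lockfile v2/v3, which has a "packages" map keyed by
// install path). Returns findings as { path, package, version, reason }.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = packageName(path, entry);
    const version = entry.version || "";
    if (name === "axios" && BAD_AXIOS_VERSIONS.has(version)) {
      findings.push({ path, package: name, version, reason: "compromised axios version" });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ path, package: name, version, reason: "malicious dependency present" });
    }
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    if (entry.hasInstallScript === true) {
      findings.push({ path, package: name, version, reason: "runs an install script; review it" });
    }
  }
  return findings;
}

// Constructed sample resembling an affected install (assumption: the real dependency
// tree of the malicious release is not given in the post).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.path}@${f.version}`);
```

To run it against a real project, pass the parsed lockfile instead of the sample: `auditLockfile(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))`.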

Important Note

Do not run this for now:

npm install axios@latest

Use a pinned version instead, such as axios@1.14.0

Conclusion

This incident highlights the risks of supply chain attacks and reinforces the importance of version pinning, dependency auditing, and avoiding blind trust in widely used packages.

