Malicious axios versions 1.14.1 and 0.30.4 were published via a hijacked maintainer account. A hidden dependency deploys a cross-platform RAT. Check if you are affected and remediate now.

Aikido Security

The npm account of axios lead maintainer jasonsaayman was hijacked, resulting in two malicious versions (1.14.1 and 0.30.4) being published on March 31. Both versions inject a hidden dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The malware self-destructs after execution, making post-infection node_modules inspection ineffective. With ~100 million weekly downloads, this ranks among the most impactful npm supply chain attacks ever. Affected users should pin to safe versions (1.14.0 or 0.30.3), remove plain-crypto-js, rotate all credentials, and audit CI/CD logs. Indicators of compromise, file system artifacts, and network IOCs are provided for detection.

axios compromised on npm: maintainer account hijacked, RAT deployed