On March 31, 2026, two versions of the Axios library were compromised and found to contain a Remote Access Trojan. The malicious packages were published through a hijacked maintainer account. The Axio

InfoQ is a leading online platform for software developers, architects, and technical leaders, providing news, articles, presentations, and interviews on a wide range of topics, including agile practices, DevOps, microservices, and emerging technologies. With a focus on quality content and expert insights, InfoQ helps professionals stay informed about the latest trends, best practices, and industry developments. Developers can learn from real-world experiences, gain  knowledge, and connect with peers in the global software community through InfoQ's diverse and engaging content.

InfoQ

On March 31, 2026, two versions of the Axios npm library (axios@1.14.1 and axios@0.30.4) were compromised via a hijacked maintainer account and found to contain a Remote Access Trojan. The malicious packages included a poisoned transitive dependency (plain-crypto-js@4.2.1), a typosquat of crypto-js. Socket's automated scanner detected the threat within six minutes. Projects using unpinned caret ranges silently pulled in the malware. The Axios team has deprecated the affected versions and is investigating a long-lived npm token as the likely attack vector. Security experts recommend pinning dependencies, setting ignore-scripts=true in .npmrc, and considering leaner HTTP client alternatives like fetch, got, or ky.

Axios npm Package Compromised in Supply Chain Attack