Meta description: Malicious versions of the Axios npm package (1.14.1 and 0.30.4) were published via a compromised maintainer account, injecting a hidden dependency that deploys a cross-platform remote access trojan. Here's what happened, who's affected, and how to check your exposure.

Snyk's blog is a source of information and advice for developers looking to ensure the security of their software applications. From vulnerability management and secure coding practices to compliance standards and threat intelligence, it covers a wide range of topics relevant to software security. Through practical tips, case studies, and expert commentary, the blog empowers developers to identify and address security vulnerabilities in their code, helping them build and maintain secure software applications in today's threat landscape.

Snyk

Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 via a compromised maintainer account. The packages included a hidden dependency, plain-crypto-js@4.2.1, whose postinstall hook deployed a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The dropper used double obfuscation and self-erasing techniques to avoid detection. The malicious versions were live for roughly three hours before removal. Anyone who ran npm install during that window should assume full system compromise, rotate all secrets, isolate affected machines, and rebuild environments. Mitigation advice includes using npm ci with committed lockfiles, enabling --ignore-scripts in CI, and auditing for indicators of compromise including outbound connections to sfrclak[.]com.

Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT

Snyk remediation and how to check your exposure

The bigger picture: Maintainer account security