Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 30–31, 2026, after an attacker hijacked the primary maintainer's npm account. The attack introduced a fake dependency (plain-crypto-js@4.2.1) containing an obfuscated postinstall script that deployed a cross-platform remote access trojan on developer machines. The attack was highly sophisticated: the attacker pre-published a clean version of the fake package to avoid detection, then released the weaponized version across both axios release branches within 39 minutes. Laravel has responded by pinning axios to safe versions, running installs with --ignore-scripts by default, and blocking the attacker's domain on Laravel Cloud. Developers who installed the affected versions should treat their machines as compromised, remove the packages, rotate credentials, and consider reformatting affected systems.

From laravel-news.com