Most developers install dependencies without thinking twice. A quick npm install (the command used to download code packages into a project) and the work continues. But on March 31, that routine step briefly became a security risk.

Two compromised versions of Axios, one of the most widely used JavaScript libraries, were published on npm, exposing developers to malware through what appeared to be legitimate updates.

Axios is a core part of modern JavaScript development. It is used to send and receive data in applications, from frontends to backend services and APIs. Because of how widely it is used, a single compromised release can spread quickly across thousands of projects.

How the Attack Worked

That is exactly what happened. Security researchers at StepSecurity discovered that two versions of Axios — 1.14.1 and 0.30.4 — had been published using the compromised credentials of a project maintainer. At first glance the releases looked legitimate because they came from the maintainer’s npm account and appeared in the official package history.

According to StepSecurity, the attacker avoided modifying the Axios code itself. Instead, they quietly added a new dependency designed to run malware during installation.

“This attack did not place malicious code inside the Axios source code,” StepSecurity researchers explained in their analysis. “Instead, a dependency was injected whose only purpose was to execute a post-install script that deploys a cross-platform remote access trojan.”

The inserted package, plain-crypto-js@4.2.1, was never referenced anywhere in the Axios codebase. Its sole purpose was to trigger a script when developers installed the package. Once activated, the script downloaded malware capable of running on Windows, macOS, and Linux systems.

StepSecurity said the malware contacted a remote command-and-control server to retrieve additional payloads tailored for the victim’s operating system.

“The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads,” the researchers noted. “After execution, the malware deletes itself and replaces its own package metadata with a clean version to hide evidence of the compromise.”

Timeline of the Attack

The attack itself was carefully staged. Nearly a full day before the malicious Axios versions appeared, the attacker uploaded a harmless version of the fake dependency to npm. StepSecurity said this step helped establish a publishing history for the package and reduced the chance that automated scanners would flag it as suspicious.

Late on March 30, the dependency was updated with the malicious payload. Shortly after midnight on March 31, the compromised Axios versions were released, first targeting the modern 1.x branch and then the older 0.x branch less than an hour later.

“By publishing malicious releases across both branches, the attacker maximised the number of projects that could be exposed,” StepSecurity said.

How Developers Can Stay Safe

Developers who installed axios@1.14.1 or axios@0.30.4 during that window are advised to treat affected systems as potentially compromised. StepSecurity recommends downgrading to axios@1.14.0 or axios@0.30.3, rotating credentials used on affected machines, and reviewing network logs for suspicious connections.

The incident adds to a growing list of supply-chain attacks targeting open-source software. As development ecosystems grow more interconnected, security researchers warn that trusted packages are becoming attractive targets. “Because Axios is used in such a large portion of the JavaScript ecosystem, even a brief compromise can have a wide blast radius,” StepSecurity said.
