On March 31, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: [email protected] and [email protected]. Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline. The attacker changed the maintainer's account email to an anonymous ProtonMail address and manually published the poisoned packages via the npm CLI.
The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.
Neither malicious version contains a single line of malicious code inside axios itself. Instead, both inject a fake dependency, [email protected], a package that is never imported anywhere in the axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT). The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json with a clean decoy, leaving a developer who inspects their node_modules folder after the fact with no indication anything went wrong.
If you have installed [email protected] or [email protected], assume your system is compromised. Pin to the safe versions: [email protected] (1.x branch) or [email protected] (0.x branch). Rotate all secrets and credentials on affected machines and check network logs for connections to the indicators of compromise listed below.
We are actively investigating this incident and will update this post with a full technical breakdown, including malware analysis, indicators of compromise, and detailed remediation guidance. Stay tuned.
We performed full static and runtime analysis of the malicious packages, including complete decoding of the obfuscated dropper. The malware self-destructs after execution and replaces its own package.json with a clean stub, actively concealing evidence of the attack from post-infection inspection.
Attack Timeline
The attack was pre-staged across roughly 18 hours, with the malicious dependency seeded on npm before the axios releases to avoid “brand-new package” alarms from security scanners:
2026-03-30 — 05:57 UTC
[email protected] published by [email protected] — a clean decoy containing a full copy of the legitimate crypto-js source, no postinstall hook. Its sole purpose is to establish npm publishing history so the package does not appear as a zero-history account during later inspection.