Malicious versions of axios (1.14.1 and 0.30.4) were published to npm after an attacker compromised a maintainer's credentials and changed the account email. Both versions inject a fake dependency (plain-crypto-js) that executes a cross-platform remote access trojan dropper on install, then self-deletes to evade detection. Any developer using these specific versions in the attack window should check for infection and upgrade immediately.
Safety
Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan
Attackers compromised axios on NPM to deploy a self-deleting RAT dropper through versions 1.14.1 and 0.30.4, exposing the supply chain to cross-platform remote access compromise.
Tuesday, March 31, 2026 12:00 PM UTC | 2 min read | Source: Hacker News | By sys://pipeline
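One way to run the check described above, as an added example that is not from the original article: scan a parsed package-lock.json for the two axios versions and the plain-crypto-js dependency named here. The function names, the sample lockfile and the plain-crypto-js version in it are constructed for illustration; the layouts handled are npm's v1 and v2/v3 lockfile formats.

```javascript
// Added example: version strings and dependency name are the ones on this page.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const FAKE_DEP = "plain-crypto-js";
const NM = "node_modules/";

function classify(name, version, where) {
  const reason =
    name === "axios" && BAD_AXIOS.has(version) ? "malicious axios version"
    : name === FAKE_DEP ? "injected dependency" : null;
  return reason && { name, version, where, reason };
}

function scanLockfile(lock) {
  const findings = [];
  const record = (hit) => { if (hit) findings.push(hit); };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, so nested
    // (transitive) copies appear as ".../node_modules/axios".
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(NM);
      if (i === -1) continue; // root project or workspace folder
      record(classify(path.slice(i + NM.length), entry.version, path));
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        record(classify(name, entry.version, where));
        walk(entry.dependencies, where);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile; the plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.30.4" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile`. A hit means the lockfile resolved one of the named packages; a clean result only describes the lockfile as it stands now, not earlier installs.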