Security News

Cybersecurity news aggregator

HIGH Attacks The Register Security

Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines

Attackers compromised the primary maintainer's npm account to publish malicious versions of the axios library ("axios@1.14.1" and "axios@0.30.4"), which contained a dependency ("plain-crypto-js@4.2.1") that executed a post-install script to fetch a multi-platform RAT. The article does not provide a CVSS score, specific fixed version numbers, or a workaround. Users must verify they are not running the compromised versions and monitor for official remediation guidance from the axios project.

Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios

Carly Page, Tue 31 Mar 2026 // 10:29 UTC

One of npm's most widely used HTTP client libraries briefly became a malware delivery vehicle after attackers hijacked a maintainer's account and slipped a remote-access trojan (RAT) into two seemingly legitimate axios releases, in what's being described as "one of the most impactful npm supply chain attacks on record."

The poisoned versions, "axios@1.14.1" and "axios@0.30.4," made it onto the npm registry before being yanked, though not before some unlucky devs and CI pipelines pulled them in. Rather than tampering with axios's own code, the intruders took a subtler route, slipping in a dependency that had no business being there and no role in the library's functionality.

Axios is a widely used JavaScript HTTP client that developers rely on to send requests between applications and web services. It's embedded in everything from front-end apps to back-end systems and racks up around 100 million downloads each week, meaning even a short-lived compromise can spread quickly.

The releases didn't come through the project's usual build process either. Security firm StepSecurity found that both versions were published via the compromised npm account of "jasonsaayman," the project's primary maintainer, who was reportedly locked out of the account while the packages were being pushed. The attackers swapped the account's email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project's GitHub Actions CI/CD pipeline and the safeguards developers tend to assume are in place.
The added package, "plain-crypto-js@4.2.1," existed purely as a delivery mechanism. Its post-install script phones home, fetches a second-stage payload, and sets about dropping malware tailored to whatever it finds. On macOS it disguises itself as a system daemon, on Windows it leans on PowerShell, and on Linux it falls back to a Python backdoor. It also tries to cover its tracks, clearing out traces that might give the game away.

StepSecurity said the campaign showed a level of planning well beyond the usual smash-and-grab npm compromise. "This was not opportunistic," said Ashish Kurmi, the firm's CTO and co-founder. "The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct. This is among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package."

The incident also comes during a rough stretch for npm. Campaigns such as "Shai-Hulud" and its follow-up, "Shai-Hulud 2.0," show attackers increasingly targeting the software supply chain itself, seeding malicious packages to siphon credentials, hijack environments, or quietly maintain persistence within developer tooling.

Developers who installed either affected version are being urged to act immediately. "If you have installed axios@1.14.1 or axios@0.30.4, assume your system is compromised," Kurmi said. In practice, that means ripping out dependencies, rotating credentials, and, for some, rebuilding machines from scratch. Given how widely axios is used, the cleanup won't be quick.
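The first remediation step the article describes is confirming whether a project ever resolved one of the named versions. The following Node script is an added example, not code from the article, from StepSecurity or from the axios project: it walks a `package-lock.json` (both the nested `lockfileVersion` 1 layout and the flat `packages` map of versions 2 and 3), reports any entry matching the versions named above, and separately lists every package the lockfile marks with `hasInstallScript`, since an install-time lifecycle script was the delivery vector here. The sample lockfile embedded below is constructed for the demonstration; the version numbers in `COMPROMISED` are the ones quoted in the article.

```javascript
// Added example (not from the article or the axios project): audit an npm
// lockfile for the package versions named in the report and for packages
// that register install-time scripts.

// Versions quoted in the article as malicious.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Constructed sample package-lock.json (lockfileVersion 3 shape) used when no
// path is given on the command line. Values here are illustrative only.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
});

// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// lockfileVersion 1 nests dependencies; flatten into [path, info] pairs so the
// same scan works for every lockfile version.
function flattenV1(deps, prefix = '') {
  const out = [];
  for (const [name, info] of Object.entries(deps)) {
    const lockPath = `${prefix}node_modules/${name}`;
    out.push([lockPath, info]);
    if (info.dependencies) out.push(...flattenV1(info.dependencies, `${lockPath}/`));
  }
  return out;
}

// Normalise any lockfile into [path, info] entries, skipping the root ('').
function lockEntries(lockText) {
  const lock = JSON.parse(lockText);
  if (lock.packages) {
    return Object.entries(lock.packages).filter(([p]) => p !== '');
  }
  return flattenV1(lock.dependencies || {});
}

// Returns one record per lockfile entry whose name/version pair is listed in
// COMPROMISED; an empty array means the lockfile never resolved those builds.
function findCompromised(lockText) {
  const hits = [];
  for (const [lockPath, info] of lockEntries(lockText)) {
    const name = packageNameFromPath(lockPath);
    const bad = COMPROMISED[name];
    if (bad && bad.has(info.version)) {
      hits.push({ name, version: info.version, path: lockPath });
    }
  }
  return hits;
}

// Returns the lockfile paths of every package npm recorded as having an
// install-time lifecycle script (preinstall/install/postinstall). These are
// the entries worth reviewing by hand after a supply chain incident.
function installScriptPackages(lockText) {
  return lockEntries(lockText)
    .filter(([, info]) => info.hasInstallScript === true)
    .map(([lockPath]) => lockPath)
    .sort();
}

// CLI use: node audit-lock.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  const hits = findCompromised(text);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  for (const p of installScriptPackages(text)) console.log(`install script: ${p}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Run against a real lockfile the script exits non-zero on a match, which makes it easy to wire into a CI step. A lockfile scan only proves what was resolved, not what was executed: a developer who ran `npm install` while the versions were live may have a dirty machine even after the lockfile was rolled back, which is why the article's advice is to treat such hosts as compromised. Installing with `npm ci --ignore-scripts` (a standard npm option) blocks lifecycle scripts of this kind from running at all, at the cost of breaking packages that legitimately need them.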