A supply chain attack is targeting the axios JavaScript library via malicious packages in the NPM registry, deploying a remote access trojan that steals credentials and maintains persistence across Windows, macOS, and Linux systems. The article does not provide specific affected or fixed version numbers, a CVSS score, or a direct workaround. It emphasizes the widespread risk due to axios's massive usage and urges immediate review of CI/CD pipelines and dependency management to detect and mitigate the compromise.
A critical supply chain attack is unfolding involving the widely used JavaScript library axios. Malicious packages were introduced into the NPM ecosystem, deploying a remote access trojan (RAT) capable of stealing credentials and maintaining persistent access across Windows, macOS, and Linux systems. With over 100 million downloads per week, axios is embedded across web applications, backend services, and automated build pipelines worldwide. Even a short exposure window can have widespread impact across organizations. This incident validates warnings shared by SANS expert Joshua Wright at RSA Conference 2026 just days ago, highlighting how attackers are increasingly targeting trusted software components to achieve scale. SANS is hosting an emergency technical livestream to break down what happened and what defenders must do now. What you will learn: How the axios supply chain compromise occurred Why this attack is more dangerous than it initially appears How malicious packages enabled credential theft and persistent access The hidden risks in CI/CD pipelines and automated dependency updates How to reduce exposure in your CI/CD environments Indicators of compromise and how to detect them Immediate mitigation and response steps Speaker: Rich Greene, Certified Instructor, SANS Institute Joshua Wright, Faculty Fellow and Senior Technical Director, SANS Institute | Counter Hack Innovations