Axios npm Hack 2026: Hidden RAT Discovered, Systems Compromised
In March 2026, the developer community was shaken when Axios, one of the most popular npm packages, suffered a serious supply chain attack. Some developers reported unauthorized system access, and security teams worldwide scrambled to lock down CI/CD pipelines as a safety step.
What Exactly Happened?
According to official security advisories, a threat actor gained access to a maintainer's account and published compromised versions. The attack was active until the malicious packages were detected and removed from the npm registry.
The breach was linked to a hidden malicious dependency named plain-crypto-js injected into specific Axios versions.
Security researchers later said that thousands of automated build systems and developers were potentially impacted.
What Systems & Data Were at Risk?
| Compromised Element | Status |
|---|---|
| axios@1.14.1 | Infected |
| axios@0.30.4 | Infected |
| System Files | Exposed |
| Environment Variables (API Keys) | Exposed |
| Terminal Control | Exposed |
This type of access can be used for data theft, deploying ransomware, and moving laterally within corporate networks.
Was the Malware Executed?
Yes. A number of automated builds and developer machines triggered the payload.
- Post-install scripts ran automatically
- A RAT (Remote Access Trojan) was installed
- Connections to attacker C2 servers were established
The npm security team confirmed that the affected package versions were swiftly taken down.
What Should Developers Do Now?
- Check your package-lock.json immediately
- Remove the affected Axios versions
- Delete your node_modules folder
- Rotate all exposed API keys and environment variables
- Use npm ci instead of install
- Consider locking down pre/post-install scripts
Never blindly trust dependency updates. Always use lock files and monitor network activity during builds.
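One way to carry out the lock file check from the list above, as an added example that is not code from Axios or npm: it scans a parsed package-lock.json (both the flat `packages` layout and the older nested `dependencies` layout) for the two Axios versions and the plain-crypto-js dependency named in this article. The sample lock files and the `some-sdk` package are constructed for illustration.

```javascript
// Added example. Indicators below are the ones named in this article.
const BAD_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
const BAD_NAMES = new Set(['plain-crypto-js']); // any version counts as a hit

function check(name, version, where, hits) {
  const versions = BAD_VERSIONS.get(name) || [];
  if (BAD_NAMES.has(name) || versions.includes(version)) hits.push({ name, version, where });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = trail ? `${trail} > ${name}` : name;
    check(name, info.version, where, hits);
    walkV1(info.dependencies, where, hits);
  }
}

// Accepts a parsed package-lock.json and returns every matching entry.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue;
      // "name" is recorded for aliased installs; otherwise derive it from the path.
      const name = info.name || path.split('node_modules/').pop();
      check(name, info.version, path, hits);
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Constructed sample lockfiles (not real incident data); "some-sdk" is hypothetical.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/some-sdk/node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
  'node_modules/some-sdk': { version: '2.0.0' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  axios: { version: '1.13.0' },
  'some-sdk': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
} };

for (const lock of [SAMPLE_V3, SAMPLE_V1]) {
  for (const h of findCompromised(lock)) console.log(`FOUND ${h.name}@${h.version} at ${h.where}`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromised` and treat any returned entry as a reason to follow the remaining steps in the list.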
Why This Attack Matters
Even though the malicious versions were caught relatively quickly, this incident shows how dangerous supply chain attacks can be in modern web development.
When widely-used libraries are compromised, security across millions of applications must be questioned.
The good news is that the community and registry maintainers acted quickly once the issue was discovered.
Frequently Asked Questions
How many users were affected?
Thousands of downloads occurred before the packages were removed, potentially impacting numerous developers.
Did Axios' source code get hacked?
No, the core source repository was not altered. A threat actor using a maintainer's account published modified versions directly to the npm registry.
Were API Keys stolen?
The RAT had full system access, meaning any API keys stored locally in environment variables could have been compromised.
What is plain-crypto-js?
It was the hidden malicious dependency designed to execute the post-install script and install the RAT.
Can attackers use the RAT for ransomware?
Yes, full remote access allows attackers to install ransomware, steal source code, or pivot into production networks.
Should all Axios users worry?
Only those who installed the specific compromised versions (1.14.1 and 0.30.4) during the attack window are at risk.