
Post Mortem: axios NPM supply chain compromise

The Axios lead maintainer's account was compromised via RAT malware; npm versions 1.14.1 and 0.30.4 then shipped a remote access trojan through a fake plain-crypto-js dependency for about 3 hours on March 31.

Friday, April 3, 2026, 12:00 PM UTC | 2 min read | Source: Hacker News | By sys://pipeline

Two malicious versions of axios (1.14.1 and 0.30.4) were published to npm on March 31, 2026 after an attacker compromised the lead maintainer's account via social engineering and RAT malware. The malicious versions injected a remote access trojan via a fake dependency (plain-crypto-js@4.2.1) and were live for roughly 3 hours. Anyone who ran a fresh install between 00:21 and 03:15 UTC should treat their machine as compromised and rotate all credentials.
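As an added example (not from the article or the axios project), here is a small lockfile scanner a defender can run over a project's `package-lock.json` to see whether either malicious axios release or the fake `plain-crypto-js` dependency named above was ever resolved; the indicator values come from the write-up, the sample lockfile is constructed.

```python
"""Scan an npm package-lock.json for the two malicious axios releases and
the fake dependency named in the incident write-up.
Usage: python scan_lock.py package-lock.json (no argument: scans the sample)."""
import json
import sys

# Indicators taken from the write-up: the malicious axios versions and the
# bogus dependency they pulled in.
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
FAKE_DEPENDENCY = "plain-crypto-js"


def iter_lock_entries(lock):
    """Yield (name, version) for every package in a lockfile.
    Handles lockfileVersion 2/3 ("packages") and v1 ("dependencies")."""
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")

    def walk(deps):  # v1 lockfiles nest dependencies recursively
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_indicators(lock):
    """Return a sorted list of (name, version, reason) hits; empty if clean."""
    hits = set()
    for name, version in iter_lock_entries(lock):
        if name == "axios" and version in MALICIOUS_AXIOS:
            hits.add((name, version, "malicious axios release"))
        if name == FAKE_DEPENDENCY:
            hits.add((name, version, "fake dependency from compromise"))
    return sorted(hits)


# Constructed sample lockfile (not real project data): a malicious axios
# install that transitively pulled in the fake dependency.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    lock = SAMPLE_LOCK
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    for name, version, reason in find_indicators(lock):
        print(f"{name}@{version}: {reason}")
```

A hit in the lockfile only shows the version was resolved at some point; the machine that performed that install within the window is the one to treat as compromised.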
