vulnerability

Axios NPM Supply Chain Compromise: Remote Access Trojan (RAT) via Malicious Versions 1.14.1 and 0.30.4

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Mar 31, 2026	Apr 7, 2026	Apr 7, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Mar 31, 2026

Added

Apr 7, 2026

Modified

Apr 7, 2026

Description

The popular HTTP client library 'axios' was subject to a supply chain attack on March 31, 2026. After compromising a maintainer's NPM account, an attacker published two malicious versions: [email protected] and [email protected].
These versions contain a "phantom dependency" called 'plain-crypto-js' (version 4.2.1), which is a typosquatted version of the legitimate 'crypto-js' library. When these versions of axios are installed, the malicious dependency executes a 'postinstall' script that downloads and executes a platform-specific Remote Access Trojan (RAT).
The RAT targets Windows, macOS, and Linux environments, granting the attacker full remote control over the infected machine. The script also includes anti-forensic capabilities, deleting itself and modifying the local package.json to hide the presence of the malicious dependency after the initial infection.

Solution

axios-supply-chain-march-2026

References

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report