axios Compromised on NPM
axios is the most popular JavaScript HTTP client library, with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.
The releases didn’t come through the project’s usual build process either. Security firm StepSecurity found that both versions were published via the compromised npm account of “jasonsaayman,” the project’s primary maintainer, who was reportedly locked out of the account while the packages were being pushed.
The attackers swapped the account’s email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project’s GitHub Actions CI/CD pipeline and the safeguards developers tend to assume are in place.
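The two signals the write-up describes, a dependency that nothing in the source imports and a package carrying an install-time lifecycle script, are both visible in plain package metadata before anything runs. The following is an added example, not code from the post or from the axios project: it audits parsed package.json manifests and source text for those two signals. The manifests, source snippet and the postinstall command are constructed stand-ins, not the real package contents.

```javascript
// Added example (not from the post or the axios project). Audits parsed
// package.json manifests plus source text for two signals from the incident:
// install-time lifecycle scripts, and a declared dependency that no source
// file ever imports. All sample inputs at the bottom are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return the lifecycle hooks a manifest declares, with their commands.
function lifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Reduce a module specifier to its package name ("@scope/pkg/sub" -> "@scope/pkg").
function packageName(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Collect package names referenced via require(), import(), `import "x"` or
// `from "x"` across source files given as { path: text }. Relative and
// absolute specifiers (starting with "." or "/") are skipped.
function importedPackages(sourceFiles) {
  const names = new Set();
  const pattern = /(?:require\(\s*|import\(\s*|from\s+|import\s+)["']([^"'./][^"']*)["']/g;
  for (const text of Object.values(sourceFiles)) {
    for (const match of text.matchAll(pattern)) names.add(packageName(match[1]));
  }
  return names;
}

// Dependencies declared in the manifest that no source file imports.
function unusedDependencies(manifest, sourceFiles) {
  const used = importedPackages(sourceFiles);
  return Object.keys(manifest.dependencies || {}).filter((dep) => !used.has(dep));
}

// Run both checks over the root package and the manifests of its installed
// dependencies, returning a flat list of findings.
function auditPackage(rootManifest, sourceFiles, installedManifests) {
  const findings = [];
  for (const dep of unusedDependencies(rootManifest, sourceFiles)) {
    findings.push({ package: rootManifest.name, kind: "unused-dependency", detail: dep });
  }
  for (const manifest of [rootManifest, ...installedManifests]) {
    for (const { hook, command } of lifecycleScripts(manifest)) {
      findings.push({ package: manifest.name, kind: "lifecycle-script", detail: `${hook}: ${command}` });
    }
  }
  return findings;
}

// Constructed sample modelled on the incident: a root manifest that declares
// a dependency its sources never reference, and that dependency's own
// manifest carrying a postinstall hook. "example-dep-a" and the command
// "node ./setup.js" are placeholders, not the real package contents.
const sampleRoot = {
  name: "axios",
  version: "1.14.1",
  dependencies: { "example-dep-a": "^1.0.0", "plain-crypto-js": "4.2.1" },
};
const sampleSources = {
  "lib/index.js": 'const a = require("example-dep-a");\nmodule.exports = a;\n',
};
const sampleInstalled = [
  { name: "example-dep-a", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "plain-crypto-js", version: "4.2.1", scripts: { postinstall: "node ./setup.js" } },
];

function sampleFindings() {
  return auditPackage(sampleRoot, sampleSources, sampleInstalled);
}

console.log(JSON.stringify(sampleFindings(), null, 2));
```

Because the dropper rewrites its own package.json after running, a check like this has to look at the manifests before install (for example from the tarball that `npm pack` produces, or from the registry metadata), not at node_modules afterwards. Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all, at the cost of breaking packages that legitimately need them.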
I need help here. 100,000,000 weekly downloads? For what? Within 2 years you have the entire human population covered. If you exclude infants and all other humans who aren't developers, you end up with about... maybe 30+ copies per developer in a single year?
I understand the seriousness of this issue. It's this baseless claim (at least there wasn't a link or footnote) of how many weekly downloads that has me shaking my head.