{"id":51450,"date":"2026-04-01T14:33:29","date_gmt":"2026-04-01T18:33:29","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=51450"},"modified":"2026-04-01T14:33:29","modified_gmt":"2026-04-01T18:33:29","slug":"axios-compromised-on-npm","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2026\/04\/01\/axios-compromised-on-npm\/","title":{"rendered":"axios Compromised on NPM"},"content":{"rendered":"

Ashish Kurmi<\/a> (Hacker News<\/a>):<\/p>\n

\n

axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios<\/code> HTTP client library published to npm: axios@1.14.1<\/code> and axios@0.30.4<\/code>. The malicious versions inject a new dependency, plain-crypto-js@4.2.1<\/code>, which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall<\/code> script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform specific second stage payloads. After execution, the malware deletes itself and replaces its own package.json<\/code> with a clean version to evade forensic detection.<\/p>\n<\/blockquote>\n\n

Carly Page<\/a>:<\/p>\n

\n

The releases didn’t come through the project’s usual build process either. Security firm StepSecurity<\/a> found that both versions were published via the compromised npm account of “jasonsaayman,” the project’s primary maintainer, who was reportedly<\/a> locked out of the account while the packages were being pushed.<\/p>\n

The attackers swapped the account’s email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project’s GitHub Actions CI\/CD pipeline and the safeguards developers tend to assume are in place.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n