On March 31, 2026, two malicious versions of the axios package were published to npm (axios@1.14.1 and axios@0.30.4). These packages contained remote access trojan (RAT) malware designed to provide access to the systems of anyone who installed the malicious version of the software.
Inside the Attack
The day before the attack, the attacker published a clean package named plain-crypto-js@4.2.1 to npm, designed to imitate the crypto-js library. The following day, this package was updated to contain the RAT malware.
The attacker compromised a long-lived npm access token belonging to jasonaayman, the account that managed the axios package. Although the account had OpenID Connect (OIDC) Trusted Publishing enabled, the GitHub Actions workflow passed both the OIDC credentials and an NPM_TOKEN environment variable when publishing. By default, npm uses the npm token when one is available, which allowed the attacker to bypass the OIDC Trusted Publishing configuration.
With the stolen credentials, the attacker pushed two new versions of the axios package to npm using the npm CLI. These were modified to include the malicious plain-crypto-js package as a dependency in package.json. Because the packages were pushed to npm directly, they never appeared on GitHub, and because package.json was the only file modified, the source code itself was unchanged, evading detection by diff-based analysis.
By pushing malicious versions with both the latest and legacy tags, the attacker ensured that anyone installing axios using npm install would receive the malicious version. During the installation process, the post-install hook for the plain-crypto-js library would be executed, installing the RAT.
The RAT checked the current OS and executed specific logic for Windows, macOS, and Linux. All versions collected information about the filesystem and running processes and exfiltrated it to the attacker. In general, the goal was to steal additional credentials, which would allow the attacker to similarly infect other packages.
The malicious update was quickly detected, but the attacker reset the email address for the compromised account to one that they controlled, locking out the legitimate developer. The malicious code was removed by npm 2 hours and 54 minutes after release. On average, the axios package received about 100 million downloads each week, making it one of the most widely used HTTP client libraries in JavaScript.
Lessons Learned from the Attack
The Axios attack is the latest in a series of similar campaigns targeting legitimate open-source code. Two other packages using the same malicious dependency are @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, the latter of which bundles a tampered version of axios@1.14.1 in its node_modules folder.
Often, developers lack visibility into their software dependencies, especially transitive dependencies that are pulled in by modules they import directly. Organizations that may have installed the malicious versions of axios should rotate all potentially impacted credentials and check developer machines and CI/CD pipelines for the presence of the RAT malware.
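As an added example that is not part of the original write-up, the following Node.js script audits a package-lock.json (lockfile v2/v3 "packages" map) for the indicators described above: the two malicious axios versions, plain-crypto-js@4.2.1, an axios entry that has gained a plain-crypto-js dependency, and any package flagged with hasInstallScript, which is how the RAT's post-install hook got to run. The sample lockfile is constructed; to audit a real project, pass the result of JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to auditLockfile.

```javascript
// Added audit script (not from the article): scan an npm lockfile for the
// indicators described above. Versions are those named in the write-up.
const KNOWN_BAD = { axios: new Set(['1.14.1', '0.30.4']), 'plain-crypto-js': new Set(['4.2.1']) };

// Lockfile v2/v3 keys are install paths: "node_modules/a/node_modules/b" -> "b".
function nameFromKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns { name, version, reason } findings for a parsed package-lock.json.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = nameFromKey(key);
    const version = meta.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ name, version, reason: 'known malicious version' });
    }
    // The RAT was dropped by a post-install hook, so any dependency that
    // declares install scripts deserves review before `npm install` runs it.
    if (meta.hasInstallScript) {
      findings.push({ name, version, reason: 'declares install scripts' });
    }
    // The only change to the trojaned axios was a new plain-crypto-js entry in
    // package.json, so that dependency edge is the tamper signature.
    if (name === 'axios' && meta.dependencies && 'plain-crypto-js' in meta.dependencies) {
      findings.push({ name, version, reason: 'unexpected dependency on plain-crypto-js' });
    }
  }
  return findings;
}

// Constructed sample lockfile resembling a project that pulled the trojaned axios.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '4.2.1' },
    },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Running the same audit across every lockfile in a monorepo or CI cache is a quick first pass; a hit on the install-script check alone is not proof of compromise, only a prompt to inspect that package's scripts.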
