What happened to the axios npm package?

Two versions (1.14.1, 0.30.4) published via hijacked maintainer. Added RAT via plain-crypto-js dep. Live two hours, yanked by 03:29 UTC March 31, 2026.

Is my machine safe if I installed axios recently?

Check lockfile/package-lock.json for those versions or plain-crypto-js@4.2.1. No postinstall traces left, but audit secrets, scan for sfrclak[.]com traffic.

How to prevent npm supply chain attacks?

Pin versions, use lockfiles, enable 2FA everywhere, audit deps with Snyk/Socket. Consider npm audit fix, but verify.

🔒 Security & Privacy

Axios npm Package Serves Up RATs: The Two-Hour Nightmare That Could've Been Yours

Imagine your build server phoning home to hackers. Axios, with 100M+ weekly downloads, just lived that horror for two hours.

theAIcatchup Apr 07, 2026 3 min read

Warning alert on npmjs.com showing compromised axios package versions

⚡ Key Takeaways

Axios maintainer compromised, injecting RAT via sneaky dependency—no source changes needed. 𝕏
Self-erasing malware hit Mac, Windows, Linux; C2 grabbed platform payloads. 𝕏
npm needs maintainer 2FA mandates—history says it won't happen soon. 𝕏

Published by

theAIcatchup

Community-driven. Code-first.

#axios npm #javascript malware #remote-access-trojan

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Snyk Blog

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

React Server Components' Perfect-Score RCE Flaw Exposes Millions of Apps

Anthropic's One-Line Fumble Leaks Billions in Code

SSL Certificates Shrink to 47 Days: The Forced March to Automation

Warden v2.0: Free CLI That Sniffs Out Malicious npm Packages in Seconds

Stay in the loop