
The Axios npm Supply Chain Compromise

A trusted HTTP client became a distribution channel after a maintainer account was compromised and malicious Axios versions were published to npm.

March 31, 2026 | 10 min read | Maintainer compromise

Affected package: Axios, a widely used JavaScript HTTP client

Malicious versions: 2 (axios@1.14.1 and axios@0.30.4)

Payload path: postinstall (`plain-crypto-js` triggered install-time execution)

Attribution: Sapphire Sleet (Microsoft attribution to a North Korean state actor)

Executive Summary

Security reporting from ArmorCode and Microsoft says an Axios maintainer account was compromised and malicious versions `axios@1.14.1` and `axios@0.30.4` were published. The packages introduced `plain-crypto-js`, which executed install-time code and retrieved cross-platform RAT payloads from attacker infrastructure.

Threat profile

Axios is trusted precisely because it is boring infrastructure. That trust is what made the hijack dangerous: many projects allow dependency updates to flow through CI because the package name itself looks safe.

The malicious release did not need to rewrite application logic. It added a dependency that existed to run at install time, before the application ever imported Axios.

Technical root cause

ArmorCode reports that an Axios maintainer npm account was hijacked and two malicious versions were published. Microsoft reports the malicious packages injected `plain-crypto-js@4.2.1`, a fake runtime dependency that used post-install execution to fetch second-stage RAT payloads.

The practical failure is release trust. A newly published version from a trusted maintainer account can be operationally riskier than an unknown package if the build pipeline automatically accepts fresh releases without signature, age, or provenance checks.

Why signature and age matter

A release cooldown would have reduced blast radius because the poisoned versions were short-lived. A signature anchor would have forced the update to prove it matched the organization-controlled release identity, not just a compromised npm credential.

Lockfiles, script suppression, and day-zero package quarantine are boring controls, but this incident shows they directly protect production build servers.

Ninja Containment

Release Cooldown + Signature Anchor

Package Ninja blocks newly published high-blast-radius dependency updates unless they pass provenance, signature, and organization-trust checks.

Quarantine releases published inside a configurable cooldown window.

Require trusted publishing or an organization signature for critical packages.

Block install-time scripts from untrusted day-zero updates.

Alert when a trusted package gains an unexpected new dependency with lifecycle hooks.
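
The cooldown and new-dependency checks listed above, as an added example (not Package Ninja's code or code from the cited reports). The sample mirrors the `time` and `versions` fields of npm registry metadata; the timestamps, the 1.14.0 baseline, the `install.js` command, and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like npm registry metadata: `time` maps versions to
// publish timestamps, `versions` holds each manifest. The timestamps, the 1.14.0
// baseline, its dependency list and the postinstall command are made up.
const axiosMeta = {
  time: { "1.14.0": "2026-03-20T10:00:00Z", "1.14.1": "2026-03-31T00:30:00Z" },
  versions: {
    "1.14.0": { dependencies: { "follow-redirects": "^1.15.6" } },
    "1.14.1": { dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "4.2.1" } },
  },
};
// Constructed manifests of newly added dependencies, keyed by package name.
const depManifests = {
  "plain-crypto-js": { scripts: { postinstall: "node install.js" } },
};

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Dependencies present in `next` but absent from `prev`.
function addedDependencies(meta, prev, next) {
  const before = meta.versions[prev]?.dependencies ?? {};
  const after = meta.versions[next]?.dependencies ?? {};
  return Object.keys(after).filter((name) => !Object.hasOwn(before, name));
}

// Fails closed: a missing timestamp or an unavailable manifest is a finding.
function evaluateUpdate(meta, prev, next, manifests, { now, cooldownHours }) {
  const reasons = [];
  const ageHours = (now.getTime() - Date.parse(meta.time?.[next])) / 3.6e6;
  if (!(ageHours >= cooldownHours)) {
    reasons.push(Number.isNaN(ageHours)
      ? `${next}: no publish timestamp`
      : `${next}: published ${ageHours.toFixed(1)}h ago, cooldown is ${cooldownHours}h`);
  }
  for (const name of addedDependencies(meta, prev, next)) {
    const manifest = Object.hasOwn(manifests, name) ? manifests[name] : undefined;
    const hooks = INSTALL_HOOKS.filter((h) => manifest?.scripts?.[h]);
    if (!manifest) reasons.push(`new dependency ${name}: manifest unavailable`);
    else if (hooks.length) reasons.push(`new dependency ${name} runs ${hooks.join(", ")}`);
  }
  return { action: reasons.length ? "quarantine" : "allow", reasons };
}

const verdict = evaluateUpdate(axiosMeta, "1.14.0", "1.14.1", depManifests,
  { now: new Date("2026-03-31T06:00:00Z"), cooldownHours: 72 });
console.log(verdict.action, verdict.reasons);
```

Even after the cooldown has elapsed, the new dependency with a `postinstall` hook still holds the update in quarantine, so the two checks cover each other.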

Sources