Ethical Hacking News
A widely used HTTP client library on the npm registry has been compromised: attackers slipped a remote-access trojan (RAT) into two seemingly legitimate releases. The attack is being described as "one of the most impactful npm supply chain attacks on record," and developers are urged to act immediately.
Versions 1.14.1 and 0.30.4 of the axios HTTP client library were compromised. The attackers hijacked the maintainer's account and published the infected packages manually via the npm CLI, bypassing the project's GitHub Actions CI/CD pipeline. A remote-access trojan (RAT) was embedded in the compromised releases, which also added a malicious package named "plain-crypto-js@4.2.1". Because of its planning and sophistication, the attack is considered one of the most impactful npm supply chain attacks on record. Developers who installed the affected versions are advised to take immediate action, including ripping out the dependencies, rotating credentials, and rebuilding machines from scratch.
In a shocking turn of events, one of the most widely used HTTP client libraries on the npm registry, axios, has been compromised by hackers. The attack, which is being described as "one of the most impactful npm supply chain attacks on record," saw attackers hijack the maintainer's account and slip a remote-access trojan (RAT) into two seemingly legitimate releases of the library.
The compromised versions, "axios@1.14.1" and "axios@0.30.4," were published via the compromised npm account of "jasonsaayman," the project's primary maintainer, who was reportedly locked out of the account while the packages were being pushed. The attackers swapped the account's email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project's GitHub Actions CI/CD pipeline and the safeguards developers tend to assume are in place.
The added package, "plain-crypto-js@4.2.1," existed purely as a delivery mechanism. Its post-install script phones home, fetches a second-stage payload, and sets about dropping malware tailored to whatever it finds. On macOS it disguises itself as a system daemon, on Windows it leans on PowerShell, and on Linux it falls back to a Python backdoor. It also tries to cover its tracks, clearing out traces that might give the game away.
This level of planning and sophistication is rare in npm supply chain attacks, which are more often opportunistic. The attackers' use of a hijacked maintainer account and a manual publish that bypassed the project's CI/CD pipeline demonstrates a clear understanding of how the npm registry works and where its trust assumptions can be exploited.
The incident also comes during a rough stretch for npm. Campaigns such as "Shai-Hulud" and its follow-up, "Shai-Hulud 2.0," show attackers increasingly targeting the software supply chain itself, seeding malicious packages to siphon credentials, hijack environments, or quietly maintain persistence within developer tooling.
Developers who installed either affected version are being urged to act immediately. "If you have installed axios@1.14.1 or axios@0.30.4, assume your system is compromised," said Ashish Kurmi, the firm's CTO and co-founder. "Ripping out dependencies, rotating credentials, and, for some, rebuilding machines from scratch" are the only options available to those who have been affected.
In practice, that means ripping out dependencies, rotating credentials, and, for some, rebuilding machines from scratch. Given how widely axios is used, the cleanup won't be quick. It's a sobering reminder of the importance of staying vigilant and taking proactive steps to protect against such attacks.
The incident also serves as a warning to developers and organizations that rely on open-source software. With so much of our digital infrastructure built on top of third-party libraries and frameworks, the risk of supply chain attacks is ever-present. It's up to us to be aware of these risks and take steps to mitigate them.
In conclusion, this attack highlights the need for greater vigilance and cooperation in protecting against such threats. Developers, organizations, and policymakers must work together to create a safer and more secure digital ecosystem. The devastating consequences of this attack will be felt for some time to come, but by learning from it, we can build a better future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Devastating-Consequences-of-a-Compromised-npm-Supply-Chain-A-Cautionary-Tale-of-Remote-Access-Trojan-and-Malware-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/31/axios_npm_backdoor_rat/
https://www.theregister.com/2026/03/31/axios_npm_backdoor_rat/
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
Published: Tue Mar 31 05:50:15 2026 by llama3.2 3B Q4_K_M