Supply Chain Attack on Axios

altayevrim

If you ran npm install or npm update on any project between 2026-03-31 00:21 and 2026-03-31 03:15 (UTC), audit it immediately.

Axios was briefly compromised on npm after attackers gained access to the maintainer account and published malicious versions containing a dependency with a postinstall script that drops a RAT on macOS, Linux, and Windows. This means the target was not only servers, but also developer machines.

Affected scope:
- Any project that directly uses axios
- Any project that may include axios transitively through another dependency

What you should do now:
- Check whether any install or update happened during that timeframe
- Review package-lock.json, npm-shrinkwrap.json, lockfiles, CI logs, and local shell history
- Identify whether a malicious axios version was resolved or installed
- Assume developer endpoints may be affected, not just deployed environments
- Rotate credentials available on the machine if exposure is suspected
- Rebuild from a known-clean state if compromise is confirmed
- Inspect npm lifecycle scripts and unexpected outbound connections around install time

More Info:
- https://www.stepsecurity.io/blog/ax...-malicious-versions-drop-remote-access-trojan
- https://socket.dev/blog/axios-npm-package-compromised
- https://www.ox.security/blog/axios-compromised-with-a-malicious-dependency/
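
The lockfile review described in the post, as an added example that is not part of the original post or any vendor tooling: it lists every axios copy in a lockfileVersion 2/3 `package-lock.json`, direct or transitive, and flags any axios dependency that declares an install script. The sample lockfile, the package names `some-sdk` and `example-dep`, all version numbers, and the empty `SUSPECT_AXIOS_VERSIONS` placeholder are assumptions.

```javascript
// Constructed sample in package-lock v2/v3 shape; "some-sdk", "example-dep" and all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-sdk": "^1.0.0" } },
    "node_modules/some-sdk": { version: "1.0.0", dependencies: { axios: "^0.0.1" } },
    "node_modules/axios": { version: "0.0.2", dependencies: { "example-dep": "^0.0.1" } },
    "node_modules/example-dep": { version: "0.0.1", hasInstallScript: true },
  },
};

// Placeholder: fill in from the advisories linked in the post, which itself names no versions.
const SUSPECT_AXIOS_VERSIONS = new Set([]);

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// List every axios copy (direct or transitive) and its dependencies that declare an install script.
function auditAxios(lock, suspectVersions = SUSPECT_AXIOS_VERSIONS) {
  if (!lock.packages) throw new Error("no packages map: lockfileVersion 1 is not handled here");
  const packages = lock.packages;
  const root = packages[""] || {};
  const direct = "axios" in { ...root.dependencies, ...root.devDependencies };
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path !== "node_modules/axios" && !path.endsWith("/node_modules/axios")) continue;
    const deps = Object.keys({ ...entry.dependencies, ...entry.optionalDependencies });
    findings.push({
      path,
      version: entry.version,
      direct: direct && path === "node_modules/axios",
      suspectVersion: suspectVersions.has(entry.version),
      installScriptDeps: deps
        .map((name) => resolveDep(packages, path, name))
        .filter((p) => p !== null && packages[p].hasInstallScript === true),
    });
  }
  return findings;
}

console.log(JSON.stringify(auditAxios(SAMPLE_LOCK), null, 2));
```

To run it on a real project, pass the parsed contents of that project's `package-lock.json` to `auditAxios`. A clean result covers only what the lockfile records, so CI logs and shell history from the window still need review.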
 