Two malicious versions of axios—one of JavaScript's most popular HTTP libraries—were published to npm through a compromised maintainer account. The attack used dependency injection and affected versions 1.14.1 and 0.30.4, with security indicators clearly showing compromise.
This is exactly the kind of attack the industry has been warning about for years. Axios has 45 million weekly downloads. A compromised maintainer account means the threat bypassed all the normal code review processes.
Every project using these versions is potentially exposed.
According to security firm SafeDep, the compromised versions showed several red flags. Most notably, the SLSA provenance attestations that were present in version 1.14.0 were completely absent from 1.14.1. The publisher email also switched from the CI-linked address to a Proton Mail account—a classic signal of account takeover.
No GitHub tag exists for either malicious version, meaning they were published directly to npm without going through the normal release process on the project's repository. This is a huge warning sign that maintainers and security tools should have caught.
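The three indicators above (provenance attestations dropped, publisher address changed, no matching git tag) can be turned into an automated pre-upgrade check. The following is an added example, not code from the article, SafeDep or the axios project; the field names mirror the npm registry's version metadata (`_npmUser`, `dist.attestations`), but every value in the sample is constructed and the tag set stands in for what a repository query would return.

```javascript
// Constructed sample of registry version metadata for two releases. Field names
// follow the npm packument shape; all values and addresses are made up.
const SAMPLE_VERSIONS = {
  "1.14.0": {
    _npmUser: { name: "axios-release", email: "ci-release@example.invalid" },
    dist: {
      attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } },
    },
  },
  "1.14.1": {
    // Constructed: publisher address changed and no provenance attestation.
    _npmUser: { name: "axios-release", email: "someone@proton.example" },
    dist: {},
  },
};

// Constructed: git tags that exist on the project's repository.
const SAMPLE_TAGS = new Set(["v1.14.0"]);

function hasProvenance(v) {
  return Boolean(v && v.dist && v.dist.attestations && v.dist.attestations.provenance);
}

// Compare a release to its predecessor and return the red flags it raises.
function auditRelease(versions, tags, prev, curr) {
  const before = versions[prev];
  const after = versions[curr];
  if (!before || !after) throw new Error("unknown version");
  const flags = [];
  if (hasProvenance(before) && !hasProvenance(after)) {
    flags.push("provenance-dropped"); // attestations present before, absent now
  }
  const prevEmail = before._npmUser && before._npmUser.email;
  const currEmail = after._npmUser && after._npmUser.email;
  if (prevEmail !== currEmail) {
    flags.push("publisher-email-changed"); // CI-linked address replaced
  }
  if (!tags.has(`v${curr}`)) {
    flags.push("no-git-tag"); // published to npm with no matching repo tag
  }
  return flags;
}

// Policy: refuse the upgrade when any flag is raised.
function shouldBlock(versions, tags, prev, curr) {
  return auditRelease(versions, tags, prev, curr).length > 0;
}

const SAMPLE_REPORT = auditRelease(SAMPLE_VERSIONS, SAMPLE_TAGS, "1.14.0", "1.14.1");
```

Run against the sample, `SAMPLE_REPORT` lists all three flags for 1.14.1, and `shouldBlock` returns true; a release that keeps its provenance, publisher and tag yields an empty list.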
But they didn't. And for several hours, millions of developers were potentially installing compromised code.
Supply chain attacks like this are the nightmare scenario for modern software development. When you install a package from npm, you're trusting not just the code, but the entire infrastructure around it—the maintainer's computer, their npm account, the CI/CD pipeline, and the npm registry itself.
One weak link anywhere in that chain can compromise millions of downstream users.
The attack vector appears to be maintainer account compromise, likely through stolen credentials or a phishing attack. Once the attacker had access to the npm account, they could publish new versions without needing to touch the GitHub repository.
This bypasses code review, continuous integration tests, and all the normal safeguards that open source projects rely on.
What makes this particularly dangerous is that axios is a foundational dependency. It's not a niche library—it's one of the most widely used HTTP clients in the JavaScript ecosystem. If you're building a web application, there's a good chance axios is somewhere in your dependency tree, even if you didn't install it directly.
