axios Supply Chain Compromise Exposes Vulnerabilities in Open Source Ecosystem

The widely-used HTTP client library axios fell victim to a supply chain attack on March 31, 2026, when two malicious versions (1.14.1 and 0.30.4) were published to npm through a compromised maintainer account. The incident, which lasted approximately three hours before being detected and removed, injected a remote access trojan (RAT) onto systems across macOS, Windows, and Linux platforms.

The Attack Vector: A Masterclass in Social Engineering

The compromise wasn't a technical vulnerability in axios itself, but rather a sophisticated social engineering campaign against lead maintainer Jason Saayman. The attack followed patterns documented by Google in their research on UNC1069, which targets cryptocurrency and AI professionals through carefully crafted deception.

"They reached out masquerading as the founder of a company they had cloned," Saayman explained in the GitHub issue. "They had cloned the company's founder's likeness as well as the company itself. They then invited me to a real slack workspace. This workspace was branded to the companies ci and named in a plausible manner."

The attackers demonstrated remarkable attention to detail, creating a convincing Slack workspace with channels sharing LinkedIn posts (presumably linking to the real company's account), fake team profiles, and even other open source maintainers to lend credibility to their operation.

The final step involved a Microsoft Teams meeting where participants received a notification about an "out-of-date" system component. When Saayman installed what he believed was a Teams update, he actually installed the RAT that gave the attackers full control of his machine.

"Everything was extremely well co-ordinated, looked legit and was done in a professional manner," Saayman noted, highlighting the sophistication of the attack.

Malicious Payload and Distribution

Once the attackers gained access to Saayman's machine, they obtained npm credentials and published two malicious versions of axios: 1.14.1 and 0.30.4. Both versions contained a dependency on [email protected], which installed the RAT malware.

The malicious code established connections to sfrclak[.]com and 142.11.206.73 on port 8000, potentially giving attackers remote access to affected systems. The attack timeline shows [email protected] was published on March 30, followed by the compromised axios versions early on March 31.

Community Detection and Response

The incident underscores the critical role of community vigilance in open source security. Within about an hour of publication, community members began reporting suspicious activity, though the attackers quickly deleted these issues using the compromised account.

The turning point came when axios collaborator DigitalBrainJS opened a pull request to deprecate the compromised versions, flagging the deleted issues to the community and contacting npm directly. This decisive action led to the removal of the malicious packages at 03:15 UTC, with plain-crypto-js following at 03:29 UTC.

"The response was fast. ~3 hours from publish to removal is a good outcome given the constraints," noted Feross Aboukhadijeh, a prominent Node.js developer. "@DigitalBrainJS in particular deserves recognition for acting decisively."

Impact and Scope

While the attack was relatively brief in duration, its potential impact was significant. Axios is one of the most widely-used HTTP clients in the JavaScript ecosystem, with over 87 million weekly downloads according to npm. The malicious versions could have affected thousands of projects and systems.

"For maintainers of high-download packages, this incident reinforces a few things," Feross added. "OIDC-based publishing (provenance attestation) is the single highest-leverage change you can make. It removes long-lived credentials from the equation entirely."

Users were advised to check their lockfiles for the compromised versions or the plain-crypto-js dependency. Those affected needed to downgrade to [email protected] (or 0.30.3 for 0.x users), delete the malicious dependency, rotate all secrets and credentials, and check network logs for suspicious connections.

Broader Implications for the npm Ecosystem

The axios compromise highlights several systemic vulnerabilities in the current open source distribution model:

1. Dependency on Individual Maintainers: High-value packages rely on individual accounts, creating single points of failure
2. Limitations of 2FA: While the maintainer had 2FA enabled, the RAT malware provided attackers with full system access, bypassing these protections
3. Lack of Automated Detection: The incident was detected only through community vigilance, not automated security measures
4. npx Vulnerability: As Ahmad Nassri pointed out, npx invocations produce non-deterministic dependency resolution, potentially exposing systems even if they weren't directly using the compromised packages

"This kind of targeted social engineering against individual maintainers is the new normal," Feross stated. "It's not a reflection on Jason or the axios team -- these campaigns are sophisticated and persistent. We're seeing them across the ecosystem and they're only accelerating."

Preventive Measures and Future Improvements

In response to the incident, the axios team outlined several security improvements:

• Immutable release setup: Moving to a CI-based publishing workflow
• OIDC adoption: Implementing OpenID Connect for publishing to eliminate long-lived credentials
• Device and credential reset: Complete wipe of all lead maintainer devices and resetting of all credentials
• GitHub Actions hardening: Updating all GitHub actions to adopt security best practices

"Publishing directly from a personal account was a risk that could have been avoided," Saayman acknowledged. "The OIDC flow and immutable release setup we are now adopting should have been in place before this happened."

The incident also revealed a separate documentation security issue (#10614) related to credential re-injection in the README's beforeRedirect example, demonstrating that security vulnerabilities can exist in multiple layers of a project.

{{IMAGE:3}}

Lessons for the Open Source Community

The axios compromise offers several critical lessons for maintainers and organizations:

1. Adopt OIDC-based publishing: This removes the need for long-lived credentials
2. Publish from CI, not local machines: Compromised laptops shouldn't have the ability to push releases
3. Use hardware keys for 2FA: Time-based one-time passwords (TOTP) on compromised machines aren't effective
4. Implement automated security monitoring: Reduce reliance on community detection alone
5. Be vigilant against sophisticated social engineering: These attacks are increasingly realistic and targeted

"Open source maintainers with high-impact packages are active targets for sophisticated social engineering," Saayman warned. "Hyper vigilance is needed both on the registry and in a personal capacity."

The Road Ahead

While the immediate incident has been resolved, the axios team continues working on security improvements. The compromise has also sparked broader discussions within the OpenJS Security Working Group and the npm ecosystem about better protecting critical infrastructure.

"Security posture should be continuously monitored and improved," Saayman emphasized. "We will continue to strengthen our practices in alignment with industry best practices and in collaboration with groups such as the OpenJS Security Working Group."

As the open source ecosystem continues to grow in importance and ubiquity, incidents like the axios compromise serve as critical reminders that security must be a continuous, multi-layered effort involving maintainers, platforms, and end users. The response to this attack demonstrates both the vulnerabilities that exist and the resilience of the community when security issues are addressed transparently and collaboratively.

For organizations using npm, the incident reinforces the need for robust supply chain security practices, including regular dependency scanning, immediate patching when vulnerabilities are discovered, and careful monitoring of build and deployment processes.

{{IMAGE:4}}