NPM Supply Chain Attacks: What the Axios Compromise Teaches Us
Breaking news: Axios, one of the most popular HTTP clients in the JavaScript ecosystem, was recently compromised with a remote access trojan (RAT). The story hit Hacker News and racked up 506 upvotes in just 4 hours. Developers everywhere are asking the same question: "Could my project be infected right now?"
The answer might make you uncomfortable. If you haven't audited your dependency tree this week, there's a real chance you're running vulnerable code. This isn't a theoretical threat—it's happening now, to packages you use daily.
Let's break down what happened, why it matters, and most importantly, how to protect yourself.
The Incident: What Happened
In late March 2026, malicious versions of Axios were published to npm with a hidden remote access trojan. Here's the timeline:
- Initial compromise: Attackers gained access to the Axios maintainer account (exact method still under investigation)
- Malicious publish: Compromised versions were released with seemingly legitimate version numbers
-
Payload delivery: The trojan downloaded additional malware that targeted
.envfiles, SSH keys, and other sensitive credentials - Discovery: Security researchers at StepSecurity identified the malicious code and raised the alarm
The malicious code lived in a nested dependency called follows (a typosquat of the legitimate follow-redirects package). When Axios made HTTP requests, the trojan would:
- Scan for
.envfiles in the project directory - Exfiltrate AWS credentials, API keys, and database passwords
- Establish a persistent backdoor for future access
Why This Matters to Every Developer
Axios isn't some obscure package. It has millions of weekly downloads and is used by countless production applications. Here's why you should care:
The Dependency Tree Problem
Your App
└── axios (compromised)
└── follows (malicious)
└── steals your .env files
You might never have installed Axios directly. But it's a dependency of dependencies. A single compromised package anywhere in your tree can infect your entire application.
The Numbers Don't Lie
Supply chain attacks have increased 300% since 2024. According to security firms:
- 2024: ~150 reported npm supply chain incidents
- 2025: ~480 reported incidents
- 2026 (Q1 alone): ~200 incidents
We're not seeing more attacks because attackers got smarter. We're seeing more because the ecosystem is fragile, and maintainers are overworked.
How Supply Chain Attacks Work
Understanding the attack vectors helps you defend against them. Here are the most common methods:
1. Account Takeover
Attackers compromise a maintainer's npm account through:
- Phishing attacks
- Credential stuffing (reusing passwords from other breaches)
- Social engineering
Once they have publish access, they can release malicious versions of any package that maintainer controls.
2. Typosquatting
Malicious packages with names similar to popular ones:
-
axios→axi0s -
lodash→lodahs -
react→reacct
Developers make typos. Attackers count on it.
3. Malicious Pull Requests
Contributors submit seemingly helpful PRs that introduce backdoors. Once merged and published, the malicious code spreads to everyone who updates.
4. Compromised Build Pipelines
Even if the source code is clean, attackers can inject malware during the build or publish process by compromising CI/CD systems.
Red Flags to Watch For
Not every update is malicious, but these signs should trigger extra scrutiny:
- Sudden version bumps with minimal or vague changelog entries
- New maintainers added to established packages overnight
-
Unusual permission requests in
postinstallscripts - Dependencies fetching from unknown domains during installation
- Package size spikes (a 10kb package suddenly becomes 500kb)
- Obfuscated code in otherwise readable packages
Make these part of your code review checklist.
Protecting Your Projects: Actionable Steps
You can't eliminate all risk, but you can make yourself a harder target. Here's how:
1. Lock Your Dependencies
Never use caret (^) or tilde (~) ranges for production dependencies:
// package.json - BAD
{
"dependencies": {
"axios": "^1.6.0"
}
}
// package.json - GOOD
{
"dependencies": {
"axios": "1.6.0"
}
}
Always commit your package-lock.json or yarn.lock file. These lock files pin every transitive dependency to exact versions.
2. Use npm audit (and Actually Fix Findings)
# Check for known vulnerabilities
npm audit
# Auto-fix what's safe to fix
npm audit fix
# Force fix (review changes carefully!)
npm audit fix --force
Run this in CI on every pull request. Make it a gate: no high-severity vulnerabilities allowed in production.
3. Implement Dependency Verification
Use tools that go beyond npm's built-in audit:
# Check for outdated packages with security focus
npx npm-check-updates --security
# Deep security scanning with Snyk
snyk test
snyk monitor
Snyk maintains an expanded vulnerability database and catches issues npm audit misses.
4. Pin Provenance with Sigstore
npm now supports signed packages with provenance information:
# Only install packages with valid signatures
npm install --verify-signatures
# Check provenance for a specific package
npm view axios --json | jq '.provenance'
Sigstore provides cryptographic proof of where a package came from and who published it. It's not universal yet, but it's the future.
5. Monitor Your Supply Chain Continuously
Set up automated monitoring:
- Dependabot (GitHub): Auto-creates PRs for security updates
- Renovate: More configurable alternative to Dependabot
- Socket.dev: Real-time supply chain risk scoring
- StepSecurity: Hardens CI/CD and monitors dependencies
Subscribe to security advisories for your critical dependencies. If Axios publishes a security notice, you want to know within hours, not weeks.
Code Example: Automated Security Check in CI
Here's a GitHub Actions workflow that runs security checks on every push and PR:
# .github/workflows/security.yml
name: Dependency Security
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: npm audit --audit-level=high
- name: Run Snyk security scan
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload Snyk report
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: snyk.sarif
This workflow:
- Fails the build if high-severity vulnerabilities are found
- Runs Snyk for deeper analysis
- Uploads results to GitHub Security tab for tracking
Incident Response: What to Do If You're Affected
You just discovered a compromised dependency in your project. Here's your action plan:
1. Identify Affected Versions
# Check what version you're running
npm list axios
# Check the lockfile for exact versions
grep -A 5 '"axios"' package-lock.json
Cross-reference with security advisories to confirm if you're affected.
2. Downgrade Immediately
# Install last known-good version
npm install axios@1.5.9
# Or remove entirely if not critical
npm uninstall axios
Update your lockfile and redeploy.
3. Rotate Exposed Credentials
Assume anything in your .env files is compromised:
- AWS access keys
- Database passwords
- API tokens
- SSH keys
- OAuth secrets
Rotate all of them. Yes, all of them.
4. Audit Logs for Suspicious Activity
Check your application logs, cloud audit trails, and access logs for:
- Unusual API calls
- Data exfiltration patterns
- Access from unexpected IP addresses
- Failed authentication attempts
5. Report and Document
- Notify your security team
- Document the incident timeline
- File a report with npm (security@npmjs.com)
- Consider public disclosure if users are affected
The Bigger Picture
The Axios incident isn't an anomaly—it's a symptom of structural problems in open source:
Overworked Maintainers
Most popular npm packages are maintained by volunteers working nights and weekends. They're not security experts. They're developers who built something useful and now find themselves responsible for infrastructure that powers thousands of companies.
Underfunded Infrastructure
The entire npm ecosystem runs on shoestring budgets. Security tooling, audit systems, and abuse prevention cost money. npm is a business, but the economics don't fully support the security requirements of a global software supply chain.
The Path Forward
Promising developments:
- Sigstore: Free, open signing infrastructure for software supply chains
- npm provenance: Cryptographic proof of build origin
- Socket.dev: Community-driven package risk scoring
- OpenSSF Scorecard: Automated security health checks for repos
These tools help, but they're not silver bullets. Defense requires layers.
Conclusion
Supply chain attacks aren't going away. They're becoming more sophisticated, more frequent, and more damaging. The Axios compromise is a wake-up call: your dependencies are your attack surface.
Defense in depth is the only viable strategy:
- Lock your dependency versions
- Audit regularly and fix findings
- Monitor continuously with automated tools
- Verify package provenance when possible
- Rotate credentials at the first sign of trouble
Stay paranoid. Stay safe. And remember: the security of your application is only as strong as the weakest link in your dependency tree.
Your Turn
Run npm audit on your projects today. How many vulnerabilities did you find? What's your supply chain security strategy? Share your approach in the comments below—let's learn from each other.
Stay secure, friends. ✌️
Top comments (0)