On March 31, 2026, someone hijacked the npm account of axios's lead maintainer and published two malicious versions: axios@1.14.1 and axios@0.30.4. Both contained a hidden dependency called plain-crypto-js whose postinstall script dropped a cross-platform RAT on every developer machine that ran npm install.
The RAT harvested SSH keys, cloud tokens, AWS credentials, and anything else it could find. It was live on npm for over 12 hours before being pulled. Axios gets 40+ million weekly downloads.
Here's how the attack worked, what the industry got wrong, and what you can do about it.
The attack chain
Step 1: Account takeover. The attacker changed the email on the user's npm account to an attacker-controlled ProtonMail address. npm did not require re-authentication for this change.
Step 2: Pre-staging. 18 hours before the main attack, the attacker published plain-crypto-js@4.2.1 — a clean-looking package with no obvious malicious code. This gave it time to build a benign-looking publish history.
Step 3: Payload delivery. The attacker published axios@1.14.1 (latest tag) and axios@0.30.4 (legacy tag) within 39 minutes of each other. Both added plain-crypto-js as a dependency.
Step 4: Execution. When a developer ran npm install, npm resolved the new axios version, pulled in plain-crypto-js, and ran its postinstall script. That script:
- Detected the OS (macOS, Windows, or Linux)
- Downloaded a platform-specific RAT binary
- Established a C2 connection
- Began harvesting credentials
- Cleaned up after itself by rewriting its own package.json
The whole thing took less than 2 seconds.
Why existing tools missed it
npm audit only checks against known CVEs. A brand-new malicious package has no CVE yet. npm audit said nothing.
Dependabot is reactive — it alerts after the advisory is published, not before. The advisory came 12+ hours after the malicious version was live.
Snyk relies on its vulnerability database. Same problem — the database lags behind the attack.
Socket.dev was the fastest to detect it (behavioral analysis flagged the new dependency and install script), but even Socket took hours to publish an alert.
The gap between "malicious package published" and "advisory issued" was 12+ hours. That's 12 hours where every npm install of axios pulled down a RAT.
What actually protects you
The common advice is "pin your dependencies" and "use lockfiles." That helps with automated installs, but it doesn't help when:
- A developer manually runs
npm install axios@latest - An AI coding assistant runs
npm installon your behalf - You're starting a new project and installing fresh
What you actually need is a check that runs before install scripts execute. Something that looks at the package and says "this is suspicious" before it's too late.
What we built
After seeing the axios warning on r/ClaudeAI, we built Ward — an open-source tool that hooks into your package manager and checks every package before install scripts run.
$ npm install axios@1.14.1
✗ ward: BLOCKED
This version steals SSH keys and cloud credentials
Safe version: 1.14.0
It checks four things locally in under 200ms:
1. Known threat database. Ward ships with 42 verified real-world attacks (axios, event-stream, ua-parser-js, colors/faker, the Solana web3.js compromise, the Shai-Hulud worm, and more). The database syncs daily from GitHub Advisories and community submissions.
2. Typosquat detection. If you try to install axxios instead of axios, Ward warns you. It uses Levenshtein distance against the top 500 npm packages.
3. Install script analysis. Ward flags packages with unknown preinstall/postinstall scripts. Known-safe patterns like node-gyp rebuild are allowed through.
4. Version anomaly detection. Unexpected major version jumps (1.x to 4.x) and non-existent versions get flagged.
Setup takes 30 seconds
npm install -g wardshield
ward init
That's it. Ward hooks into npm (and bun and yarn) transparently. You don't change your workflow — you just have protection.
If you use AI coding assistants
Ward was built specifically for the AI-assisted development workflow. When Claude Code, Cursor, or Copilot runs npm install on your behalf, Ward screens it. There's a Claude Code hook that intercepts every install command before it executes.
This matters because AI tools install packages without you reviewing every one. The attack surface is larger when an agent is making decisions about your dependencies.
The threat feed
We maintain a public threat feed at wardshield.com with every verified supply chain attack we track. There's also a JSON API at api.wardshield.com/threats if you want to build on top of it.
It's free and open source
Ward is MIT licensed. The full local engine is free, unlimited, forever. No account needed, no cloud required. The source is at github.com/Vanguard-Defense-Solutions/ward.
Built by Vanguard Defense Solutions.
The axios attack was not sophisticated. It was an account takeover followed by a dependency injection. The same attack pattern has been used successfully against event-stream (2018), ua-parser-js (2021), colors/faker (2022), @solana/web3.js (2024), and dozens more.
Top comments (0)