Axios Compromised: How a Backdoored npm Package Dropped a RAT on 100M+ Downloads
The JavaScript ecosystem just suffered one of its most significant supply chain attacks in recent memory. Axios, the ubiquitous HTTP client library downloaded over 100 million times per week, was compromised when attackers gained access to a maintainer's npm account and pushed malicious versions containing a Remote Access Trojan (RAT).
This is not just another security headline. If you use Node.js in any capacity—whether for backend APIs, frontend builds, or DevOps scripts—this incident affects you directly.
Table of Contents
- What Happened
- How the Attack Worked
- The Timeline of Events
- Which Versions Were Affected
- How to Check if You Were Affected
- What Attackers Could Do With the RAT
- The npm Ecosystem Problem
- How to Protect Yourself
- Lessons Learned
- Conclusion
What Happened
On March 30, 2026, security researchers at StepSecurity discovered that the popular axios npm package—used by millions of developers for making HTTP requests in JavaScript and TypeScript applications—had been backdoored.
Attackers compromised an existing maintainer's account and published malicious versions (axios@1.14.1 and axios@0.30.4) that included a Remote Access Trojan. The trojan was disguised within the package's build process, making it difficult to detect through standard auditing methods.
The attack was sophisticated: it didn't modify the source code directly but injected malicious code during the post-install script execution, allowing attackers to:
- Execute arbitrary code on developer machines
- Steal environment variables (including API keys and credentials)
- Establish persistent remote access
- Spread laterally within CI/CD environments
How the Attack Worked
The attackers leveraged a technique that security teams call "dependency confusion" combined with "typosquatting" elements. However, in this case, they went straight for the maintainer account—indicating either a phishing compromise or credential stuffing attack.
The Infection Vector
```javascript
// Malicious code was injected into postinstall scripts
// disguised as part of the normal build process
// The RAT connected to an external server and awaited commands
const net = require('net')
const { exec } = require('child_process')
// This code ran silently during npm install
// Exfiltrating environment variables and system info
```
Why This Was Effective
- Trusted package: Axios is used by major frameworks and companies
- Silent execution: The malicious code ran in postinstall scripts
- Wide reach: 100M+ weekly downloads meant massive impact potential
- Persistence: The RAT could survive reinstallation attempts
The Timeline of Events
| Date | Event |
|---|---|
| March 28, 2026 | Attackers compromise maintainer account |
| March 29, 2026 | Malicious versions published to npm |
| March 30, 2026 | StepSecurity researchers discover the breach |
| March 30, 2026 | npm removes malicious versions, notifies users |
| March 31, 2026 | Full disclosure and technical analysis published |
The attack went undetected for approximately 48 hours before being discovered and remediated.
Which Versions Were Affected
According to the official axios security advisory, the following versions were compromised:
How to Check if You Were Affected
Run these commands in your project directory:
```bash
# Check your axios version
npm list axios
# View detailed dependency tree
npm ls axios
# Check for postinstall scripts
grep -r "postinstall" node_modules/axios/package.json
```
For Package.json Inspection
```json
// Check your package.json for affected versions
{
  "dependencies": {
    "axios": "1.14.1" // VULNERABLE
  }
}
```
GitHub's Advantage
If you use Dependabot or GitHub Actions, check your security advisories tab. GitHub automatically flagged projects using vulnerable versions.
What Attackers Could Do With the RAT
Once installed on a developer's machine, the Remote Access Trojan had broad capabilities:
Data Exfiltration
```javascript
// The RAT could steal:
// - AWS/GCP/Azure credentials from environment
// - npm tokens and registry authentication
// - SSH keys
// - Database connection strings
// - API keys for third-party services
process.env.API_KEYS // All environment variables
process.env.AWS_ACCESS_KEY
process.env.NPM_TOKEN
```
Lateral Movement
The RAT wasn't limited to the developer's machine. In CI/CD environments, it could:
- Access production credentials stored in secrets managers
- Modify build artifacts to inject backdoors into released software
- Pivot to internal corporate networks
- Establish command-and-control channels for future attacks
Real-World Impact Scenarios
- Developer machine compromised → SSH keys stolen → Production servers accessed
- CI/CD pipeline compromised → Malicious code injected into app → Users download backdoored software
- npm token stolen → More packages compromised → Supply chain escalates
The npm Ecosystem Problem
This incident highlights a systemic vulnerability in the JavaScript package ecosystem. With over 2 million packages and billions of daily downloads, npm has become an attractive target for attackers.
The Numbers
- 2.1M+ packages in the npm registry
- 100B+ weekly downloads
- 17M developers using npm
- 1 compromise can affect millions of projects
Why Traditional Security Fails
| Security Measure | Effectiveness Against This Attack |
|---|---|
| Code review | ❌ Malicious code injected at build time |
| npm audit | ❌ RAT was obfuscated |
| Lockfiles | ❌ Lockfile guarantees the malicious version |
| Type checking | ❌ Runtime malicious code not caught |
The Maintainer Account Problem
The root cause is simple: account security. npm's model relies on maintainers securing their accounts, but:
- No mandatory 2FA enforcement (until recently)
- Password reuse across breaches
- Lack of behavioral monitoring
- No hardware security key requirement
How to Protect Yourself
Immediate Actions
- Update axios immediately

```bash
npm install axios@1.14.0
# or
yarn add axios@1.14.0
```

- Rotate all credentials that were present during the affected period:
  - npm tokens
  - Cloud provider keys
  - API keys
  - SSH keys
- Audit your environment variables for suspicious access
Long-Term Security Practices
Use npm audit and socket.dev
```bash
# Install socket.dev for enhanced package analysis
npm install -g @socket.dev/npm
socket npm audit
```
Implement Lockfiles Strictly
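```bash
# In CI/CD, install strictly from the lockfile. npm ci already does this and
# fails if package.json and the lockfile disagree; --frozen-lockfile is the
# Yarn/pnpm equivalent, not an npm flag.
npm ci
```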
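A lockfile pins versions, but as the table above notes it pins a malicious version just as faithfully; what it also records is which entries run install-time scripts, which is where the article says the payload executed. The following is an added example (not part of the original article) that diffs two parsed lockfiles for packages that newly gained such a script. It assumes lockfileVersion 2 or 3; `native-addon`, the function names and both sample lockfiles are constructed.

```javascript
// Added example: compare two parsed lockfiles (lockfileVersion 2/3) and report
// packages that gained an install-time script. npm records this per entry as
// hasInstallScript: true when preinstall, install or postinstall is declared.
function scriptedPackages(lock) {
  const found = new Map(); // "name@version" -> install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.hasInstallScript) continue;
    const i = path.lastIndexOf("node_modules/");
    const name = meta.name || (i < 0 ? path : path.slice(i + 13));
    found.set(`${name}@${meta.version}`, path);
  }
  return found;
}

function newInstallScripts(baseLock, headLock) {
  const before = scriptedPackages(baseLock);
  const nameOf = (id) => id.slice(0, id.lastIndexOf("@"));
  const namesBefore = new Set([...before.keys()].map(nameOf));
  const findings = [];
  for (const [id, path] of scriptedPackages(headLock)) {
    if (before.has(id)) continue; // this exact name@version was already reviewed
    // firstSeen: no version of this package declared install scripts before.
    findings.push({ id, path, firstSeen: !namesBefore.has(nameOf(id)) });
  }
  return findings;
}

// Constructed sample: "native-addon" builds on install in both lockfiles;
// the bumped axios entry declares an install script for the first time.
const BASE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.0" },
  "node_modules/native-addon": { version: "4.0.0", hasInstallScript: true },
} };
const HEAD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1", hasInstallScript: true },
  "node_modules/native-addon": { version: "4.0.1", hasInstallScript: true },
} };
```

A `firstSeen` finding on a package that never needed install scripts is the signal worth blocking a merge on; running `npm ci --ignore-scripts` in CI keeps such a script from executing before it has been reviewed.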
Enable npm's Enhanced Security Features
```bash
# Enable 2FA for login and for writes such as publishing
npm profile enable-2fa auth-and-writes
# Use token-based authentication with a read-only token
npm token create --read-only
```
Monitor Your Dependency Tree
```bash
# Use tools like Socket, Snyk, or GuardDog
# (the version range is quoted so the shell does not treat ">" as a redirect)
npx @socket.dev/npm audit --package "axios@>=0.21.0"
```
Lessons Learned
For Developers
- Lock your dependencies: Use `package-lock.json` and `npm ci` in CI/CD
- Verify package integrity: Use `npm audit` and third-party tools
- Principle of least privilege: Don't give packages more permissions than needed
- Monitor your environment: Use secret scanning tools like GitHub's secret scanning
For Organizations
- Supply chain security is critical: Treat dependencies as first-class security concerns
- Implement runtime protection: Use tools like Sysdig, Falco, or similar
- Network segmentation: Isolate CI/CD environments from production
- Incident response plans: Have a playbook for supply chain attacks
For the Ecosystem
- Mandatory 2FA: npm should enforce hardware security keys for popular packages
- Code signing: Implement provenance attestation for packages
- Automated threat detection: AI/ML-based anomaly detection for package behavior
- Maintainer security training: Education on phishing and credential security
Conclusion
The Axios supply chain attack is a stark reminder that open-source security is everyone's responsibility. While the JavaScript ecosystem's scale and convenience are remarkable, that same scale makes it an attractive target for malicious actors.
The good news: this attack was discovered and remediated relatively quickly. The malicious versions were available for only 48 hours before npm removed them. However, in that window, thousands of projects may have been compromised.
Immediate action items:
- Update axios to version >= 1.14.0
- Rotate any credentials that were exposed
- Implement the security practices outlined above
- Share this information with your team
The security of your applications depends not just on your code, but on the code you trust. Stay vigilant, audit your dependencies, and never assume that popular packages are automatically safe.
If you found this article helpful, share it with your fellow developers. See you in the next post!