Key moments
On March 31, 2026, the widely used Axios npm package was compromised in a significant supply chain attack, raising alarms across the software development community. The attack, which occurred between approximately 00:21 and 03:30 UTC, involved the publication of malicious versions of Axios, specifically [email protected] and [email protected], using a compromised maintainer account.
During the three hours that the malicious versions were live, they were downloaded by numerous users, with Axios averaging around 300 million weekly downloads. The malicious packages declared a hidden dependency on [email protected], whose postinstall script functioned as a Remote Access Trojan (RAT) and ran automatically during installation. This gave the attackers unauthorized remote access to affected systems, posing a significant threat to developers and organizations.
The attack’s impact was particularly pronounced on Continuous Integration and Continuous Deployment (CI/CD) pipelines and developer workstations that installed the compromised packages. With around 100 million weekly downloads of affected packages, the potential for widespread disruption was considerable.
This incident follows a growing trend of attackers targeting software supply chains through indirect dependency injection, a method that exploits the trust developers place in popular libraries and packages. Ilkka Turunen, a cybersecurity expert, commented on the situation, stating, “Attackers have figured out they don’t need to compromise the code people trust if they can compromise the trust around it.”
In response to the attack, npm removed the malicious versions of Axios shortly after their discovery. However, the incident has raised concerns about the overall security of software supply chains. Turunen further noted, “When a widely trusted package can be turned into a delivery path like this, the issue is bigger than package hygiene. It’s a trust problem in the software supply chain.”
As organizations assess the damage, details remain unconfirmed regarding the exact number of systems affected by the malicious packages and the full extent of the attack’s impact on downstream dependencies. Developers are advised to delay new package installations for at least 72 hours to mitigate potential risks.
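As an added example (not code from the article or from the Axios project), the following Node.js script turns the 72-hour delay and the install-script mechanism described above into an automated gate: it flags lockfile entries whose version was published less than 72 hours ago and entries that declare install hooks. The registry timestamps and lockfile entries are constructed stand-ins for `npm view <pkg> time --json` output and for the `hasInstallScript` flag npm records in v2+ lockfiles; the package names are hypothetical.

```javascript
// Release-age and install-script gate for a resolved dependency tree.
// All data below is CONSTRUCTED for illustration; none of it is real Axios metadata.
const MIN_AGE_HOURS = 72;

// Constructed stand-in for `npm view <pkg> time --json` (version -> publish time).
const registryTimes = {
  "example-lib":    { "1.2.0": "2026-03-01T10:00:00Z", "1.2.1": "2026-03-31T00:21:00Z" },
  "example-helper": { "0.9.0": "2026-02-10T08:00:00Z" },
};

// Constructed stand-in for the "packages" section of package-lock.json.
// hasInstallScript is the flag npm sets when a package declares preinstall/install/postinstall.
const lockPackages = {
  "node_modules/example-lib":    { name: "example-lib",    version: "1.2.1", hasInstallScript: false },
  "node_modules/example-helper": { name: "example-helper", version: "0.9.0", hasInstallScript: true  },
};

function ageHours(publishedIso, nowMs) {
  return (nowMs - Date.parse(publishedIso)) / 3_600_000;
}

// Returns one finding per problem: "unknown-version" (not in registry metadata),
// "too-new" (published within MIN_AGE_HOURS) and "install-script" (runs code on install).
function auditLock(packages, times, nowMs = Date.now()) {
  const findings = [];
  for (const entry of Object.values(packages)) {
    const published = times[entry.name]?.[entry.version];
    if (published === undefined) {
      findings.push({ pkg: entry.name, version: entry.version, reason: "unknown-version" });
      continue;
    }
    const age = ageHours(published, nowMs);
    if (age < MIN_AGE_HOURS) {
      findings.push({ pkg: entry.name, version: entry.version, reason: "too-new", ageHours: Math.round(age) });
    }
    if (entry.hasInstallScript) {
      findings.push({ pkg: entry.name, version: entry.version, reason: "install-script" });
    }
  }
  return findings;
}

// Evaluate as of 03:30 UTC on the day of the incident (constructed clock), then print findings.
const asOf = Date.parse("2026-03-31T03:30:00Z");
for (const finding of auditLock(lockPackages, registryTimes, asOf)) console.log(finding);
```

In a CI pipeline, a non-empty "too-new" list would block the install until the cooling-off period has passed, and "install-script" findings are the entries to review (or to neutralise with `npm ci --ignore-scripts`) before trusting a fresh lockfile.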
The Axios incident highlights the vulnerabilities present in software ecosystems and underscores the need for enhanced security measures to protect against similar attacks in the future. As the software community continues to grapple with these challenges, the focus will likely shift towards improving trust and security protocols within the development process.