A sophisticated supply chain attack has compromised Axios, one of the most widely used HTTP clients in the JavaScript ecosystem, by introducing a malicious transitive dependency into the official npm registry. The incident poses a significant threat to modern web applications, as Axios is deeply embedded across frontend frameworks, backend services, and enterprise systems, with approximately 83 million weekly downloads.

The attack involved the unauthorized publication of new Axios versions that declare a malicious package, plain-crypto-js@4.2.1, as a dependency, so that any fresh install of those versions pulls it in. The package has been flagged by automated malware detection systems. Given Axios’s extensive adoption, the potential impact of this compromise is substantial, prompting urgent response measures from developers and security teams worldwide.

According to security researchers, the attackers deviated from Axios’s standard release practices to execute the breach. Typically, official releases are tagged on GitHub alongside npm publications. However, the compromised versions were pushed directly to the npm registry without corresponding GitHub tags, indicating a deliberate bypass of established release workflows.

At the time of the incident, version 1.14.0 remained the latest legitimate release visible on GitHub. The malicious versions appeared shortly after the publication of the rogue dependency, suggesting a coordinated effort to inject harmful code into the supply chain with minimal visibility.

The malicious package, plain-crypto-js@4.2.1, was published on March 30, 2026, just minutes before the compromised Axios versions were released. Automated detection systems identified the anomaly within minutes, highlighting the rapid execution strategy designed to maximize exposure before mitigation efforts could begin.

To avoid raising immediate suspicion, the attackers made minimal changes to the Axios codebase. Instead of altering core functionality, they simply added the malicious package to Axios’s dependency tree. This subtle approach is a common tactic in supply chain attacks: because a dependency’s own code runs when it is installed or imported, threat actors can execute arbitrary code indirectly without touching the library’s source, evading traditional code review processes that focus on the library itself.

Further investigation into npm registry logs has linked the malicious package to a publisher account identified as “jasonsaayman.” This raises concerns about a potential account compromise, such as stolen credentials or a hijacked session, allowing unauthorized access to publish malicious artifacts.

Security experts are urging organizations to take immediate action by auditing their software supply chains. Developers and DevOps teams should review dependency trees, lockfiles, feature branches, and active pull requests to identify any exposure to the affected versions. Note that a caret range such as ^1.14.0 in package.json permits 1.14.1, so projects without a committed lockfile, or CI jobs that refresh it, may have picked up a compromised version automatically; the lockfile, not the manifest, records what was actually installed.

The compromised components identified in the attack include Axios versions 1.14.1 and 0.30.4, both of which include the malicious dependency, as well as the plain-crypto-js package itself. Any instances of these versions should be removed immediately or rolled back to a verified safe release, such as Axios 1.14.0.

As the situation continues to evolve, organizations are advised to implement continuous monitoring and threat hunting practices to detect any signs of exploitation. The incident underscores the growing risks associated with open-source supply chains and the need for stronger security controls, including dependency verification, access management, and real-time threat detection.

This attack serves as a stark reminder that even widely trusted and heavily used libraries can become vectors for large-scale compromise, reinforcing the importance of proactive security measures across the software development lifecycle.
