Axios, a widely used JavaScript HTTP client with more than 100 million weekly npm downloads, was compromised in a sophisticated supply chain attack. The attacker used credentials stolen from the user jasonsaayman to publish malicious versions (1.14.1 and 0.30.4) that distributed a remote access trojan (RAT) across multiple platforms.
The compromise was particularly ingenious: the attacker introduced a phantom dependency, plain-crypto-js@4.2.1, whose postinstall hook implanted persistent malware on macOS, Windows, and Linux systems. The malware operated covertly and then removed itself, replacing its own files with clean copies to hinder forensic detection.
Automated npm security scanners detected the malicious dependency within minutes, demonstrating the value of such monitoring tools. npm's administrators quickly removed the compromised versions, but thousands of developers could have been affected during the exposure window.