Cisco Talos is investigating a supply chain incident that occurred on March 31, 2026. Two malicious versions of the widely used Axios npm package (v1.14.1 and v0.30.4) were published for approximately three hours. These versions introduced a bogus runtime dependency that executed automatically during installation, sent system information to actor-controlled infrastructure, and then downloaded a loader specific to the host operating system.
On macOS systems, an executable binary was downloaded and executed. On Windows systems, a legitimate executable was copied and a hidden-privilege PowerShell script was run. On Linux systems, a Python backdoor was downloaded. It is recommended to pin to the known-safe previous versions (v1.14.0 or v0.30.3) and to investigate any system that downloaded a malicious version.
The consequences can be severe, as the actors exfiltrated credentials and gained remote management capabilities. Affected organizations need to rotate credentials and cut off any further access.
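The mechanism described above (a dependency whose code runs automatically during `npm install`) is detectable from artifacts already on disk. The following is an added example, not Talos's code or part of the advisory: it audits an npm lockfile for the two compromised Axios versions, lists every installed package that declares install-time lifecycle hooks, and names the safe pin for each hit. The lockfile and package manifests embedded below are constructed sample data; `example-malicious-dep` is a placeholder name, not the real dependency from the incident.

```javascript
// Added example (not from the advisory): audit an npm dependency tree for the
// compromised Axios releases and for install-time lifecycle scripts.

const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]); // from the advisory
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // run by npm install

// Safe pin for an affected version line, per the advisory's guidance.
function safePinFor(version) {
  return version.startsWith("1.") ? "1.14.0" : "0.30.3";
}

// Walk a package-lock.json (v2/v3 "packages" map or v1 "dependencies" tree)
// and return every axios entry resolved to a compromised version.
function findCompromisedAxios(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios") && COMPROMISED_AXIOS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  }
  if (lock.dependencies) walkV1(lock.dependencies, "", hits);
  return hits;
}

function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "axios" && COMPROMISED_AXIOS_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    if (meta.dependencies) walkV1(meta.dependencies, path + "/", hits);
  }
}

// Given a map of node_modules path -> parsed package.json, return the packages
// that declare hooks npm executes during installation. Any unexpected entry
// here deserves a look, whether or not axios itself is at a bad version.
function findInstallScripts(manifests) {
  const out = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length > 0) {
      out.push({ path, name: pkg.name, hooks: hooks.map((h) => `${h}: ${scripts[h]}`) });
    }
  }
  return out;
}

// --- Constructed sample input (not real data from the incident) ---
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },                          // compromised
    "node_modules/some-tool/node_modules/axios": { version: "0.30.3" },   // safe nested copy
    "node_modules/example-malicious-dep": { version: "0.0.1" },           // placeholder name
  },
};

const SAMPLE_MANIFESTS = {
  "node_modules/axios": { name: "axios", version: "1.14.1", scripts: { test: "mocha" } },
  "node_modules/example-malicious-dep": {
    name: "example-malicious-dep", version: "0.0.1",
    scripts: { postinstall: "node setup.js" },                            // placeholder hook
  },
};

// Combine both checks into one report with a pin recommendation per hit.
function audit(lock = SAMPLE_LOCK, manifests = SAMPLE_MANIFESTS) {
  const axiosHits = findCompromisedAxios(lock);
  const hooks = findInstallScripts(manifests);
  const recommendations = axiosHits.map((h) => `${h.path}: pin axios to ${safePinFor(h.version)}`);
  return { axiosHits, hooks, recommendations };
}

console.log(JSON.stringify(audit(), null, 2));
```

In a real environment, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and a walk over `node_modules/*/package.json`; a hit in `axiosHits` means the host should be treated as potentially compromised and handled per the advisory (investigate, rotate credentials), not merely re-pinned.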