axios
Axios npm Account Takeover and RAT
A direct npm account takeover of the lead maintainer bypassed OIDC trusted publishing and turned a routine axios release into an installation-time trap. Version 1.14.1 carried a malicious postinstall hook that pulled a multi-platform RAT through node_modules/plain-crypto-js, letting dependency resolution become the quiet delivery rail for remote access.
- Date
- 2026-03-31
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Remote access
- Cause
- Compromised Account/Credentials
What Was Affected
Package
axios
LanguageJavaScript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.com
Repository
github.com/axios/axios
Compromised Versions
Incident Context
- Motive
- Backdoor/Remote Code Execution
- Attribution
- Third Party
- Transitive
- No
- User Impact
- 0
- Observed Duration
- 0 days
Indicators and Changes
Hashes
sha256:e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
External References
Source Data
Source record: oss/axios/meta.yaml