How to Check for Impacted axios Packages in Your SBOM
Blog post from Arnica
In March 2026, a security breach occurred when a threat actor compromised the npm account of the axios library maintainer, leading to the release of two malicious versions of axios, a widely used JavaScript HTTP client. The attacker used hijacked credentials to publish [email protected] and [email protected] on the npm registry, introducing a hidden dependency on [email protected], which deployed a cross-platform remote access trojan (RAT) targeting various operating systems. The malicious package was pre-staged and disguised to evade detection, with the RAT contacting a command-and-control server and delivering payloads specific to macOS, Windows, and Linux. The attack also impacted additional npm packages and could automatically affect projects using certain version ranges. Both malicious axios versions have been removed from npm, and users are advised to downgrade to safe versions and check their systems for indicators of compromise. The article recommends steps such as auditing CI/CD pipelines, blocking egress to the attacker's server, and implementing stricter package management practices to prevent future incidents.
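As an added example (not code from the Arnica post), the SBOM check the title refers to, written against a constructed CycloneDX 1.5 document: it matches npm purls against a deny-list and traces each hit to the components that pull it in, which is how a hidden transitive dependency like the one described above surfaces in an SBOM rather than in a top-level manifest. The malicious version numbers are not given on this page, so `FLAGGED` holds placeholder values and `hidden-dep-placeholder` stands in for the hidden package; `SAMPLE_SBOM`, `_comp`, `parse_npm_purl` and `find_flagged` are all constructed here.

```python
# Deny-list {package name: versions}. The malicious axios and hidden-dependency
# versions are not given on this page; these are constructed placeholders to be
# replaced with the values from the advisory you rely on.
FLAGGED = {
    "axios": {"9.9.9-placeholder-a", "9.9.9-placeholder-b"},
    "hidden-dep-placeholder": {"9.9.9-placeholder-c"},
}

def _comp(name, version):
    """Constructed CycloneDX component; its purl doubles as the bom-ref."""
    purl = f"pkg:npm/{name}@{version}"
    return {"type": "library", "name": name, "version": version, "bom-ref": purl, "purl": purl}

# Constructed CycloneDX 1.5 SBOM: the app pins a flagged axios, which pulls in the hidden dep.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [_comp("my-app", "1.0.0"), _comp("axios", "9.9.9-placeholder-a"),
                   _comp("hidden-dep-placeholder", "9.9.9-placeholder-c"),
                   _comp("lodash", "4.17.21")],
    "dependencies": [
        {"ref": "pkg:npm/my-app@1.0.0",
         "dependsOn": ["pkg:npm/axios@9.9.9-placeholder-a", "pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/axios@9.9.9-placeholder-a",
         "dependsOn": ["pkg:npm/hidden-dep-placeholder@9.9.9-placeholder-c"]},
    ],
}

def parse_npm_purl(purl):
    """Return (name, version) from a pkg:npm purl; scoped names arrive as %40scope/name."""
    if not purl.startswith("pkg:npm/"):
        return None
    name, sep, version = purl[len("pkg:npm/"):].split("?", 1)[0].rpartition("@")
    return (name.replace("%40", "@"), version) if sep and name else None

def find_flagged(sbom, flagged=FLAGGED):
    """Map each flagged component's bom-ref to the bom-refs that depend on it."""
    hits = {}
    for comp in sbom.get("components", []):
        parsed = parse_npm_purl(comp.get("purl", ""))
        if parsed and parsed[1] in flagged.get(parsed[0], ()):
            hits[comp.get("bom-ref", comp["purl"])] = []
    for edge in sbom.get("dependencies", []):  # trace each hit to what pulls it in
        for target in edge.get("dependsOn", []):
            if target in hits:
                hits[target].append(edge["ref"])
    return hits
```

To scan a real export, replace `SAMPLE_SBOM` with `json.load(open(path))` on a CycloneDX JSON file; an empty result means no component's purl matched the deny-list.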