Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT
Blog post from Snyk
On March 31, 2026, two compromised versions of the popular JavaScript HTTP client library axios, 1.14.1 and 0.30.4, were briefly published to npm. Both carried a hidden dependency that installed a cross-platform remote access trojan (RAT) on any machine that ran npm install during a specific two-hour window. Because the payload executed at install time, CI/CD pipelines, developer environments and build systems could be compromised without any of the application's own code ever calling into axios.

The attack originated from a hijacked npm maintainer account, which let the attacker publish the malicious versions directly under the legitimate package name and so bypass the typical safeguards against rogue packages. The RAT was designed to run on macOS, Windows and Linux, executing commands and accessing system data. The malicious versions were swiftly removed from npm, but the incident highlights critical weaknesses in supply chain security and the need for robust dependency management practices such as lockfile enforcement and postinstall script auditing. One caveat for practitioners: a lockfile only protects installs that honor it (npm ci rather than a fresh npm install that re-resolves semver ranges), and install-time hooks can be disabled outright with npm's ignore-scripts setting for packages that do not need them. More broadly, the attack underscores the risks associated with maintainer account security and the implicit trust placed in widely used open-source packages.
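As an added example (not code from the Snyk post or the axios project), the following Node.js script audits a package-lock.json for the two axios versions named above and lists every package the lockfile flags as carrying an install-time script, which is the starting point for the lockfile enforcement and postinstall auditing the post recommends. The lockfile in the block is a constructed sample; the package names example-lib and example-native-addon are hypothetical.

```javascript
// Added example, not code from the Snyk post or the axios project.
// Audits an npm lockfile (v1 "dependencies" tree or v2/v3 "packages" map) for
// the two axios versions the post names as compromised, and lists every package
// npm flagged with hasInstallScript (preinstall/install/postinstall hooks).

// Versions named in the post as the compromised releases.
const COMPROMISED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);

// Constructed sample lockfile (lockfileVersion 3). "example-lib" and
// "example-native-addon" are hypothetical package names used for illustration.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "example-lib": "^2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/example-lib": { version: "2.0.0" },
    "node_modules/example-lib/node_modules/axios": { version: "1.13.5" },
    "node_modules/example-native-addon": { version: "1.0.0", hasInstallScript: true },
  },
};

// Package name is whatever follows the last "node_modules/" in a v2/v3 path
// (covers nested copies and scoped names such as node_modules/@scope/pkg).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns every installed copy of axios as { path, version, compromised }.
function findAxiosVersions(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, compromised: COMPROMISED_AXIOS_VERSIONS.has(version) });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "" && nameFromPath(path) === "axios") record(path, meta.version);
    }
  } else {
    // lockfileVersion 1 nests transitive dependencies under each entry.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "axios") record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Paths of packages npm recorded as having install hooks (v2/v3 only;
// v1 lockfiles do not carry this flag, so the list is empty for them).
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path]) => path);
}

function auditLock(lock) {
  const axios = findAxiosVersions(lock);
  const compromisedAxios = axios.filter((h) => h.compromised);
  return {
    axios,
    compromisedAxios,
    installScripts: packagesWithInstallScripts(lock),
    ok: compromisedAxios.length === 0,
  };
}

// Stand-alone run on the constructed sample; replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) for a real tree.
const report = auditLock(SAMPLE_LOCK);
for (const h of report.axios) {
  console.log(`${h.compromised ? "COMPROMISED" : "ok"}  axios@${h.version}  (${h.path})`);
}
for (const p of report.installScripts) console.log(`review install script: ${p}`);
console.log(report.ok ? "no compromised axios version found" : "ACTION REQUIRED");
```

The check walks the whole tree rather than only the top-level entry because a transitive dependency can pull in its own nested copy of axios at a different version. The hasInstallScript flag is what npm itself writes into v2/v3 lockfiles, so the second list is a cheap way to enumerate which packages would run code at install time before deciding whether to set ignore-scripts.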