Axios Compromised: The 2-Hour Window Between Detection and Damage
Blog post from Stream.Security
A recent supply chain attack on March 30, 2026, involved the compromise of an npm maintainer account, leading to the publication of two malicious versions of the popular axios package. The attack, which unfolded over a short time span, involved the insertion of a malicious post-install hook into the npm package plain-crypto-js, which was then pulled in as a dependency of the compromised axios versions. Although the attack was detected swiftly by CI/CD scanners and the malicious packages were removed within hours, the incident highlights the critical vulnerability window during which any npm install that resolved those versions executed the malicious payload. This attack underscores the limitations of relying solely on Indicators of Compromise (IOCs) for detection, as attackers continue to evolve tactics, such as obfuscation and self-cleaning mechanisms, to evade detection. It emphasizes the need for behavioral detection methods that can identify deviations from normal application processes and unexpected network connections in real time, as supply chain attacks targeting high-download packages are becoming increasingly frequent and sophisticated.
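The two defender-side checks the summary points at, an audit of which installed packages declare install-time lifecycle hooks and a behavioral rule over process and network events recorded during an `npm install`, as an added example that is not part of the Stream.Security post. All package names, versions, hosts and events below are constructed placeholders, not the real axios or plain-crypto-js artifacts, and the `Event` record format is an assumption standing in for whatever the endpoint sensor actually emits.

```python
"""Added example: two checks against install-time supply-chain compromise.

1. find_install_scripts: walk parsed package.json manifests from node_modules
   and report every package that declares a lifecycle hook (the vector in the
   incident lived in a transitive dependency, so the whole tree is checked).
2. flag_install_anomalies: a behavioral rule that treats the npm install
   process and its descendants as a unit and flags outbound connections to
   hosts outside a registry allowlist or child processes that are not the
   expected npm/node/sh trio. No IOC (hash, domain) is needed for either.
"""
from dataclasses import dataclass
from typing import Dict, List

# npm lifecycle hooks that run arbitrary code during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(manifests: Dict[str, dict]) -> List[dict]:
    """Return each installed package (by node_modules path) declaring a hook."""
    findings = []
    for path, pkg in sorted(manifests.items()):
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({"path": path, "name": pkg.get("name"),
                             "version": pkg.get("version"), "hooks": hooks})
    return findings


@dataclass
class Event:
    pid: int
    ppid: int
    comm: str    # process image name
    kind: str    # "exec" or "connect"
    detail: str  # argv for exec, "host:port" for connect


def flag_install_anomalies(events: List[Event], root_pid: int,
                           allowed_hosts: set,
                           expected_comms=("npm", "node", "sh")) -> List[str]:
    """Flag unexpected children or connections under the install process."""
    # Collect the install process and every descendant seen in exec events.
    tree = {root_pid}
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.kind == "exec" and e.ppid in tree and e.pid not in tree:
                tree.add(e.pid)
                changed = True
    alerts = []
    for e in events:
        if e.pid not in tree:
            continue
        if e.kind == "exec" and e.comm not in expected_comms:
            alerts.append(f"unexpected child process pid={e.pid} "
                          f"comm={e.comm} ({e.detail})")
        elif e.kind == "connect":
            host = e.detail.rsplit(":", 1)[0]
            if host not in allowed_hosts:
                alerts.append(f"unexpected outbound connection pid={e.pid} "
                              f"comm={e.comm} -> {e.detail}")
    return alerts


# Constructed sample data (placeholders, not real packages or hosts).
MANIFESTS = {
    "node_modules/example-http-client": {
        "name": "example-http-client", "version": "1.0.0",
        "dependencies": {"example-dep": "^2.0.0"},
        "scripts": {"test": "jest"}},                     # test script only
    "node_modules/example-dep": {
        "name": "example-dep", "version": "2.0.1",
        "scripts": {"postinstall": "node install.js"}},   # install-time hook
    "node_modules/harmless": {"name": "harmless", "version": "0.1.0"},
}
EVENTS = [
    Event(100, 1, "npm", "exec", "npm install"),
    Event(100, 1, "npm", "connect", "registry.npmjs.org:443"),   # expected
    Event(101, 100, "sh", "exec", "sh -c node install.js"),      # hook runner
    Event(102, 101, "node", "exec", "node install.js"),
    Event(102, 101, "node", "connect", "203.0.113.7:443"),       # not registry
    Event(103, 102, "bash", "exec", "bash -c ./setup.sh"),       # not expected
    Event(200, 1, "sshd", "connect", "203.0.113.7:22"),          # outside tree
]
ALLOWED_HOSTS = {"registry.npmjs.org"}

if __name__ == "__main__":
    for f in find_install_scripts(MANIFESTS):
        print("hook:", f)
    for a in flag_install_anomalies(EVENTS, 100, ALLOWED_HOSTS):
        print("alert:", a)
```

The first check is what a CI gate can run on a fresh checkout before any script executes; pairing it with `ignore-scripts=true` in `.npmrc` keeps lifecycle hooks from running at all unless explicitly allowed. The second check is the behavioral rule the summary argues for: it keys on the process tree and destination host rather than on a hash or domain, so it still fires when the payload is obfuscated or removes itself after running.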