The Axios JavaScript HTTP client, which sees nearly 300 million weekly downloads, was compromised in a precision supply chain attack targeting its npm maintainer account.

Attackers hijacked the primary maintainer's credentials, swapped the project's contact email to a Proton Mail address, and published malicious versions 1.14.1 and 0.30.4. No malicious code resides in the Axios library code itself - instead, the compromised package acts as a self-deleting installer that deploys OS-specific remote access trojans.

On macOS, the payload disguises itself as a system daemon; on Windows, it embeds in PowerShell; on Linux, it deploys a Python backdoor. Security researchers at Step Security Inc. confirmed the attack was meticulously staged - three payloads pre-built, release branches poisoned within 39 minutes, and all artifacts designed to self-destruct.

Huntress Labs reports active exploitation. Any environment that installed axios@1.14.1 or axios@0.30.4 must be treated as compromised. Immediate action is required: audit dependencies (including transitive ones pulled in by other packages), downgrade to verified versions, rotate credentials, and scan for the OS-specific malware artifacts described above.

This incident underscores the growing threat of supply chain attacks, in which adversaries compromise trusted software to reach the high-value targets that depend on it. Cybersecurity Ventures projects such attacks will cost businesses $138 billion annually by 2031.