Axios, with 80M+ weekly downloads, was targeted in an attack that makes installed versions contact a C2 server for payloads.
If you are a JavaScript developer, you’re likely familiar with Axios, the popular library with over 80 million weekly downloads. Developers use Axios to make network requests, handle form submissions, perform CRUD operations, and manage file uploads in both browser and Node.js environments.
Now, researchers at StepSecurity have notified the public that two specific versions, axios@1.14.1 and axios@0.30.4, have been pwned by hackers. This was likely achieved through stolen npm credentials belonging to a lead maintainer, and the attackers even managed to change the email address on the account. They then manually published these poisoned versions, completely bypassing the project's standard GitHub Actions and cryptographic signing processes.
According to StepSecurity, the affected versions did not alter the core Axios code but instead injected a hidden, fake dependency named plain-crypto-js. This fake package, which Axios never actually uses in its source, runs a postinstall script right when you install it.
That script acts as a cross-platform remote access trojan (RAT) dropper, hitting machines running Windows, macOS, and Linux, and then contacts a command and control (C2) server. After it installs the malware, the dropper attempts to self-destruct, replacing its own package.json with a clean version to evade detection.
The hackers used some pretty clever obfuscation techniques to hide what the malware was actually doing on your machine. They encoded sensitive strings like shell commands and file paths into a complex array that gets decoded at runtime using a specific XOR cipher key.
To check if your computer has been compromised, try the following commands:
# Check for the malicious axios versions in your project
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
# Look for the hidden dependency directory
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"
# Check for RAT artifacts on Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"
If you think you might be infected (remember the affected versions are axios@1.14.1 and axios@0.30.4), downgrade Axios to the last known safe version. Use axios@1.14.0 for 1.x users and the last safe 0.x release for 0.x users, but make sure to add an overrides block in your package.json to prevent transitive dependencies from pulling in the bad versions:
"overrides": {
"axios": "1.14.0"
}
You also need to remove plain-crypto-js from node_modules and then run npm install --ignore-scripts to prevent any other postinstall hooks from running.
Another very important thing you should do is rotate all your credentials, like NPM tokens, AWS access keys, SSH private keys, cloud credentials, and any values found in .env files accessible during install.
For CI/CD pipelines, always run npm ci --ignore-scripts to stop postinstall hooks from running automatically.
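The one-liners above check the top-level install and one Linux artifact. The script below, an added example and not code from StepSecurity or the Axios project, does the same checks more thoroughly for a project directory: it walks node_modules for every installed copy of axios (nested copies that a transitive dependency pulled in can be hidden by a top-level npm list), flags any presence of plain-crypto-js in node_modules or in package-lock.json, and also confirms that the overrides pin from the remediation steps is actually in place. Function names, the fixture layout, and the placeholder version for the fake package are this example's own assumptions; the version numbers come from the post.

```shell
#!/bin/sh
# Added example (not StepSecurity's or the Axios project's code): scan a project
# for the indicators in the post and check that the overrides pin is present.
# Function names and the fixture layout are this example's own assumptions.

BAD_AXIOS="1.14.1 0.30.4"        # compromised releases named in the post
SAFE_AXIOS_1X="1.14.0"           # last safe 1.x release named in the post
DROPPER_PKG="plain-crypto-js"    # fake dependency carrying the postinstall dropper

# Print the "version" field of a package.json (first match only).
pkg_version() {
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print every installed axios version, nested copies included; a top-level
# `npm list axios` can hide a duplicate that a transitive dependency pulled in.
installed_axios_versions() {
  [ -d "$1/node_modules" ] || return 0
  find "$1/node_modules" -type f -path '*/node_modules/axios/package.json' 2>/dev/null |
  while read -r pj; do pkg_version "$pj"; done
}

# Print the axios version pinned under "overrides" in package.json, if any.
overrides_pin_axios() {
  [ -f "$1/package.json" ] || return 0
  sed -n '/"overrides"/,/}/p' "$1/package.json" |
  sed -n 's/.*"axios":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Exit status 0 = no indicator found, 1 = at least one found (details on stdout).
check_project() {
  dir="$1"; hit=0
  for v in $(installed_axios_versions "$dir"); do
    for bad in $BAD_AXIOS; do
      [ "$v" = "$bad" ] && { echo "axios@$v installed: compromised release"; hit=1; }
    done
  done
  # The fake dependency is an indicator wherever it appears: Axios never uses it.
  if find "$dir/node_modules" -type d -name "$DROPPER_PKG" 2>/dev/null | grep -q .; then
    echo "$DROPPER_PKG present under node_modules"; hit=1
  fi
  if [ -f "$dir/package-lock.json" ] && grep -qE "node_modules/$DROPPER_PKG\"" "$dir/package-lock.json"; then
    echo "$DROPPER_PKG recorded in package-lock.json"; hit=1
  fi
  # Not an infection indicator, but without the pin a transitive dependency can
  # reintroduce a bad version on the next install.
  [ "$(overrides_pin_axios "$dir")" = "$SAFE_AXIOS_1X" ] || echo "warning: no overrides pin for axios@$SAFE_AXIOS_1X"
  return $hit
}

# Constructed fixture (not a real install): a project that pulled the bad release.
# The fake package's version is a placeholder; the post does not give it.
make_fixture() {
  mkdir -p "$1/node_modules/axios" "$1/node_modules/$DROPPER_PKG"
  printf '{\n  "name": "axios",\n  "version": "1.14.1"\n}\n' > "$1/node_modules/axios/package.json"
  printf '{\n  "name": "%s",\n  "scripts": { "postinstall": "node index.js" }\n}\n' "$DROPPER_PKG" > "$1/node_modules/$DROPPER_PKG/package.json"
  printf '{\n  "lockfileVersion": 3,\n  "packages": {\n    "node_modules/axios": { "version": "1.14.1" },\n    "node_modules/%s": { "version": "0.0.0-placeholder" }\n  }\n}\n' "$DROPPER_PKG" > "$1/package-lock.json"
  printf '{\n  "name": "demo",\n  "dependencies": { "axios": "^1.14.0" }\n}\n' > "$1/package.json"
}

demo=$(mktemp -d)
make_fixture "$demo"
check_project "$demo" || echo "indicators found in the constructed fixture (expected)"
rm -rf "$demo"
```

Run it against a real project with check_project /path/to/project; a non-zero exit means at least one indicator was found. The lockfile check matters because the dropper deletes evidence of itself after running, while package-lock.json still records what npm resolved, and it is also what npm ci --ignore-scripts will reinstall if the bad entries are not removed first.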
Hope you enjoyed this news post. Feedback welcome.
Posted Tuesday 31 March 2026 at 6:13 pm AEST (my time).
News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of February) 854