Axios npm package compromised in supply chain attack
A supply chain attack compromised the popular Axios library via npm, installing malware on developers' devices. Learn about the impact and security recommendations.
A serious security incident has occurred in the JavaScript ecosystem: the popular Axios library was compromised through a supply chain attack. An attacker gained access to a key npm maintainer's account and published malicious versions of the package that silently installed malware on developers' devices. Given that Axios is downloaded tens of millions of times per week, the potential impact was extremely significant.
The malicious versions included a hidden dependency disguised as a legitimate cryptographic package. In practice, that dependency ran an install-time script which connected to a remote server and downloaded a remote access trojan for several operating systems. After execution, the malicious code erased traces of its presence by replacing files, making detection difficult even during later analysis of the system.
The attack was carefully planned and unfolded in stages: first, the attacker published a "clean" version of the fake package, followed by a malicious one. Within a short timeframe, infected Axios versions were released for several release branches, broadening the potential victim pool. Experts note that the infected builds were publicly available for only a few hours, but that was enough for the threat to spread.
Cybersecurity specialists warn that systems where these versions were installed should be considered fully compromised. They recommend immediately changing all credentials and conducting a deep infrastructure review. This incident highlights the vulnerability of modern software supply chains and the risks associated with trust in popular open-source packages.