On March 30, 2026, Axios, a widely used JavaScript HTTP client library, became the target of a significant supply chain attack. The attacker compromised the npm account of the core maintainer, 'jasonsaayman', and manually published two maliciously modified versions of the library, axios@1.14.1 and axios@0.30.4, bypassing the standard release procedures. These versions had been surreptitiously injected with a counterfeit dependency package, plain-crypto-js@4.2.1. Upon installation, that package's postinstall script ran automatically, downloading and executing a cross-platform Remote Access Trojan (RAT). The Trojan concealed itself on macOS, Windows, and Linux systems, connected to remote servers, downloaded further malicious programs, and erased its tracks after execution, making it exceedingly difficult for developers to detect.
The attack was detected a mere 7 minutes after the release of the malicious versions. However, this brief window was sufficient for thousands of automated build systems worldwide to be infiltrated. The Axios team reacted promptly, designating the malicious versions as deprecated and issuing a clean version, 1.14.3. Nevertheless, systems that had already installed the tainted versions might still be executing malicious code, posing a grave security risk.
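Because the tainted versions may already sit in a project's lockfile, the quickest check is to scan package-lock.json for the versions named above and for any dependency npm recorded as carrying an install-time lifecycle script (the mechanism the counterfeit package abused). The following is an added example, not code from the Axios project or from this write-up; it assumes the lockfileVersion 2/3 layout, where "packages" maps install paths to entries, and uses a constructed sample lockfile.

```javascript
// Added example (not from the Axios project): scan a package-lock.json
// (lockfileVersion 2 or 3 layout, where "packages" maps install paths to
// entries) for the tainted versions named in the write-up and for any
// dependency that npm recorded as having an install-time lifecycle script.

// Indicators taken from the write-up above.
const TAINTED = {
  'axios': new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Derive the package name from a lockfile path such as
// "node_modules/axios/node_modules/plain-crypto-js" or
// "node_modules/@scope/pkg" (nested and scoped packages both handled).
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Returns { tainted: [...], installScripts: [...] } as "name@version" strings.
function scanLockfile(lock) {
  const tainted = [];
  const installScripts = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    const version = entry.version;
    if (TAINTED[name] && TAINTED[name].has(version)) {
      tainted.push(`${name}@${version}`);
    }
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall.
    if (entry.hasInstallScript) {
      installScripts.push(`${name}@${version}`);
    }
  }
  return { tainted, installScripts };
}

// Constructed sample lockfile for demonstration; not a real capture.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', hasInstallScript: false },
    'node_modules/axios/node_modules/plain-crypto-js': {
      version: '4.2.1', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any entry in `installScripts` deserves a look even when it is not one of the named indicators.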
