Axios Supply Chain Attack Exposes Crypto Wallets to Hidden Malware Risk

Axios npm Attack Exposed Crypto Apps to Malware After Hackers Published Poisoned Packages

Written By : Kelvin Munene
Reviewed By : Atchutanna Subodh

Axios, a widely used JavaScript HTTP client, was briefly distributed through npm in two malicious versions after a maintainer account was taken over. Security researchers said the poisoned releases were axios@1.14.1 and axios@0.30.4, and both pulled in a rogue dependency named plain-crypto-js@4.2.1. 

The affected releases were removed within hours, but the short exposure window still raised concern for teams that rely on automatic dependency updates.

Malicious Axios Releases Appeared Outside the Usual Workflow

Researchers at StepSecurity, Socket, and Wiz said the two Axios versions were published through a compromised maintainer account rather than the project’s normal release flow. Socket said the releases did not appear in Axios’ official GitHub tags, while Wiz said the packages were pushed through a taken-over npm account and later removed after disclosure.

The malicious releases added plain-crypto-js@4.2.1 as a dependency. Researchers said that package was not part of the regular Axios source code. 

Socket said an earlier clean version, plain-crypto-js@4.2.0, had been uploaded before the attack, then a malicious 4.2.1 version followed shortly before the Axios releases. That sequence suggested planning before the poisoned packages were published.

Hidden Dependency Installed Malware on Multiple Systems

Security researchers said the malicious dependency ran a postinstall script during package installation. Wiz said the script downloaded platform-specific second-stage payloads from an external server and then removed traces of itself. Socket also said the code renamed files after execution to reduce visible signs inside node_modules.

The malware targeted Windows, macOS, and Linux. Wiz said the payloads acted as remote access trojans that could execute commands, gather system details, and wait for instructions from a command-and-control server. 

StepSecurity described the incident as one of the more advanced attacks seen against a highly used npm package, while researchers warned that any environment that installed the bad versions should be treated as compromised until checked.

Crypto Projects Face Extra Risk From Exposed Secrets

The Axios incident drew attention in crypto circles because many wallets, exchanges, bots, and decentralized apps use JavaScript packages across build systems and developer machines. Wiz said Axios is present in a large share of cloud and code environments, while Socket placed its npm usage at about 100 million weekly downloads. That reach means even a brief attack window can expose many projects.

Researchers said there was no confirmed public record of stolen crypto tied to this Axios case at the time of publication. Still, security firms advised developers to check lockfiles for axios@1.14.1, axios@0.30.4, and plain-crypto-js@4.2.1, remove them, and move to axios@1.14.0 or 0.30.3. Wiz also said teams should rotate tokens, API keys, and other secrets if the malicious packages were executed, and review systems for outbound connections linked to the attack. 
