## Axios npm Package Compromised: Malicious Versions 1.14.1 & 0.30.4 Deploy Cross-Platform RAT
A critical supply chain attack has compromised the widely used `axios` HTTP client library. On March 31, 2026, the npm account of the axios lead maintainer was hijacked and used to publish two malicious package versions: `axios@1.14.1` and `axios@0.30.4`. These tainted releases declared a hidden dependency, `plain-crypto-js@4.2.1`, engineered to deploy a cross-platform Remote Access Trojan (RAT) capable of infecting macOS, Windows, and Linux systems. The malware is designed to harvest developer credentials, SSH keys, cloud access tokens, and other secrets directly from compromised machines.

The npm registry has since removed the malicious packages; the last known safe version is `axios@1.14.0`. The attack is a software supply chain compromise in which a trusted dependency, rather than any flaw in the consuming application's own code, is the entry point into the developer ecosystem. Security firm StepSecurity has published a detailed report on the incident, which is being actively discussed in internal developer channels and on the axios GitHub repository.

This incident forces immediate action for any project using axios. Developers and organizations must manually pin their dependency to `axios@1.14.0` and implement overrides in their `package.json` files to prevent automatic or accidental upgrades to the compromised versions. The breach underscores the persistent vulnerability of open-source maintainer accounts and the cascading risk such compromises pose to downstream applications and infrastructure globally. All teams are urged to audit their dependencies and lockfiles immediately.
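As an added example (not code from the report or from the axios project), the following Node script carries the `package.json` override the article recommends and audits a `package-lock.json` for the compromised versions and the dropper dependency named above; the sample lockfile is constructed here, and the names `COMPROMISED`, `PACKAGE_JSON_OVERRIDES` and `findCompromised` are this example's own.

```javascript
// Added example: audit an npm lockfile for the compromised axios releases and
// the plain-crypto-js dropper, and pin axios to the last safe version.
// Versions and the indicator package come from the report above.
const COMPROMISED = { axios: ['1.14.1', '0.30.4'], 'plain-crypto-js': ['4.2.1'] };
const SAFE_AXIOS = '1.14.0';
// Fragment to merge into package.json: "overrides" forces every transitive
// axios in the tree to 1.14.0, not just the direct dependency.
const PACKAGE_JSON_OVERRIDES = {
  dependencies: { axios: SAFE_AXIOS },
  overrides: { axios: SAFE_AXIOS },
};
// Handles both lockfile shapes: lockfileVersion 2/3 ("packages" keyed by
// node_modules path) and lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED[name];
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const marker = 'node_modules/';
    check(path.slice(path.lastIndexOf(marker) + marker.length), meta.version, path);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, prefix + name);
      walk(meta.dependencies, prefix + name + ' > ');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}
// Constructed sample lockfile (v3 shape) with one compromised install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};
// Usage: node audit.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  console.log(hits.length ? hits : 'no compromised packages found');
}
```

A non-empty result means the lockfile still resolves a compromised release; after adding the override, rerun `npm install` and the audit until it reports nothing.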

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-attack, npm, malware, RAT, open-source-security
- **Credibility**: unverified
- **Published**: 2026-03-31 13:27:21
- **ID**: 43347
- **URL**: https://whisperx.ai/en/intel/43347