Originally reported by Sam Bent
TL;DR
The axios NPM package, downloaded 100 million times weekly, was compromised through a stolen authentication token. Malicious versions deployed a cross-platform remote access trojan to developer machines during routine npm install operations.
Supply chain compromise of axios, one of the most widely used NPM packages with 100 million weekly downloads, delivering RAT malware to potentially millions of developer machines.
The axios HTTP client library, one of JavaScript's most popular packages with over 100 million weekly downloads, was compromised through a stolen NPM authentication token according to security researcher Sam Bent. The attack deployed a cross-platform remote access trojan (RAT) to developer machines running routine npm install operations.
Bent's analysis reveals the attackers gained control of the axios package through credential compromise rather than exploiting NPM infrastructure directly. Once authenticated, the threat actors published malicious versions of the package containing embedded RAT functionality.
The timing and scale of the compromise maximized impact. Developers performing morning dependency updates or fresh project installations received the weaponized package automatically, provided their declared version ranges allowed the new release to resolve; a project installed from a committed lockfile with npm ci would have picked it up only once that lockfile was regenerated or updated. Given axios's ubiquity in the JavaScript ecosystem, the potential victim count extends to millions of developer workstations globally.
The malicious payload appears designed for cross-platform deployment, targeting the diverse development environments typical of modern JavaScript projects. The RAT's capabilities and command-and-control infrastructure remain under analysis, but the supply chain vector gives attackers extensive access to developer machines, which typically hold SSH keys, cloud credentials and further publishing tokens, and potentially to downstream production systems. CI build agents that run the same install step are exposed in the same way.
Package maintainers have not yet issued official statements regarding the compromise timeline or affected version ranges. NPM's response and remediation efforts are ongoing.
This incident underscores the fragility of modern software supply chains, where a single compromised credential can weaponize packages trusted by millions of developers. The axios compromise joins a growing list of NPM supply chain attacks targeting high-value packages with extensive dependency trees.
Developers should immediately audit recent axios installations: check which versions lockfiles and node_modules trees actually resolved to, look for unexpected network activity or system behavior on hosts that installed during the window, and treat any host that ran a malicious version as compromised, rotating the credentials stored on it. Organizations should review their dependency management policies and consider additional verification steps for critical packages, such as pinning exact versions, installing only from a reviewed lockfile, disabling install scripts by default, and holding back adoption of newly published releases until they have been vetted.
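One way to start that audit, as an added example that is not code from Sam Bent's report or from the axios project: the script below walks a checkout, finds every installed copy of a package (nested copies included), records its version and any preinstall/install/postinstall script, and compares the version against an allowlist the caller supplies. Because this page does not give the affected axios version ranges, nothing is hardcoded; the sample tree, its version strings and the hook command are constructed for the demonstration.

```python
"""Audit every installed copy of an npm package for install-time hooks.

Added example, not code from the original report or the axios project. It walks
a checkout, finds each node_modules/<package>/package.json (nested copies
included), records the version and any preinstall/install/postinstall script,
and compares the version to an allowlist the caller supplies. The affected
axios versions are not given on the page, so none are hardcoded: pass the
versions your reviewed lockfile resolved to.
"""
import json
import os
import tempfile
from dataclasses import dataclass

# Lifecycle scripts npm runs automatically when a registry tarball is installed.
# A dropper that executes during `npm install` has to be wired into one of these.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass
class Finding:
    path: str        # directory of the installed copy
    version: str     # "version" field of its package.json
    hooks: dict      # hook name -> command, empty when none are declared
    trusted: bool    # version appears in the caller's allowlist

    def is_suspicious(self):
        # An install hook is worth a look even on a trusted version; an
        # untrusted version is worth a look even without a hook.
        return bool(self.hooks) or not self.trusted


def installed_manifests(root, package):
    """Yield package.json paths of every installed copy of `package` under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(os.path.dirname(dirpath))
        if (parent == "node_modules" and os.path.basename(dirpath) == package
                and "package.json" in filenames):
            yield os.path.join(dirpath, "package.json")


def audit(root, package, trusted_versions):
    """Return a Finding for each installed copy of `package` under root."""
    trusted = set(trusted_versions)
    findings = []
    for manifest in installed_manifests(root, package):
        with open(manifest, encoding="utf-8") as fh:
            meta = json.load(fh)
        scripts = meta.get("scripts") or {}
        hooks = {name: scripts[name] for name in INSTALL_HOOKS if name in scripts}
        version = str(meta.get("version", "unknown"))
        findings.append(Finding(os.path.dirname(manifest), version, hooks,
                                version in trusted))
    return findings


def suspicious(findings):
    return [f for f in findings if f.is_suspicious()]


def build_sample_tree(root):
    """Constructed fixture (hypothetical versions and hook): one clean top-level
    copy of axios and one nested copy that declares a postinstall script."""
    clean = os.path.join(root, "node_modules", "axios")
    nested = os.path.join(root, "node_modules", "some-lib", "node_modules", "axios")
    os.makedirs(clean)
    os.makedirs(nested)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "axios", "version": "1.0.0"}, fh)
    with open(os.path.join(nested, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "axios", "version": "1.0.1",
                   "scripts": {"postinstall": "node setup.js"}}, fh)
    return root


def demo(trusted=("1.0.0",)):
    """Run the audit over the constructed tree; return the suspicious copies as
    (version, hooks, trusted) tuples plus the total number of copies found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = audit(tmp, "axios", trusted)
        flagged = sorted(((f.version, f.hooks, f.trusted) for f in suspicious(found)),
                         key=lambda t: t[0])
        return flagged, len(found)


if __name__ == "__main__":
    flagged, total = demo()
    print(f"{total} installed copies, {len(flagged)} suspicious")
    for version, hooks, trusted in flagged:
        print(f"  version {version} trusted={trusted} hooks={hooks}")
```

Run it from the repository root with the versions a reviewed lockfile resolved to; any copy with an install hook deserves a manual read of the referenced script before the machine is trusted. Setting ignore-scripts=true in .npmrc, or running npm ci --ignore-scripts, stops npm from executing these hooks at all; it also breaks packages that legitimately build during install, so treat it as a stopgap while the findings are checked.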