Security Breach in Axios: Malicious Versions Published
By jasonsaayman
AI Summary
On March 31, 2026, my npm account was compromised, leading to the publication of two malicious Axios versions, 1.14.1 and 0.30.4. These versions included a dependency, plain-crypto-js@4.2.1, which installed a remote access trojan on various operating systems. The malicious versions were quickly removed after being live for about three hours. If you suspect your system is affected, check your lockfile for these versions and take immediate action by downgrading Axios, deleting the malicious dependency, and rotating all credentials.
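The lockfile check described above, as an added example that is not code from the Axios project or the original issue: it walks a package-lock.json object (both the lockfileVersion 1 `dependencies` tree and the v2/v3 `packages` map) and reports any install of the versions named in the advisory. The sample lockfile is constructed for the demonstration.

```javascript
// Versions named in the advisory: axios 1.14.1 / 0.30.4 and plain-crypto-js 4.2.1.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// lockfileVersion 2/3 keys entries by install path, e.g.
// "node_modules/a/node_modules/@scope/b"; the package name is the last segment.
function nameFromPath(installPath) {
  const parts = installPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns [{ name, version, where }] for every compromised install found.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // v2/v3 format: flat map of install paths; "" is the root project itself.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === "") continue;
      check(nameFromPath(installPath), meta.version, installPath);
    }
    return hits;
  }

  // v1 format: nested "dependencies" tree, one level per node_modules hop.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (lockfileVersion 3) containing both malicious packages.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any hit means the remediation steps above apply.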
The breach occurred due to a social engineering attack that gave the attacker access to my npm credentials. In response, we are implementing several security measures, including resetting all devices and credentials, adopting an immutable release setup, and improving our overall security posture. We are also updating our GitHub Actions to follow best practices.
The attack timeline reveals that the social engineering campaign began two weeks before the breach, with the malicious versions being published and detected on March 31. Community members quickly reported the compromise, and actions were taken to deprecate the affected versions and remove them from npm.
This incident highlights the need for continuous monitoring and strong security measures, especially for open-source maintainers who are prime targets for sophisticated attacks. We are collaborating with security experts and organizations to investigate and prevent future incidents. Our gratitude goes to @DigitalBrainJS and the npm security team for their swift response.
The immediate threat has been neutralized, and we are committed to enhancing our security practices in collaboration with industry groups. We will continue to update the community as the investigation progresses.
Key Concepts
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. It involves tricking individuals into breaking normal security procedures.
Security posture refers to an organization's overall security status, including its ability to protect against, detect, and respond to security threats.
Original source: https://github.com/axios/axios/issues/10636
Summarized by Mente