A recent npm supply chain compromise tied to axios turned a routine dependency update into a malware delivery path.
On March 31, 2026, attackers used a compromised maintainer account to publish two malicious axios versions, 1.14.1 and 0.30.4. Those releases pulled in a hidden dependency called plain-crypto-js, which dropped a remote access trojan during installation on macOS, Windows, and Linux. In Huntress’s early response, the company reported at least 135 endpoints in its partner base contacting the attacker’s infrastructure during the exposure window.
What happened in the axios incident
Attackers appear to have hijacked a maintainer account and bypassed the project’s usual GitHub Actions publishing flow by publishing directly through the npm CLI. The poisoned releases were live for roughly three hours before removal. The malicious dependency used a postinstall script, so the malware ran automatically during installation with no action from the user. Because the compromised versions carried the latest and legacy dist-tags, a routine npm install axios could resolve to a poisoned package by default.
Who was most exposed?
- Developer workstations that ran a fresh install.
- CI/CD pipelines that pulled the compromised versions during builds.
- Production deployments that did not use a pinned lockfile.
- Projects that depended on axios directly or indirectly, not just teams that added it by hand.
Why this npm supply chain compromise matters
This kind of attack reaches beyond the dev team. A compromised laptop or build server can expose API keys, cloud credentials, customer data paths, and deployment workflows. That is why early guidance focused on treating affected systems as potentially compromised and rotating secrets, not just uninstalling a package.
For startups in Boston or Cambridge, speed is often part of the advantage. So is trust. When a trusted package turns into a malware delivery method, leadership needs fast visibility, calm decision-making, and a plan that reaches endpoints, cloud systems, and vendors.
What your team should do right now
- See if you’re on an affected package: Search lockfiles and dependency trees for axios@1.14.1, axios@0.30.4, and plain-crypto-js.
- Ensure you’re on a safe axios version: Pin to a known-good version and avoid the poisoned releases. Early incident guidance pointed teams to 1.14.0 or 0.30.3 as the last clearly known-good versions on those branches.
- Rotate credentials: Assume exposed systems may be compromised and rotate tokens, passwords, SSH keys, and other secrets tied to those machines.
- Check for IoCs locally and remotely: Review logs for suspicious outbound activity and hunt for indicators of compromise on developer endpoints and build infrastructure.
- Batten down the hatches: Tighten the process going forward by committing lockfiles, favoring deterministic installs in CI, and limiting install scripts where practical.
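The lockfile and dependency-tree search from the first step, written out as an added shell script that is not from the original post. It uses only the indicators named above (axios 1.14.1, axios 0.30.4, and plain-crypto-js), assumes npm's pretty-printed package-lock.json layout, and builds a constructed sample project so it can demonstrate itself offline.

```shell
#!/bin/sh
# Added example, not from the original post: hunt one project for the indicators
# named above, in the lockfile and in the installed node_modules tree.
# Assumes npm's pretty-printed package-lock.json layout (one key per line).

BAD_AXIOS_RE='1\.14\.1|0\.30\.4'   # the two poisoned axios releases
BAD_PACKAGE='plain-crypto-js'       # hidden dependency that dropped the RAT

# scan_lockfile LOCKFILE: print each indicator found; return 0 on any hit, else 1.
scan_lockfile() {
  lock="$1"; found=1
  # v1 lockfiles key entries as "axios": {, v2/v3 as "node_modules/axios": {;
  # in both forms the "version" line follows within the next few lines.
  vers=$(grep -E -A3 '"([^"]*/)?axios": ?[{]' "$lock" \
           | grep -Eo "\"version\": ?\"($BAD_AXIOS_RE)\"" || true)
  if [ -n "$vers" ]; then echo "HIT $lock: axios $vers"; found=0; fi
  if grep -q "\"$BAD_PACKAGE\"" "$lock"; then
    echo "HIT $lock: references $BAD_PACKAGE"; found=0
  fi
  return $found
}

# scan_node_modules DIR: check every installed axios copy, nested ones included.
scan_node_modules() {
  dir="$1"; found=1
  hits=$(find "$dir" -path '*/node_modules/axios/package.json' \
           -exec grep -El "\"version\": ?\"($BAD_AXIOS_RE)\"" {} + </dev/null 2>/dev/null || true)
  if [ -n "$hits" ]; then echo "HIT poisoned axios installed: $hits"; found=0; fi
  pcj=$(find "$dir" -type d -path "*/node_modules/$BAD_PACKAGE" 2>/dev/null || true)
  if [ -n "$pcj" ]; then echo "HIT $BAD_PACKAGE installed: $pcj"; found=0; fi
  return $found
}

# write_sample_project DIR: constructed sample tree carrying both indicators so
# the script can demonstrate itself offline; it is not real project data.
write_sample_project() {
  mkdir -p "$1/node_modules/axios" "$1/node_modules/$BAD_PACKAGE"
  printf '{\n  "name": "axios",\n  "version": "0.30.4"\n}\n' > "$1/node_modules/axios/package.json"
  printf '{\n  "lockfileVersion": 3,\n  "packages": {\n    "node_modules/axios": {\n' > "$1/package-lock.json"
  printf '      "version": "1.14.1",\n      "dependencies": { "%s": "*" }\n    }\n  }\n}\n' \
    "$BAD_PACKAGE" >> "$1/package-lock.json"
}

# Demo against the constructed sample; point both scans at a real project directory instead.
proj=$(mktemp -d)
write_sample_project "$proj"
scan_lockfile "$proj/package-lock.json"
scan_node_modules "$proj"
```

A hit from either scan means the machine should be treated as potentially compromised and handed to the credential-rotation and IoC steps above, not just cleaned with a reinstall.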
Where Bay State IT’s cybersecurity services help
A strong response is not only about removing one bad package. It is about knowing which devices touched it, what credentials may have been exposed, and how to reduce the odds of the next incident.
Bay State IT’s cybersecurity services help businesses build that discipline. That can include reviewing endpoint exposure, tightening identity and credential practices, improving alerting, hardening cloud and development workflows, and creating a response plan that does not start from scratch when something urgent happens. For companies with lean internal teams, outside support can turn a confusing alert into a clear set of next steps.
The larger lesson from this npm axios supply chain compromise
This is one of many vulnerabilities that have hit npm in recent months. These incidents are a reminder that trusted software can still become a threat when an account, token, or publishing workflow is compromised. The right response is not panic. It is visibility, speed, and disciplined cybersecurity operations.
Need help reviewing exposure, strengthening your software supply chain controls, or preparing for the next incident? Reach out to Bay State IT; our team is happy to help.