
axios Got Hacked. If You Ran npm install Yesterday, Read This Now.
axios. The HTTP client that's in basically every JavaScript project on earth. 100 million weekly downloads. Present in roughly 80% of cloud environments according to Wiz. And as of yesterday, two of its versions were shipping a remote access trojan.

This isn't a theoretical vulnerability. This is a full supply chain compromise. If you ran npm install between approximately 00:21 and 03:15 UTC on March 31, 2026, and your dependency tree pulled axios@1.14.1 or axios@0.30.4, a RAT was dropped on your machine. macOS, Windows, Linux. All three.

What Happened

StepSecurity identified the attack on March 30. The attacker compromised the npm account of jasonsaayman, the lead maintainer of the axios project. They changed the account's email to ifstap@proton.me (an attacker-controlled ProtonMail address) and used the stolen credentials to publish two malicious versions.

The critical detail: legitimate axios releases are published through GitHub Actions using OIDC trusted publishing. These malicious
Continue reading on Dev.to JavaScript



