
axios Got Hijacked Today: A Technical Breakdown of the Most Sophisticated npm Supply Chain Attack Yet
If you use axios — and statistically, you do — you need to read this. On March 31, 2026, two malicious versions of axios were published to npm: 1.14.1 and 0.30.4. The attacker hijacked a lead maintainer's npm account, injected a hidden dependency that deploys a cross-platform RAT, and designed the entire payload to self-destruct after execution. The malicious versions were live for roughly 3 hours before npm pulled them.

This isn't a typosquat. This isn't a random package nobody uses. This is axios — 100M+ weekly downloads, present in virtually every Node.js project that touches HTTP.

What happened

The attacker compromised the npm account of jasonsaayman, the primary axios maintainer. They changed the account email to an anonymous ProtonMail address (ifstap@proton.me) and published the poisoned packages manually via the npm CLI, completely bypassing the project's GitHub Actions CI/CD pipeline. The key forensic signal: every legitimate axios 1.x release is published via GitHub Actions
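A defender's check built on that forensic signal, as an added example that is not code from the article: it walks a package-lock.json, flags the two version numbers named above, and flags any other axios copy whose registry metadata carries no provenance attestation (a manual CLI publish has none, a GitHub Actions publish does). The `versions[v].dist.attestations` layout of the registry response is an assumption, and the lockfile and registry data are constructed samples; in practice the supported check is `npm audit signatures`.

```javascript
// Added example, not from the article or the axios project.
// Flags axios entries in a lockfile that (a) match the malicious versions named
// in the write-up, or (b) have no provenance attestation in the registry
// metadata. ASSUMPTION: the registry packument exposes provenance under
// versions[v].dist.attestations; the data below is constructed, not real.

const KNOWN_BAD = new Set(['1.14.1', '0.30.4']); // versions named in the article

// Collect every installed copy of axios from a lockfile v2/v3 "packages" map,
// including nested copies under other packages' node_modules.
function axiosEntries(lockfile) {
  const out = [];
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      out.push({ path, version: pkg.version });
    }
  }
  return out;
}

// Return one finding per suspicious entry; known-bad versions take priority.
function auditAxios(lockfile, packument) {
  const findings = [];
  for (const { path, version } of axiosEntries(lockfile)) {
    if (KNOWN_BAD.has(version)) {
      findings.push({ path, version, reason: 'known-malicious version' });
      continue;
    }
    const meta = (packument.versions || {})[version];
    const hasProvenance = Boolean(meta && meta.dist && meta.dist.attestations);
    if (!hasProvenance) {
      findings.push({ path, version, reason: 'no provenance attestation' });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical versions, not real registry output).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/lib-a/node_modules/axios': { version: '1.6.0' },
    'node_modules/lib-b/node_modules/axios': { version: '1.7.0' },
  },
};
const SAMPLE_PACKUMENT = {
  versions: {
    '1.6.0': { dist: { attestations: { url: 'https://registry.example/att' } } },
    '1.7.0': { dist: {} }, // constructed: published without provenance
    '1.14.1': { dist: {} },
  },
};

console.log(auditAxios(SAMPLE_LOCK, SAMPLE_PACKUMENT));
```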
Continue reading on Dev.to Webdev