
Axios Was Compromised. Here’s What Laravel Developers Need to Check
Axios was compromised on npm on March 31, 2026. Here is what Laravel teams should check, who is actually at risk, and how to respond.

A compromised npm release of Axios created real risk for Laravel apps that use modern frontend tooling. This was not a Laravel vulnerability. It was not a Composer incident. It was a JavaScript supply chain issue that could hit your local machine, CI runner, preview environment, or deploy process if that environment resolved the poisoned packages on March 31, 2026.

The affected versions widely reported so far are axios@1.14.1 and axios@0.30.4. Those releases pulled in plain-crypto-js@4.2.1, a malicious dependency described in security writeups as a post-install malware path with cross-platform remote access trojan behavior. That distinction matters because this story is about package versions, not Laravel versions.

What happened

Early incident reporting from Socket and StepSecurity points to a compromised Axios maintainer account that was used to publi
Continue reading on Dev.to JavaScript




