Someone Backdoored axios on npm. Here is How to Check if You Were Hit

On March 31, 2026, two malicious versions of axios were published to npm: axios@1.14.1 and axios@0.30.4 . Both were live for roughly three hours before npm pulled them down. During that window, anyone who ran npm install axios could have had a Remote Access Trojan (RAT) dropped silently on their machine or CI runner, with no errors and no warnings. This post breaks down what happened, how the attack worked, and the exact commands to check if you were affected. What happened The attacker compromised the npm account of the primary axios maintainer. Using stolen credentials, they published two new releases across both the 1.x and 0.x branches within 39 minutes of each other. The account's registered email was quietly changed to an attacker-controlled ProtonMail address before the releases went out. Here is what makes this attack stand out: there is zero malicious code inside axios itself. Both releases simply added one new runtime dependency to package.json : a package called plain-crypto