The Axios Supply Chain Attack Explained: How a Compromised npm Account Put 83 Million Projects at Risk

Source: DEV Community
TLDR: On March 31, 2026, between 00:21 and 03:29 UTC, two malicious versions of Axios — 1.14.1 and 0.30.4 — were published to npm via a compromised maintainer account. They silently installed a cross-platform remote access trojan (RAT) on any machine that ran npm install during that window. The malware targeted macOS, Windows, and Linux, contacted a live command-and-control server, self-deleted its own traces after execution, and established persistence. Axios has 83 million weekly downloads. If your CI/CD pipeline ran without a pinned version during those three hours, check your system now.

The Package Everyone Trusts

If you've written JavaScript in the last decade — frontend or backend — you've almost certainly used Axios. It's the HTTP client. The one that just works. It sits in millions of package.json files across the world as a dependency so standard it's rarely thought about. Which is exactly why it was targeted.

On the night of March 30–31, 2026, an attacker who had obtained th