
The Axios Supply Chain Attack: How a "Phantom Dependency" Compromised Millions
On March 31, 2026, the software development and Web3 communities were hit by one of the most severe supply chain attacks in recent memory. Axios, a widely used JavaScript HTTP client with an estimated 100 million to more than 300 million weekly downloads, was compromised: threat actors injected a malicious dependency into a published release, and that dependency delivered a cross-platform Remote Access Trojan (RAT) to developer workstations, CI/CD runners, and enterprise servers.

When the attack first surfaced, the Axios maintainers were unable to regain control of the project. In a public GitHub issue, a collaborator stated that they could not revoke access from the account responsible for the malicious publish, noting that the attacker's permissions exceeded their own.

The incident stands out not only for its blast radius but for the techniques the attackers used to bypass modern CI/CD safeguards, evade forensic detection, and exploit AI-assisted development habits.

Account Hijack and Bypass
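The practical check the incident calls for is to compare the package.json committed in a library's source repository with the package.json inside the tarball the registry actually served, and to treat anything the published copy gained as suspect. The script below is an added example written for this page; it is not the article's code, not the Axios project's code, and it reproduces nothing from the incident itself. Both manifests are constructed placeholders with invented package names, and the lifecycle-script check is a general hardening step rather than a claim about how this particular payload ran.

```javascript
// Added example (not from the article or the Axios project): report what a
// published npm manifest contains that the committed source manifest does not.
// A dependency or install hook that exists only in the registry copy is the
// "phantom dependency" pattern described above. All names below are invented.

const DEPENDENCY_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall"];

// Dependencies that are new in the published manifest, or whose version range
// differs from what the source repository declares.
function findPhantomDependencies(sourceManifest, publishedManifest) {
  const findings = [];
  for (const field of DEPENDENCY_FIELDS) {
    const src = sourceManifest[field] || {};
    const pub = publishedManifest[field] || {};
    for (const [name, range] of Object.entries(pub)) {
      if (!Object.prototype.hasOwnProperty.call(src, name)) {
        findings.push({ field, name, range, reason: "absent from source manifest" });
      } else if (src[name] !== range) {
        findings.push({ field, name, range, reason: `range changed from ${src[name]}` });
      }
    }
  }
  return findings;
}

// Install-time hooks the published copy added or altered. These execute on
// every `npm install`, so a change here deserves the same scrutiny as a new
// dependency (generic check, not a statement about this incident's mechanism).
function findAddedLifecycleScripts(sourceManifest, publishedManifest) {
  const src = sourceManifest.scripts || {};
  const pub = publishedManifest.scripts || {};
  return LIFECYCLE_SCRIPTS
    .filter((hook) => hook in pub && pub[hook] !== src[hook])
    .map((hook) => ({ hook, command: pub[hook] }));
}

function auditPublishedManifest(sourceManifest, publishedManifest) {
  const phantomDependencies = findPhantomDependencies(sourceManifest, publishedManifest);
  const addedLifecycleScripts = findAddedLifecycleScripts(sourceManifest, publishedManifest);
  return {
    phantomDependencies,
    addedLifecycleScripts,
    suspicious: phantomDependencies.length > 0 || addedLifecycleScripts.length > 0,
  };
}

// Constructed sample: what the repository says versus what the registry served.
const sourceManifest = {
  name: "example-http-client",
  version: "0.0.0",
  dependencies: { "http-helper": "^1.2.0", "form-encoder": "^4.0.0" },
  scripts: { test: "node test.js" },
};

const publishedManifest = {
  name: "example-http-client",
  version: "0.0.0",
  dependencies: {
    "http-helper": "^1.2.0",
    "form-encoder": "^4.1.0",          // range silently bumped
    "unexpected-helper": "^0.0.1",     // present only in the registry copy
  },
  scripts: { test: "node test.js", postinstall: "node ./setup.js" },
};

console.log(JSON.stringify(auditPublishedManifest(sourceManifest, publishedManifest), null, 2));
```

To run this against a real package, take the source manifest from the tagged commit (for example `git show v1.2.3:package.json`) and the published one from the tarball that `npm pack <name>@<version>` writes, which contains it at `package/package.json`. Compare the tarball, not the registry's metadata view, because the tarball is what `npm install` executes.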


