What the Axios Supply Chain Attack Revealed About Lockfiles and pnpm 10
How-To, Systems


via Dev.to, by Chioma Halim

In late March 2026, one of the most widely used JavaScript libraries in the world, Axios, was at the center of a serious supply chain attack. Let’s break down what happened, why it matters, and what you can do to better protect your applications.

Summary of the attack

On March 31, 2026, attackers compromised an Axios maintainer’s npm account and published two malicious versions:

axios@1.14.1
axios@0.30.4

These versions looked legitimate but included a hidden dependency (plain-crypto-js) that executed a malicious script during install. When a developer or CI system ran npm install axios@1.14.1, npm resolved the dependency tree, pulled in the malicious package, and automatically executed its postinstall script. This script downloaded a cross-platform (macOS, Linux, and Windows) Remote Access Trojan (RAT), giving attackers remote access to the machine, the ability to execute commands, and access to sensitive data. It also cleaned up traces afterward to avoid detection. The malicious v
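One defender-side check that follows from the mechanism just described, as an added example (my code, not from the article or the Axios project): it audits an npm package-lock.json for the two axios versions and the dependency named in the article, and flags any package whose lockfile entry carries hasInstallScript, which is how npm records that a package has install-time lifecycle scripts. The lockfile below is constructed for the example; the plain-crypto-js version is a placeholder because the article does not give it.

```python
import json

# Indicators taken from the article. Treat them as a starting point, not a complete list.
COMPROMISED_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
SUSPECT_PACKAGES = {"plain-crypto-js"}


def package_name(path):
    """Map a lockfile path such as 'node_modules/@scope/a/node_modules/b' to 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return (path, name, version, reason) findings for a package-lock.json
    (lockfileVersion 2 or 3) that has already been loaded into a dict."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = package_name(path)
        version = entry.get("version", "")
        if version in COMPROMISED_VERSIONS.get(name, set()):
            findings.append((path, name, version, "known compromised release"))
        if name in SUSPECT_PACKAGES:
            findings.append((path, name, version, "known malicious dependency"))
        if entry.get("hasInstallScript"):
            # Anything here would run code on `npm install`; review it before installing.
            findings.append((path, name, version, "declares an install script"))
    return findings


# Constructed lockfile: the plain-crypto-js and follow-redirects versions are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "1.14.1"}},
    "node_modules/axios": {"version": "1.14.1",
                           "dependencies": {"plain-crypto-js": "*"}},
    "node_modules/plain-crypto-js": {"version": "0.0.0", "hasInstallScript": true},
    "node_modules/follow-redirects": {"version": "0.0.0"}
  }
}
""")

if __name__ == "__main__":
    for path, name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{reason}: {name}@{version} ({path})")
```

Running a check like this against the committed lockfile before `npm ci` surfaces a swapped dependency even when package.json is unchanged, since the lockfile is where the resolved tree actually lives.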

Continue reading on Dev.to
