April 2, 2026
npm install: plot twist
Post Mortem: axios NPM supply chain compromise
Axios turned into a 3-hour booby trap — devs fume at npm and demand guardrails
TLDR: Two malicious Axios updates briefly installed a backdoor before the community flagged it and npm pulled the plug. Commenters are split between “this is on npm, add better safeguards” and “nothing stops owner account takeovers,” with extra chatter about safer publishing (OIDC) and what the malware actually did.
In a plot twist no one ordered, two fresh Axios releases briefly shipped a hidden dependency that dropped a “remote access trojan” (a backdoor that gives the attacker remote control of the machine) after the lead maintainer’s PC was compromised via social engineering. The attacker even used the maintainer’s account to delete early warning issues, until collaborator DigitalBrainJS blew the whistle and paged npm. The bad versions were live for about three hours before being purged, but the fallout lit up comment sections.
The vibe? Equal parts rage and doom. One camp is pointing at npm, with users calling for better automated scanning and saying there’s been an “incredible uptick” in supply-chain hits. Another camp shrugs grimly: if the owner’s account is hijacked, “you’re basically SOL.” Meanwhile, curious minds ask whether the new plan would have blocked this: OIDC-based trusted publishing (CI proves its identity to npm with a short-lived token, so no long-lived publish token sits on a developer’s machine waiting to be stolen) and “immutable releases” (once a version is published, its contents can’t be replaced). The honest answer hinges on whether publishing from a maintainer’s own machine is switched off entirely, since this attacker held the maintainer’s own credentials. The other open question: was the payload a quick data grab or a deeper, lurking nightmare?
The memes are spicy: “npm install trojan —save,” “April Fools came early,” and “rotate ALL the secrets.” Behind the jokes, the advice is dead serious: downgrade, delete the planted dependency, rotate every token, and scan for traffic to the attacker’s server. The community both saved the day and demanded better locks on the door — loudly.
Key Points
- Two malicious Axios versions (1.14.1 and 0.30.4) were published to npm via a compromised maintainer account and were live for about three hours.
- The payload injected plain-crypto-js@4.2.1 as a dependency, which installed a RAT on macOS, Windows, and Linux.
- Remediation guidance: downgrade Axios to an unaffected release, delete node_modules/plain-crypto-js/, rotate all secrets, and check for connections to the published indicators of compromise (IoCs).
- Attackers gained access through targeted social engineering and RAT malware on the lead maintainer’s PC; devices are being wiped and credentials reset.
- Timeline shows rapid community detection, a PR by a collaborator to deprecate the versions, and removal of the malicious packages by 03:29 UTC on March 31; planned changes include OIDC-based publishing and immutable releases.