Malicious Axios NPM Versions Deploy RAT via Supply Chain Attack, Threatening Millions of JavaScript Projects
What Happened — On March 31, 2026, two compromised versions of the popular Axios npm package (v1.14.1 and v0.30.4) were published. The packages contained a malicious post‑install dependency that fetched and executed a platform‑specific remote‑access trojan on Linux, macOS, and Windows systems.
Why It Matters for TPRM —
- Supply‑chain compromise can cascade to any downstream application that consumes the library, amplifying risk across multiple business units.
- The delivered RAT exfiltrates credentials and enables further lateral movement, jeopardizing the confidentiality and integrity of third‑party data.
- Rapid adoption of open‑source components makes detection difficult; organizations must verify their software bill of materials (SBOM) and enforce strict version controls.
Who Is Affected — Technology SaaS providers, financial services platforms, e‑commerce sites, healthcare applications, and virtually any organization that incorporates JavaScript HTTP clients.
Recommended Actions —
- Immediately audit all environments for the malicious Axios versions and roll back to v1.14.0 or v0.30.3.
- Conduct a forensic review of any systems that installed the compromised packages for additional payloads or credential theft.
- Rotate all credentials that may have been exposed and enforce least‑privilege access controls.
- Strengthen SBOM governance and implement automated alerts for unexpected npm version changes.
Technical Notes — The attack leveraged a malicious runtime dependency (plain-crypto-js) that executed automatically during npm install. Payloads: a macOS binary (com.apple.act.mond), a Windows PowerShell script (wt.exe), and a Linux Python backdoor, all delivering a remote‑access trojan. Indicators of compromise include IP 142.11.206.73 and associated domains. Source: Cisco Talos Intelligence