Supply Chain Compromise of Axios NPM Packages Injects Remote Access Trojan via Malicious Dependency
What Happened – On March 31, 2026 two compromised versions of the popular Axios HTTP client (axios@1.14.1 and axios@0.30.4) were published to npm. The packages bundled a malicious dependency, plain-crypto-js@4.2.1, which downloads multi‑stage payloads and installs a remote‑access trojan on any system that runs npm install or npm update.
Why It Matters for TPRM –
- Third‑party libraries are a common attack surface; a compromised dependency can compromise the entire software supply chain.
- Credential stores, CI/CD secrets, and cloud keys are at risk when malicious code runs on developer machines or build pipelines.
- The incident demonstrates the need for continuous monitoring of open‑source components and strict version‑pinning policies.
Who Is Affected – Organizations that develop or deploy JavaScript/Node.js applications, especially those in Technology/SaaS, Financial Services, Healthcare, and any sector that relies on npm packages.
Recommended Actions –
- Scan code repositories, CI/CD pipelines, and developer workstations for the affected Axios versions.
- Revert to safe releases (axios@1.14.0 or axios@0.30.3) and delete the plain-crypto-js directory.
- Rotate all potentially exposed credentials (VCS tokens, CI/CD secrets, cloud keys, npm tokens, SSH keys).
- Harden npm configurations (ignore-scripts=true, min-release-age=7) and enforce MFA for developer accounts.
Technical Notes – The attack vector was a third‑party dependency injection via the npm registry. No public CVE was assigned, but the malicious package executed a remote‑access trojan and could exfiltrate credentials. Source: CISA Advisory – Supply Chain Compromise Impacts Axios Node Package Manager