07.06.2026
Axios: What Happened with  in March 2026?

Key moments

On March 31, 2026, the widely used Axios npm package was compromised in a significant supply chain attack. The incident raised alarms across the software development community: Axios sees roughly 300 million weekly downloads, which makes it a critical component in a very large number of projects and build pipelines.

The attack was executed between 00:21 and 03:30 UTC. In that window two malicious versions of Axios (their version numbers are not preserved in this text) were published from a compromised maintainer account. Each added a dependency on a newly published malicious package whose postinstall script installed a Remote Access Trojan (RAT). Because npm runs a dependency's install-time lifecycle scripts automatically during `npm install` unless scripts are disabled, simply installing one of the new Axios versions was enough to execute the payload and give the attacker access to the host.

The malicious versions were available for roughly three hours before npm removed them from the registry. Given that the affected packages account for on the order of 100 million weekly downloads, any developer workstation or CI/CD pipeline that resolved a fresh install of Axios in that window could have pulled a malicious version and run its postinstall payload. Installs that always resolve to the newest matching version, as unpinned version ranges and lockfile-free builds do, are what turn a three-hour window into that exposure.

The impact of this attack is still being assessed, with uncertainty about the exact number of systems affected and the full extent of the damage to downstream dependents. Developers are advised to apply a cooldown: do not install newly published package versions until they have been public for at least 72 hours, which is long enough for a compromised release to be noticed and pulled, as happened here within about three hours.

This incident follows a growing trend of attackers targeting software supply chains by injecting a malicious transitive dependency into a package that people already trust. Ilkka Turunen, a security expert, commented on the situation, stating, “Attackers have figured out they don’t need to compromise the code people trust if they can compromise the trust around it.” The attackers did not need a bug in Axios: a compromised maintainer account let them publish versions that pulled in a malicious dependency, and every installer trusted those versions as it would any other release.

Turunen further emphasized the gravity of the situation, noting, “When a widely trusted package can be turned into a delivery path like this, the issue is bigger than package hygiene. It’s a trust problem in the software supply chain.” This underscores the need for enhanced security measures and vigilance in the development community.

As developers and organizations continue to navigate the aftermath of this attack, the focus remains on strengthening security protocols and ensuring that similar incidents do not occur in the future. Details remain unconfirmed regarding the full scope of the damage and the number of systems compromised, but the ramifications of this attack will likely be felt for some time.