Executive Summary
In late March 2026, attackers compromised the npm account of Axios's lead maintainer, publishing malicious versions 1.14.1 and 0.30.4 of the widely-used JavaScript HTTP client library. These versions included a hidden dependency, 'plain-crypto-js@4.2.1', which executed a post-install script to deploy a cross-platform Remote Access Trojan (RAT) targeting Windows, macOS, and Linux systems. The RAT connected to a command-and-control server to download platform-specific payloads, granting attackers remote control over infected machines. The malicious packages were available for approximately three hours before removal, during which they were downloaded and potentially installed by numerous developers and CI/CD pipelines. (microsoft.com)
This incident underscores the escalating threat of supply chain attacks, particularly those targeting widely-used open-source libraries. The rapid deployment and sophisticated nature of the attack highlight the need for enhanced security measures in software development pipelines, including stringent access controls, continuous monitoring, and prompt incident response capabilities. (infoq.com)
Why This Matters Now
The Axios supply chain attack exemplifies the increasing sophistication and frequency of threats targeting open-source ecosystems. As developers and organizations heavily rely on such libraries, ensuring the integrity of these components is paramount to prevent widespread compromise and maintain trust in software supply chains.
Attack Path Analysis
The attack began with the compromise of the Axios npm package maintainer's account, allowing the attacker to publish malicious versions of the library. These versions included a hidden dependency that executed a post-installation script to deploy a cross-platform remote access trojan (RAT) on systems where the package was installed. The RAT established command and control channels, enabling the attacker to execute arbitrary commands and exfiltrate sensitive data from compromised systems. The attack was detected and mitigated within a few hours, but the widespread use of Axios meant that numerous systems were potentially affected during that window.
Kill Chain Progression
Initial Compromise
Description
The attacker gained access to the Axios npm package maintainer's account and published malicious versions of the library.
Related CVEs
CVE-2026-40175
CVSS 9.8Malicious versions of the Axios npm package (1.14.1 and 0.30.4) included a trojan-laden dependency that executed a post-install script, deploying a cross-platform Remote Access Trojan (RAT) upon installation.
Affected Products:
Axios Axios npm package – 1.14.1, 0.30.4
Exploit Status:
exploited in the wildReferences:
https://www.tomshardware.com/tech-industry/cyber-security/axios-npm-package-compromised-in-supply-chain-attack-that-deployed-a-cross-platform-rathttps://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/https://www.infoq.com/news/2026/04/axios-supply-chain/
MITRE ATT&CK® Techniques
Compromise Software Dependencies and Development Tools
User Execution: Malicious Library
Command and Scripting Interpreter: JavaScript
Process Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and firmware
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA ZTMM 2.0 – Implement Supply Chain Risk Management
Control ID: Supply Chain Security
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Supply chain attacks targeting JavaScript libraries directly threaten government systems using open-source frameworks, requiring AI-powered security operations for real-time detection.
Computer Software/Engineering
Axios compromise demonstrates critical vulnerability in JavaScript supply chains with 100M weekly downloads, necessitating enhanced egress security and anomaly detection capabilities.
Financial Services
Banking systems using compromised open-source packages face lateral movement risks and data exfiltration threats, requiring zero trust segmentation and encrypted traffic monitoring.
Information Technology/IT
IT infrastructure dependent on JavaScript frameworks vulnerable to nation-state supply chain attacks, demanding multicloud visibility and kubernetes security for container environments.
Sources
- Why the Axios attack proves AI is mandatory for supply chain securityhttps://cyberscoop.com/ai-powered-security-operations-axios-supply-chain-attack/Verified
- One of JavaScript's most popular libraries compromised by hackers - Axios npm package hit in supply chain attack that deployed a cross-platform RAThttps://www.tomshardware.com/tech-industry/cyber-security/axios-npm-package-compromised-in-supply-chain-attack-that-deployed-a-cross-platform-ratVerified
- Mitigating the Axios npm supply chain compromise | Microsoft Security Bloghttps://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/Verified
- Axios npm Package Compromised in Supply Chain Attack - InfoQhttps://www.infoq.com/news/2026/04/axios-supply-chain/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to deploy malicious packages may have been constrained by enforcing strict access controls and monitoring within the development environment.
Control: Zero Trust Segmentation
Mitigation: The execution of unauthorized scripts may have been limited by enforcing strict segmentation policies that restrict inter-process communications.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could have been restricted by enforcing east-west traffic controls that limit unauthorized inter-system communications.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted by maintaining comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The unauthorized data exfiltration could have been constrained by enforcing strict egress policies that monitor and control outbound data flows.
The overall impact of the attack could have been reduced by limiting the blast radius through strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Application Security
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive credentials, including cloud access keys, database passwords, and API tokens.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to limit the blast radius of potential supply chain attacks.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to malicious activities promptly.
- • Utilize Multicloud Visibility & Control to monitor and manage security across diverse cloud environments.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Regularly audit and secure developer accounts and package repositories to prevent unauthorized access.
