news
Microsoft NPM Causes Security Catastrophes, Microsoft Transmits Malware to Sites and More
-
Scoop News Group ☛ Attack on axios software developer tool threatens widespread compromises [Ed: NPM is Microsoft, so Microsoft transmits malware]
Axios is a JavaScript client library used in web requests. The unknown attacker hijacked the npm account — npm being a package manager for JavaScript — of the lead axios maintainer, and then published malicious versions of axios with remote access trojans to npm. That happened on Sunday night going into Monday morning, cybersecurity firm Huntress said, before the poisoned versions were pulled.
-
Hacker News ☛ Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
-
Dark Reading ☛ Axios NPM Package Compromised in Precision Attack
The Axios JavaScript NPM package was recently compromised, representing one of the highest impact supply chain attacks against the open source development ecosystem in recent months.
Axios is the most popular JavaScript HTTP client library and is downloaded more than 400 million times per month on NPM. Software development security vendor StepSecurity identified and reported yesterday that two malicious versions had been published to NPM: axios@1.14.1 and axios@0.30.4.
-
Silicon Angle ☛ Hackers compromise popular Axios Javascript library with hidden malware
The widely used Axios HTTP client library, a JavaScript component used by developers, was recently hacked to distribute malware via a compromised account. Attackers exploited a hijacked account on npm, a default package manager for Node.js, a tool that allows developers to share, install and manage JavaScript project code, to distribute the malicious software.
-
Step Security ☛ axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity
axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.
-
The Record ☛ Google links axios supply chain attack to North Korean group
On Monday evening, news emerged that hackers launched a supply chain attack targeting the HTTP client axios, which is downloaded 100 million times each week and embedded across frontend frameworks, backend services and enterprise applications.
Google Threat Intelligence Group (GTIG) joined several other researchers in attributing the attack to a North Korean threat actor they call UNC1069. SentinelOne found the same group using macOS-based malware in attacks dating back to 2023.
-
Cyble Inc ☛ Axios Supply Chain Attack Exposes Malicious Npm Packages
The attacker altered the account’s registered email to a ProtonMail address and used the npm CLI to publish the compromised packages. This bypassed the cryptographic protection typically enforced by trusted publishing workflows, making the malicious releases appear legitimate at first glance.
-
Simon Willison ☛ Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Supply Chain Attack on Axios Pulls Malicious Dependency from npm (via) Useful writeup of today's supply chain attack against Axios, the HTTP client NPM package with 101 million weekly downloads. Versions 1.14.1 and 0.30.4 both included a new dependency called plain-crypto-js which was freshly published malware, stealing credentials and installing a remote access trojan (RAT).
-
Andrew Nesbitt ☛ npm’s Defaults Are Bad
Yesterday the axios package was compromised on npm. An attacker hijacked a maintainer account, published two malicious versions that bundled a remote access trojan through a staged dependency called plain-crypto-js, and the versions were live for two to three hours before npm pulled them. Axios gets 83 million weekly downloads. This keeps happening over and over and over and the post-incident conversation always goes the same way: was the maintainer using MFA, should the registry have caught it faster, should people be running more scanners. None of that gets at why JavaScript keeps having these incidents at a rate no other ecosystem comes close to matching. The npm client’s defaults actively enable the attacks and have done for years.
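As an added defender-side illustration (not code from any of the articles linked above), the check below walks an npm v2/v3 package-lock.json for the two things these reports describe: a pin to one of the named malicious versions, and any dependency npm has flagged with hasInstallScript, the lockfile field set for packages that declare preinstall/install/postinstall hooks. It also reads an .npmrc for the ignore-scripts=true setting that turns off the install-script default the last post complains about. The sample lockfile and .npmrc contents are constructed.

```python
"""Audit an npm lockfile and .npmrc for the install-script risk seen in the
axios incident. Added example; not from any of the linked articles."""
import json

# Versions named in the reports above; everything else here is constructed.
KNOWN_BAD = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def audit_lockfile(lock: dict) -> list:
    """Return findings for a parsed lockfile v2/v3 dict.

    Check 1: a package pinned to a version listed in KNOWN_BAD.
    Check 2: a package carrying hasInstallScript, which npm sets when the
    dependency declares preinstall/install/postinstall scripts (the hook the
    plain-crypto-js dropper used)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # handles nested and @scoped
        version = meta.get("version", "")
        if version in KNOWN_BAD.get(name, set()):
            findings.append(f"KNOWN-BAD {name}@{version} at {path}")
        if meta.get("hasInstallScript"):
            findings.append(f"INSTALL-SCRIPT {name}@{version} at {path}")
    return findings


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc disables lifecycle scripts (ignore-scripts=true)."""
    for line in npmrc_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


# Constructed sample lockfile mirroring the shape of the malicious release
SAMPLE_LOCK = json.loads("""{
 "lockfileVersion": 3,
 "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/axios": {"version": "1.14.1",
                         "dependencies": {"plain-crypto-js": "4.2.1"}},
  "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true},
  "node_modules/example-dep": {"version": "2.0.0"}
 }
}""")

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
    print("ignore-scripts set:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```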
-
Silicon Angle ☛ Anthropic accidentally exposes Claude Code source code in npm packaging error
Anthropic PBC has accidentally exposed the source code for its Claude Code command-line interface tool through a packaging error that led to the inclusion of sensitive files in a publicly distributed node package manager or npm release.