Axios Supply Chain Attack 2026: How to Check If You're Affected (And Fix It)
The Axios npm supply chain attack in March 2026 was not opportunistic. Security researchers at Halborn documented how attackers staged malicious versions 18 hours before publishing them, prepared three separate payloads for Windows, macOS, and Linux simultaneously, and ensured every trace would self-destruct after execution. The attackers compromised a long-lived npm access token belonging to the account managing the axios package, then published axios@1.14.1 and axios@0.30.4 within 39 minutes of each other. Google Threat Intelligence Group later attributed the attack to UNC1069, a North Korea-nexus threat actor.
If your project uses Axios, you need to audit your dependencies right now. This guide walks you through exactly how to check if you are affected and how to remediate if you are.
Understanding What Happened
Axios is one of the most widely used HTTP client libraries in the JavaScript ecosystem. It appears in frontend frameworks, backend services, and enterprise applications. It is downloaded more than 83 million times every single week. When attackers compromise a package this popular, the blast radius is enormous.
The malicious versions contained a remote access trojan designed to provide unauthorized system access to anyone who installed them. The sophistication of the attack suggests this was not a casual exploit but a targeted operation with clear objectives.
How to Check If You Are Affected
Auditing your dependencies is straightforward. You do not need specialist security knowledge. Open your terminal and run the following commands.
Step 1: Check Your Installed Versions
Run this command in your project root to see every installed version of axios:
npm ls axios
Look carefully at the output. The malicious versions are:
- axios@1.14.1
- axios@0.30.4
If you see either of these versions listed, you are affected and should treat your development environment as potentially compromised.
Step 2: Verify With Your Package Lock
Your package-lock.json or yarn.lock file records the exact versions installed. Open it and search for "axios". Check whether the resolved version matches either malicious version. This confirms whether the problematic package actually reached your node_modules.
Step 3: Check for plain-crypto-js
Researchers at SOCRadar identified that the attackers published plain-crypto-js@4.2.1 as a decoy package one day before the attack, updating it to contain the RAT the following day. Check if this package exists in your project:
npm ls plain-crypto-js
If you see plain-crypto-js in your dependencies and you did not deliberately install it, treat this as an additional indicator of compromise.
Step 4: Audit Your npm Tokens
Go to your npm account settings and review your access tokens. Look for tokens with broad permissions, particularly any that can publish packages. The axios attack succeeded because a long-lived token with publishing access was compromised.
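Steps 1 to 3 can be automated. The following is an added example (not code from the original article or from the axios project) that scans the lockfiles the steps tell you to open for the indicators listed above: the two axios versions, and plain-crypto-js at any version. It handles package-lock.json version 1 (nested "dependencies"), versions 2 and 3 ("packages" keyed by node_modules path, so nested copies of axios under another package are found too) and yarn.lock in both the classic and Berry text formats. The function names, the INDICATORS table and the sample lockfiles are mine; the sample inputs are constructed, not taken from any real project.

```javascript
// Added example, not code from the original article: scan lockfiles for the
// indicators the article lists. Handles package-lock.json v1 (nested
// "dependencies"), v2/v3 ("packages" keyed by node_modules path) and
// yarn.lock (classic and Berry text formats).

const INDICATORS = {
  // package -> versions the article names as malicious
  axios: new Set(['1.14.1', '0.30.4']),
  // null = flag any version; the article says this package should not be
  // present unless you installed it deliberately
  'plain-crypto-js': null,
};

function isIndicator(name, version) {
  if (!Object.prototype.hasOwnProperty.call(INDICATORS, name)) return false;
  const versions = INDICATORS[name];
  return versions === null || versions.has(version);
}

// Package name from a v2/v3 "packages" key such as
// "node_modules/legacy-tool/node_modules/@scope/pkg".
function nameFromPath(path, entry) {
  if (entry.name) return entry.name;
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function scanPackageLock(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map; "" is the root project itself
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const name = nameFromPath(path, entry);
      if (isIndicator(name, entry.version)) hits.push({ path, name, version: entry.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isIndicator(name, entry.version)) hits.push({ path, name, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function scanYarnLock(text) {
  const hits = [];
  let names = [];
  for (const line of text.split('\n')) {
    const header = line.match(/^([^\s#].*):\s*$/); // e.g. axios@^1.14.0, axios@~1.14.0:
    if (header) {
      names = [...new Set(header[1].split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        const at = spec.lastIndexOf('@'); // keeps a leading "@scope/" intact
        return at > 0 ? spec.slice(0, at) : spec;
      }))];
      continue;
    }
    // classic: version "1.14.1"   Berry: version: 1.14.1
    const ver = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (ver) {
      for (const name of names) {
        if (isIndicator(name, ver[1])) hits.push({ path: `yarn.lock:${name}`, name, version: ver[1] });
      }
    }
  }
  return hits;
}

// Constructed sample inputs (not real lockfiles from any project).
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/legacy-tool/node_modules/axios': { version: '0.30.3' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-tool': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
    'plain-crypto-js': { version: '4.2.1' },
  },
};

const SAMPLE_YARN_LOCK = `# constructed sample
"@babel/core@^7.0.0":
  version "7.23.0"
axios@^1.14.0, axios@~1.14.0:
  version "1.14.1"
plain-crypto-js@^4.2.1:
  version "4.2.1"
`;

if (typeof require !== 'undefined' && require.main === module) {
  const all = [...scanPackageLock(SAMPLE_LOCK_V3), ...scanPackageLock(SAMPLE_LOCK_V1), ...scanYarnLock(SAMPLE_YARN_LOCK)];
  for (const hit of all) console.log(`AFFECTED ${hit.path} -> ${hit.name}@${hit.version}`);
}
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and `fs.readFileSync('yarn.lock', 'utf8')`. Any hit means the malicious package reached your resolved dependency tree, even if it only appears as a transitive dependency under another package, which `npm ls axios` also shows but is easy to miss by eye.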
| Version | Status | Action Required |
|---|---|---|
| axios@1.14.1 | Malicious | Remove immediately |
| axios@0.30.4 | Malicious | Remove immediately |
| axios@1.14.0 | Safe | No action needed |
| axios@0.30.3 | Safe | No action needed |
| axios@1.6.0 and below | Safe | Consider updating for latest features |
Timeline of the Attack
Understanding when things happened helps you determine exposure windows.
Axios Vulnerability Timeline
The chart above shows the sequence of events. On March 29, the attackers published plain-crypto-js@4.2.1 as a seemingly legitimate package. On March 30, they updated it with malicious code. On the morning of March 31, they compromised the npm account. By that evening, the two malicious axios versions were live on npm.
How to Remediate If You Are Affected
If you discovered malicious versions in your project, you need to act in a specific order.
Step 1: Disconnect Compromised Systems
If you installed axios@1.14.1 or axios@0.30.4 on a machine with access to production systems, databases, or sensitive credentials, assume that access may have been exposed. Immediately revoke any active sessions, API keys, and tokens on that system. Change passwords for any services accessible from that machine.
Step 2: Remove the Malicious Package
Run the following commands to remove the compromised versions and reinstall safe versions:
npm uninstall axios
rm -rf node_modules
npm install axios@1.14.0
Alternatively, for yarn users:
yarn remove axios
yarn add axios@1.14.0
If you are using pnpm:
pnpm remove axios
pnpm add axios@1.14.0
Step 3: Audit Your System for IOCs
Indicators of compromise include unexpected network connections, new scheduled tasks, or unusual processes running on your machine. Check your system's network connections for traffic to suspicious domains. The attackers used self-destructing payloads, which means forensic evidence may be limited, but it is worth reviewing your logs for anything unusual around March 31.
Step 4: Rotate All Secrets
Given that the RAT was designed to provide unauthorized access, treat any credentials accessible from your development environment as potentially compromised. This includes database passwords, API keys, cloud credentials, and any secrets stored in environment variables on the affected machine.
Step 5: Review Plain-Crypto-JS Dependencies
Search your codebase for any references to plain-crypto-js or similar crypto utility packages you did not deliberately install. Remove any you find:
npm uninstall plain-crypto-js
Preventing Future Supply Chain Attacks
The axios attack was sophisticated, but there are practical steps you can take to reduce your exposure to supply chain vulnerabilities.
Lock Your Dependency Versions
Always commit your package-lock.json or yarn.lock file. These files lock your dependencies to specific versions, preventing automatic installation of newer releases that might be compromised. When you need to update, do it deliberately and review the changelog.
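The reason the lock file protects you is that the range in package.json is usually floating: "^1.14.0" is satisfied by 1.14.1, and "~0.30.3" by 0.30.4, so a fresh install with no lock file would have resolved to the malicious release. The following added example (mine, not code from the original article or from npm) makes that concrete. It implements the common semver range forms (exact, caret, tilde, "*", and space-separated comparators such as ">=1.0.0 <2.0.0"), reports which of the listed malicious versions a declared range would admit, and shows what a version 2 or 3 package-lock.json pins instead. The MALICIOUS table, the function names and the sample package.json and lockfile are my own constructed inputs.

```javascript
// Added example, not code from the original article: why committing the
// lockfile matters. A floating range in package.json is satisfied by the
// malicious versions the article lists, so `npm install` without a lockfile
// would resolve to them; the lockfile keeps the exact recorded version.
// Handles the common range forms only: exact, ^, ~, *, and space-separated
// comparators such as ">=1.0.0 <2.0.0". Anything else throws.

const MALICIOUS = { axios: ['1.14.1', '0.30.4'] }; // versions named in the article

function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version or range: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does the declared range admit this version?
function satisfies(version, range) {
  const v = parse(version);
  const r = range.trim();
  if (r === '' || r === '*' || r === 'x') return true;
  if (r.startsWith('^')) {
    // caret: the leftmost non-zero component may not change
    const lo = parse(r.slice(1));
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
             : lo[1] > 0 ? [0, lo[1] + 1, 0]
             : [0, 0, lo[2] + 1];
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  if (r.startsWith('~')) {
    // tilde: patch-level changes only
    const lo = parse(r.slice(1));
    return cmp(v, lo) >= 0 && cmp(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  return r.split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const d = cmp(v, parse(m[2]));
    switch (m[1]) {
      case '>=': return d >= 0;
      case '<=': return d <= 0;
      case '>': return d > 0;
      case '<': return d < 0;
      default: return d === 0; // "=1.2.3" or bare "1.2.3": exact pin
    }
  });
}

// For each dependency with known-bad versions: which bad versions the declared
// range would admit, and what the lockfile (v2/v3 "packages" map) pins instead.
function exposure(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const report = [];
  for (const [name, bad] of Object.entries(MALICIOUS)) {
    if (!(name in declared)) continue;
    const range = declared[name];
    const pinned = lock && lock.packages && lock.packages[`node_modules/${name}`];
    report.push({
      name,
      range,
      admits: bad.filter((b) => satisfies(b, range)),
      locked: pinned ? pinned.version : null,
    });
  }
  return report;
}

// Constructed sample inputs, not from any real project.
const SAMPLE_PACKAGE_JSON = { dependencies: { axios: '^1.14.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { '': {}, 'node_modules/axios': { version: '1.14.0' } },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of exposure(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
    console.log(`${r.name} "${r.range}" admits [${r.admits}]; lockfile pins ${r.locked ?? 'nothing'}`);
  }
}
```

With the sample inputs the report says that "^1.14.0" admits 1.14.1 while the lockfile pins 1.14.0: the lockfile, not the range, is what kept a pinned project on the safe version. In CI, install with `npm ci` rather than `npm install`, because `npm ci` installs exactly what the lockfile records and fails if the lockfile and package.json disagree.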
Use npm audit and Snyk
Run npm audit regularly as part of your development workflow:
npm audit
Consider integrating Snyk or similar dependency scanning tools into your CI pipeline. These tools can automatically flag known vulnerabilities and malicious packages before they reach production.
Implement Token Scoping
When creating npm tokens for CI/CD pipelines, scope them to specific packages with limited permissions. Avoid generating tokens with broad package publishing access unless absolutely necessary. Regularly rotate your tokens and remove any that are no longer needed.
Pin GitHub Actions Versions
If you use GitHub Actions to install npm packages, pin your action versions to specific commits rather than using floating version tags. This prevents your CI pipeline from automatically pulling compromised actions.
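As an added example (mine, not code from the original article or from GitHub), here is a small lint over a workflow file for the two points just made: a `uses:` reference that names a branch or tag (floating) rather than a full 40-character commit SHA, and a `run:` step that calls `npm install` where `npm ci` would install exactly what the committed lock file records. The function name, the finding kinds and the sample workflow are my own; the SHA in the sample is a constructed placeholder, not a real commit.

```javascript
// Added example, not code from the original article or any GitHub tooling:
// lint a workflow for floating `uses:` refs and for `npm install` in CI.
// Only single-line `run:` steps are inspected; a `run: |` block is not parsed.

const SHA_RE = /^[0-9a-f]{40}$/;

function lintWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim(); // drop trailing "# v4" style comments
    const uses = line.match(/^-?\s*uses:\s*['"]?([^'"\s]+)/);
    if (uses) {
      const ref = uses[1];
      if (ref.startsWith('./') || ref.startsWith('docker://')) return; // local action or image
      const at = ref.lastIndexOf('@');
      if (at === -1) {
        findings.push({ line: i + 1, kind: 'unversioned', ref });
      } else if (!SHA_RE.test(ref.slice(at + 1))) {
        findings.push({ line: i + 1, kind: 'floating-ref', ref }); // tag or branch, can move
      }
      return;
    }
    const run = line.match(/^-?\s*run:\s*(.+)$/);
    if (run && /\bnpm\s+install\b/.test(run[1])) {
      findings.push({ line: i + 1, kind: 'npm-install-not-ci', ref: run[1] });
    }
  });
  return findings;
}

// Constructed sample workflow. The SHA is a placeholder, not a real commit.
const PINNED_SHA = '0123456789abcdef0123456789abcdef01234567';
const SAMPLE_WORKFLOW = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@${PINNED_SHA} # v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-setup
      - run: npm install
      - run: npm ci
      - run: npm audit
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of lintWorkflow(SAMPLE_WORKFLOW)) {
    console.log(`line ${f.line}: ${f.kind}: ${f.ref}`);
  }
}
```

On the sample it reports line 7 (`actions/checkout@v4`, a tag that the action's maintainers can move) and line 12 (`npm install`); the SHA-pinned setup-node step, the local action and the `npm ci` step pass. Keep the version comment after a pinned SHA so reviewers can still see what the commit corresponds to.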
Weekly Download Impact Analysis
The scale of the axios ecosystem means this attack had massive potential reach.
Axios dominates the HTTP client space with 83 million weekly downloads, more than six times its nearest competitor. This is why attackers target it. The bigger the package, the larger the potential victim pool.
What This Means for Your Business
Supply chain attacks are becoming more sophisticated. The axios incident followed similar patterns to the React2Shell vulnerability that rattled the developer community earlier in 2026. Attackers increasingly target shared infrastructure because compromising a single widely-used package gives them access to thousands of applications simultaneously.
If you are a business owner relying on web developers or agencies to manage your digital presence, this incident reinforces why you need partners who take dependency security seriously. At GOOBLR, we treat package auditing as part of our standard maintenance process. We do not just build websites and leave you exposed.
You can read more about how security vulnerabilities in web frameworks are handled in our guide on React vulnerabilities in 2026. The pattern is consistent across the ecosystem: open source software is broadly safe, but individual incidents require rapid response.
Quick Reference: What to Do Right Now
If you only remember three things from this guide, make them these:
- Run npm ls axios and check you are not on versions 1.14.1 or 0.30.4
- If affected, remove the package immediately with npm uninstall axios, then reinstall the latest safe version
- Rotate any secrets or credentials that were accessible from your development environment since March 31, 2026
The axios team responded quickly once the compromise was identified. By April 1, the malicious versions had been removed from npm. But npm retains the package metadata, which means the malicious versions are still visible in historical data. If you pinned your dependencies to specific versions using your lock file, you would have been protected from automatically receiving the compromised release.
Security is not a one-time fix. It is an ongoing practice. Audit your dependencies regularly, keep your lock files committed and updated, and rotate tokens frequently. The attackers are patient and sophisticated. Your defenses need to match that level of attention.
If you are unsure whether your business systems were affected by this or any other supply chain vulnerability, get in touch with our team. We offer security audits as part of our ongoing maintenance packages, and we would rather spend an hour checking your systems than see you compromised.