Axios Npm Supply-Chain Compromise Via Malicious Dependency

Issue 90 Edition 2026-03-31 5 min read

General

Sources: 1 • Confidence: High • Updated: 2026-04-01 03:38

Key takeaways

Axios versions 1.14.1 and 0.30.4 introduced a new dependency named plain-crypto-js.
The malware packages were published to npm without an accompanying GitHub release.
Using npm trusted publishing would restrict npm publishing so that only the Axios GitHub Actions workflows can publish releases.
The npm package plain-crypto-js was newly published malware that stole credentials and installed a remote access trojan (RAT).
The npm package Axios (an HTTP client) was targeted in a supply chain attack.

Axios versions 1.14.1 and 0.30.4 introduced a new dependency named plain-crypto-js.
The npm package plain-crypto-js was newly published malware that stole credentials and installed a remote access trojan (RAT).
The npm package Axios (an HTTP client) was targeted in a supply chain attack.

The malware packages were published to npm without an accompanying GitHub release.
A similar pattern of npm publication without an accompanying GitHub release was observed in the LiteLLM incident the prior week.

Using npm trusted publishing would restrict npm publishing so that only the Axios GitHub Actions workflows can publish releases.
Unauthorized publication of the malicious Axios versions may have been enabled by a leaked long-lived npm token.

Were Axios versions 1.14.1 and 0.30.4 widely installed in production environments before detection/remediation, and what was the actual blast radius?
What definitive evidence (e.g., npm audit logs, publisher identity, IP history) confirms or refutes the leaked long-lived token hypothesis?
What specific indicators of compromise (IOCs) and command-and-control behaviors were associated with plain-crypto-js, and how should defenders detect them?
What exact timeline (publish time, discovery time, removal/revocation time) applies to the malicious Axios versions and the plain-crypto-js package?
How reliable is the 'npm publish without GitHub release' heuristic across many packages (false positives/false negatives), beyond Axios and LiteLLM?

Renewed demand for software supply chain security controls focused on npm publishing and dependency monitoring, since a widely used JavaScript library release added a malicious dependency delivering credential theft and a RAT.
Increased attention to tooling or processes that compare npm publish events to GitHub releases as an anomaly heuristic, based on the mismatch noted in this incident and another recent one.
Greater adoption pressure for npm trusted publishing to reduce long lived token risk, since a leaked token is cited as a plausible root cause and trusted publishing would restrict who can publish.

Independent reporting or official disclosures that Axios 1.14.1 and 0.30.4 were widely deployed before remediation, indicating material blast radius and elevating priority for supply chain defenses.
Publication of a clear timeline and audit evidence covering npm publish, discovery, and token revocation, plus any confirmation of whether a long lived token was compromised.
Release of specific IOCs and described command and control behavior for plain-crypto-js that enables defenders to build detections, reinforcing the need for monitoring and incident response tooling.

Evidence that affected Axios versions had minimal real world installation or were quickly removed before meaningful exposure, reducing urgency and spend for new controls.
Conclusive proof that no publishing credentials were compromised and that process controls like trusted publishing would not have prevented the event, weakening the control adoption narrative.
Findings that the npm publish without GitHub release heuristic produces high false positives or misses major incidents, limiting its usefulness as a monitoring approach.