Axios npm Supply Chain Attack: 101M Weekly Downloads Hit

The npm package Axios — downloaded 101 million times every week and embedded in countless JavaScript apps worldwide — was silently poisoned on April 1, 2026. Two versions (1.14.1 and 0.30.4) were injected with credential-stealing malware (software that copies your passwords and sends them to attackers) through a leaked deployment token. This is the second major supply chain attack in a single week: the exact same attack signature hit the LiteLLM Python library just days prior.

If your project installed either compromised version — especially inside an automated build system — treat every password and API key that machine had access to as potentially stolen.

How the npm Supply Chain Attack Compromised 101 Million Downloads

Axios is the go-to HTTP client for JavaScript (the library most web apps use to fetch data from a server or external API). With 101 million weekly downloads, it ranks among the top 10 most-downloaded packages on the entire npm registry (npm stands for Node Package Manager — think of it as the app store for JavaScript code that developers install into their projects).

The attacker didn't break into Axios's GitHub repository. Instead, they used a leaked long-lived npm token — a permanent password-equivalent that grants unlimited rights to publish new package versions — to push two malicious updates directly to the registry:

• Version 1.14.1 — presented as a routine minor patch (the kind automated build systems accept without human review)
• Version 0.30.4 — targeting developers still pinned to the older 0.x branch

Both versions silently added a hidden dependency named plain-crypto-js. The name mimics a legitimate cryptography utility — exactly what you'd expect to find in a security-adjacent library. That camouflage was intentional.

The npm Detection Signal That Exposed the Supply Chain Attack

Security researchers at Socket.dev caught the attack through a now-familiar fingerprint: the compromised Axios versions appeared on npm with no corresponding GitHub release.

In any legitimate open-source release, a new npm version is always paired with a tagged GitHub commit, a changelog entry, and often CI logs (automated records from the system that builds and tests code before publishing). Attackers who bypass the normal developer workflow skip all of this. The package exists on npm — but the GitHub source code doesn't reflect it.

This was the exact same detection signal in the LiteLLM Python package attack the previous week. Two attacks, two ecosystems, same method, 7 days apart. Security researchers now believe this is a repeatable playbook: find high-download packages with stolen long-lived tokens, publish malware, leave no GitHub trail.

Package	Weekly Downloads	Attack Method	Detection Signal
Axios (JavaScript)	101 million	Leaked npm token	No GitHub release
LiteLLM (Python)	Not disclosed	Similar supply chain	No GitHub release

What plain-crypto-js Does Once It's Running

The malicious payload pursues two objectives simultaneously from the moment it executes:

• Credential harvesting: Scans the local environment for stored tokens, API keys, session cookies, database passwords, and .env files (plain text files that developers use to store passwords separately from their code). These are exfiltrated — silently copied and sent — to attacker-controlled servers.
• Remote access trojan (RAT): Establishes a persistent backdoor, meaning a hidden connection that lets attackers log back into your machine later — even after the malicious package version has been removed — if the infection ran during the exposure window.

For developers with CI/CD pipelines (automated systems that build, test, and deploy code to production servers), the blast radius is severe. These systems typically hold cloud credentials (AWS keys, GitHub tokens), database connection strings, and deployment passwords. Any machine that installed the compromised Axios version may have silently surrendered all of that.

3-Step Triage: Check Your Projects Right Now

The attack is version-specific. Here's how to check and respond:

# Step 1: Check your installed Axios version
cat package-lock.json | grep -A 3 '"axios"'
# Yarn users:
grep "axios@" yarn.lock

# COMPROMISED — do not use:
# axios@1.14.1
# axios@0.30.4

# Step 2: Upgrade immediately if compromised
npm install axios@latest

# Step 3: If the compromised version ran inside CI/CD,
# rotate ALL credentials that build system had access to:
# - npm publish tokens
# - Cloud provider keys (AWS, GCP, Azure)
# - Database passwords
# - GitHub Personal Access Tokens
# - Any API key stored in environment variables

Step 3 is non-negotiable if your automated build system was affected. Updating the package does not undo a credential theft. A stolen-but-unchanged password is still a stolen password.

The Structural Fix: Trusted Publishing Eliminates the Root Cause

The Axios maintainers' formal recommendation goes beyond patching this incident — it targets the underlying vulnerability: replace long-lived npm tokens with trusted publishing via GitHub Actions.

A long-lived token is a permanent credential with no expiry date. If it leaks — through a phishing email, a compromised developer laptop, or an accidentally committed .env file — an attacker has unlimited publish access until someone manually revokes it. In practice, these tokens are often forgotten entirely.

Trusted publishing generates a short-lived token for each specific publish event, valid only during that 2-minute CI workflow run. There's no permanent secret to steal:

# .github/workflows/publish.yml — trusted publishing setup
name: Publish to npm
on:
  push:
    tags:
      - 'v*'           # Only triggers on version tags (e.g. v1.14.2)
permissions:
  id-token: write      # Enables short-lived OIDC token generation
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

The --provenance flag creates a cryptographic signature (a tamper-evident seal) that links the published npm package to the exact GitHub commit that produced it. Any package pushed outside this workflow lacks the seal — making the attack detectable automatically, not just by alert researchers manually watching for missing release tags.

Two npm Supply Chain Attacks in One Week: Open-Source Trust Is Being Tested

Two supply chain attacks, 7 days apart, targeting JavaScript and Python ecosystems with identical methods — this is not coincidence. It's an emerging playbook that exploits the gap between who appears to have published a package and who actually had the keys to do it.

The open-source model depends entirely on that trust being intact. Axios has 101 million weekly downloads because developers trust that the code published to npm matches what's reviewed on GitHub. Long-lived tokens break that assumption silently — no breach notification, no audit trail, no warning to downstream users.

Georgi Gerganov, creator of the llama.cpp local AI inference engine, recently described a parallel fragility in AI model deployment: "There is a long chain of components that are not only fragile — they are also developed by different parties." The Axios attack is that same principle applied to package registries: 1 compromised link in a chain of 100 dependencies is enough to expose every system downstream.

"Good code is cheaper to generate and maintain. Competition is high between the AI models right now, and the ones that win will help developers ship reliable features fastest, which requires simple, maintainable code. Good code will prevail — not only because we want it to, but because economic forces demand it."

— Soohoon Choi, Greptile — on why AI code quality will self-correct through market pressure

That economic logic assumes the delivery infrastructure is trustworthy. If you want to stay ahead of this pattern, set up automated supply chain scanning on your projects today, and read our trusted publishing setup guide to close this vulnerability on any packages you maintain. The window between a leaked token and a caught attack is now measured in hours — manual vigilance alone won't cut it.

Related Content — Get Started | Guides | More News