UPDATED 11:25 EDT / MARCH 31 2026

SECURITY

Hackers compromise popular Axios JavaScript library with hidden malware

The widely used Axios HTTP client library, a JavaScript component used by developers, was recently hacked to distribute malware via a compromised account.

Attackers used a hijacked account on npm, the default package manager for Node.js, to distribute the malicious software. npm is the tool developers use to share, install and manage JavaScript project code.

According to security researchers at Step Security Inc., the attack affected two packages and installed a remote access trojan, or RAT, which allows a third party to take control of a computer. The software could take control of Windows, macOS and Linux operating systems.

“This was not opportunistic. It was precision,” Step Security co-founder and Chief Technology Officer Ashish Kurmi said. “The malicious dependency was staged 18 hours in advance. Three payloads were prebuilt for three operating systems. Both release branches were poisoned within 39 minutes of each other. Every artifact was designed to self-destruct.”

Axios is an extremely popular library that sees almost 300 million downloads every week. Developers rely on it to exchange requests between applications and web services. It’s used in everything from front-end apps to back-end systems, making it ubiquitous.

According to researchers, attackers began their attack on March 30 after compromising the account of the primary Axios maintainer, “jasonsaayman,” which allowed them to bypass the main security checks on GitHub. The attackers then swapped the email attached to the library with an anonymous Proton Mail address under their control.

“There are zero lines of malicious code inside Axios itself, and that’s exactly what makes this attack so dangerous,” Kurmi added.

Instead of being the malicious payload, Axios becomes an installer that deletes itself. On macOS, it camouflages itself as a system daemon; on Windows, it poses as part of PowerShell; and on Linux, it uses a Python script backdoor.

Although the compromise was discovered quickly, it was not quick enough to prevent developers from downloading the infected libraries. Security professionals are urging developers to take swift action to check and update the versions they currently have installed, and to respond if they have been compromised.

“We are already seeing active exploitation,” Huntress Labs Inc. Senior Principal Security Researcher John Hammond told SiliconANGLE. “Any environment that installed axios@1.14.1 or axios@0.30.4 should be treated as compromised. Organizations must immediately audit their dependencies, downgrade to verified safe versions, rotate all credentials accessible during installation and scan for malware artifacts specific to each operating system.”
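As a starting point for the dependency audit described above, the following added example (not code from the article, Step Security or Huntress) checks a parsed npm `package-lock.json` for the two Axios versions named in the quote, including nested and aliased copies. The function name and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag lockfile entries that resolve to the Axios versions named in the article.
// The two version strings come from the article; everything else here is constructed.
const COMPROMISED = new Map([['axios', new Set(['1.14.1', '0.30.4'])]]);

// Walk a parsed package-lock.json (v1 "dependencies" tree or v2/v3 "packages" map)
// and return every location where a listed version is pinned.
function findCompromised(lock, bad = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (bad.get(name)?.has(version)) hits.push({ name, version, where });
  };
  // lockfileVersion 2/3: flat map keyed by install path, so nested copies show up directly.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const i = path.lastIndexOf('node_modules/');
    // "name" is present when the folder name differs from the package (npm aliases).
    const name = entry.name || (i >= 0 ? path.slice(i + 'node_modules/'.length) : path);
    check(name, entry.version, path);
  }
  // lockfileVersion 1: nested tree; recurse so transitive copies are not missed.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, trail.concat(name).join(' > '));
      walk(entry.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; package names other than axios are hypothetical,
// and the unflagged version is not a statement about which releases are safe.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.13.0' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.4' },
    'node_modules/http-alias': { name: 'axios', version: '1.14.1' },
  },
};

console.log(findCompromised(sampleLock));
```

A clean result only shows what the lockfile pins today; it does not show whether an affected version was installed earlier on a developer machine or CI runner.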

The compromise of Axios represents what cybersecurity researchers call a “supply chain attack.” These profoundly insidious attacks happen when hostile parties target less-than-secure third-party vendors, suppliers or software dependencies instead of trying to hit a well-defended target directly, as in this case, where attackers inject malicious code into trusted software or updates.

A report from Cybersecurity Ventures estimated that supply chain attacks cost businesses almost $60 billion in 2025 and predicted that number could rise to about $138 billion by 2031. 
