{"id":8478,"date":"2026-03-31T11:25:52","date_gmt":"2026-03-31T16:25:52","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88453"},"modified":"2026-03-31T11:25:52","modified_gmt":"2026-03-31T16:25:52","slug":"attack-on-axios-software-developer-tool-threatens-widespread-compromises","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/31\/attack-on-axios-software-developer-tool-threatens-widespread-compromises\/","title":{"rendered":"Attack on axios software developer tool threatens widespread compromises"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>Attack on axios software developer tool threatens widespread compromises | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Attack on axios software developer tool threatens widespread compromises\"> <meta property=\"og:description\" content=\"Researchers at numerous firms are sounding warnings about the supply-chain attack on an open-source project with 100 million weekly downloads.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-31T16:25:52+00:00\"> <meta property=\"article:modified_time\" content=\"2026-03-31T16:25:54+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg\"> <meta property=\"og:image:width\" content=\"2309\"> <meta property=\"og:image:height\" content=\"1299\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1774626878g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1774625888g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1773271249g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88453\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link 
rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88453\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Faxios-software-developer-tool-attack-compromise%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Faxios-software-developer-tool-attack-compromise%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88453 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> 
<button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.356179775281\">\n<div class=\"single-article__header-content\" readability=\"33.902325581395\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/\"> <span>Ransomware<\/span> <\/a> <\/li>\n<\/ul>\n<p> Researchers at numerous firms are sounding warnings about the supply-chain attack on an open-source project with 100 million weekly downloads. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88453\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg 2309w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/attack-on-axios-software-developer-tool-threatens-widespread-compromises-1.jpg?resize=1498,843 1498w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty 
Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"45.746600055509\"><body readability=\"92.398745008557\"><\/p>\n<p>A hacker briefly delivered malware this week through a popular open-source project for software developers that has an estimated 100 million weekly downloads, raising the possibility of compromises spreading widely through a supply-chain attack.<\/p>\n<p>Axios is a JavaScript client library used for making web requests. The unknown attacker hijacked the npm account \u2014 npm being a package manager for JavaScript \u2014 of the lead axios maintainer, and then published malicious versions of axios with remote access trojans to npm. That happened on Sunday night going into Monday morning, cybersecurity firm <a href=\"https:\/\/www.huntress.com\/blog\/supply-chain-compromise-axios-npm-package\">Huntress<\/a> said, before the poisoned versions were pulled.<\/p>\n<p><a href=\"https:\/\/www.aikido.dev\/blog\/axios-npm-compromised-maintainer-hijacked-rat\">Aikido<\/a>, another security firm, called it \u201cone of the most impactful npm supply chain attacks on record.\u201d Researchers at a large number of cybersecurity companies have sounded alarms about the attack, including <a href=\"https:\/\/www.stepsecurity.io\/blog\/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan\">Step Security<\/a>, <a href=\"https:\/\/socket.dev\/blog\/axios-npm-package-compromised\">Socket<\/a>, <a href=\"https:\/\/www.endorlabs.com\/learn\/npm-axios-compromise\">Endor Labs<\/a> and others.<\/p>\n<p>According to Step Security, the malicious \u201caxios@1.14.1\u201d and \u201caxios@0.30.4\u201d versions inject a new software dependency, plain-crypto-js@4.2.1, that acts as a loader for the malware. 
 It targets macOS, Windows and Linux devices.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>But while the researchers describe it as malware, they note that \u201cthere are zero lines of malicious code inside axios itself.\u201d Rather, the software is simply functioning as designed \u2014 or redesigned.<\/p>\n<p>\u201cBoth poisoned releases inject a fake dependency\u2026 never imported anywhere in the axios source, whose sole purpose is to run a [post installation] script that deploys a cross-platform remote access trojan,\u201d wrote Ashish Kurmi, chief technology officer and founder of Step Security.<\/p>\n<p>Feross Aboukhadijeh, CEO and founder of Socket, called the situation \u201ca live compromise\u201d with a wide potential blast radius.<\/p>\n<p>\u201cThis is textbook supply chain installer malware,\u201d Aboukhadijeh <a href=\"https:\/\/x.com\/feross\/status\/2038807290422370479\">wrote on X Monday evening<\/a>, adding about the malicious versions that \u201cEvery npm install pulling the latest version is potentially compromised right now.\u201d<\/p>\n<p>The software package pulled in by the malicious versions of axios has embedded payloads that evade static cybersecurity analysis methods and confound human reviewers, and it deletes and renames artifacts to destroy forensic evidence.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Aboukhadijeh gave blunt advice for anyone who had downloaded or used axios in at least the past week.<\/p>\n<p>\u201cIf you use axios, pin your version immediately and audit your lockfiles,\u201d he wrote. 
\u201cDo not upgrade.\u201d<\/p>\n<p>Kurmi described the attack as \u201cprecision,\u201d noting that the malicious dependency was staged less than 24 hours in advance and both malicious versions were poisoned within the same hour.&nbsp;<\/p>\n<p>Given the timeframe during which the malicious axios versions were online, that could translate into approximately 600,000 downloads, said Joshua Wright, SANS Institute faculty fellow and senior technical director at Counter Hack Innovations.&nbsp;<\/p>\n<p>\u201cThat\u2019s a large number of compromises, and as soon as you install the software, it scrapes access credentials, and so now threat actors could pivot to AWS, other GitHub packages through scraped GitHub keys, and that\u2019s the part that\u2019s really difficult to articulate,\u201d he told CyberScoop, warning that the fallout could stretch for weeks. \u201cWe\u2019re going to see more and more stories about people that realize they\u2019ve gotten breached, as today they\u2019re trying to figure out what the impact is of that.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attack follows closely on the heels of other cases of <a href=\"https:\/\/www.theregister.com\/2026\/03\/30\/telnyx_pypi_supply_chain_attack_litellm\/\">developer-oriented targeting<\/a>.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"0.61458333333333\">\n<div class=\"author-card\" readability=\"7\">\n<p><h4 class=\"author-card__name\">Written by Tim Starks and Derek B. 
Johnson<\/h4>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- 
Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/axios-software-developer-tool-attack-compromise\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attack on axios software developer tool threatens widespread compromises |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1399,168,46,1866],"tags":[1405,169,54,1868],"class_list":["post-8478","post","type-post","status-publish","format-standard","hentry","category-javascript","category-malware","category-ransomware","category-supply-chain-attacks","tag-javascript","tag-malware","tag-ransomware","tag-supply-chain-attacks"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/javascript\/\" rel=\"category tag\">JavaScript<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/supply-chain-attacks\/\" rel=\"category tag\">supply chain attacks<\/a>","tag_info":"supply chain 
attacks","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8478"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8478\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}