Axios Compromise on npm Introduces Hidden Malicious Package

A newly discovered software supply chain attack targeting the npm ecosystem briefly compromised one of the most widely used JavaScript libraries in the world.

First reported by researchers at StepSecurity, the incident involved unauthorized publications of the popular HTTP client axios, an npm package that sees over 300 million weekly downloads.

Between March 30 and 31, 2026, attackers hijacked an npm publishing account associated with an axios maintainer and released two malicious versions of the package:

Sonatype tracked both packages as sonatype-2026-001623.

Notably, neither version contained malicious code directly. Instead, both introduced a hidden dependency on a newly published package:

The naming and timing of this package suggest it was intentionally published to resemble a legitimate cryptography library, likely to confuse or deter researchers during our initial analysis.

Sonatype detected and flagged the packages as malicious within minutes, at 01:04 UTC on March 31, 2026. For organizations using Sonatype’s automated defenses, this rapid detection meant automatic protection, blocking downloads of the malicious components before they could reach developer environments.

npm has since removed the malicious axios versions and replaced plain-crypto-js with a security-holder stub.

Why Was Axios an Ideal Target?

Axios is one of the most widely used HTTP client libraries in the JavaScript ecosystem. By compromising axios, attackers gained:

  • Immediate access to a massive developer install base.

  • High trust due to axios’s reputation and ubiquity.

  • Automatic execution via dependency installation.

Because npm automatically installs dependencies and executes their lifecycle scripts, simply installing the affected axios versions triggered the malicious payload. Each time either malicious axios (Read more...)
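The two artefacts this kind of attack leaves behind, a dependency that was not in the previous release and an install-time lifecycle script in that dependency, can be checked mechanically before a new version is allowed into a build. The following is an added example, not code from the Sonatype post or the axios project; the manifests it inspects are constructed samples, and the version strings, dependency lists and the `postinstall` command are placeholders rather than the real published contents.

```javascript
// Added example (not the post's or axios's own code): review a new release by
// diffing its package.json against the previous one and flagging newly added
// dependencies and install-time lifecycle scripts.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Lifecycle scripts that npm runs automatically when a package is installed.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

function runtimeDeps(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
}

// Dependencies present in the new manifest but absent from the previous one.
function addedDependencies(oldManifest, newManifest) {
  const before = runtimeDeps(oldManifest);
  const after = runtimeDeps(newManifest);
  return Object.keys(after).filter((name) => !(name in before));
}

// depManifests maps a dependency name to its package.json, e.g. read from
// node_modules/<name>/package.json after an `npm install --ignore-scripts`.
function reviewRelease(oldManifest, newManifest, depManifests) {
  const findings = [];
  for (const s of installScripts(newManifest)) {
    findings.push({ level: 'warn', package: newManifest.name, detail: `${s.hook}: ${s.command}` });
  }
  for (const name of addedDependencies(oldManifest, newManifest)) {
    findings.push({ level: 'warn', package: name, detail: 'dependency not present in previous release' });
    const dep = depManifests[name];
    if (!dep) { findings.push({ level: 'warn', package: name, detail: 'manifest not available for review' }); continue; }
    for (const s of installScripts(dep)) {
      findings.push({ level: 'block', package: name, detail: `runs "${s.command}" on ${s.hook}` });
    }
  }
  return findings;
}

// Constructed sample manifests; versions, dependencies and the script are placeholders.
const previousAxios = { name: 'axios', version: '0.0.0-previous', dependencies: { 'follow-redirects': '^1.0.0' } };
const suspectAxios = { name: 'axios', version: '0.0.0-suspect', dependencies: { 'follow-redirects': '^1.0.0', 'plain-crypto-js': '1.0.0' } };
const resolved = { 'plain-crypto-js': { name: 'plain-crypto-js', version: '1.0.0', scripts: { postinstall: 'node install.js' } } };

const report = reviewRelease(previousAxios, suspectAxios, resolved);
console.log(report.map((f) => `[${f.level}] ${f.package}: ${f.detail}`).join('\n'));
```

Running the install with `--ignore-scripts` before this review means the dependency's manifest can be read without any of its lifecycle hooks having executed.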

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://www.sonatype.com/blog/axios-compromise-on-npm-introduces-hidden-malicious-package