Axios Hack Bypasses GitHub Protections and Installs Hidden Malware on Systems
The popular JavaScript HTTP client Axios has been compromised in a supply chain attack, exposing projects to malware through malicious npm releases. Security researchers from StepSecurity identified the issue, warning that the impact could be widespread given that Axios exceeds 80 million weekly downloads.

The attack centers on two specific versions of the library that were published with hidden malicious code.

Compromised Versions and Attack Method

The affected releases are axios@1.14.1 and axios@0.30.4. Researchers believe attackers gained access to a maintainer’s npm credentials, changed account details, and pushed altered packages directly to the registry.

Because the attacker operated through a legitimate account, the malicious versions bypassed typical safeguards, including GitHub Actions pipelines and signing protections. This made the packages appear trustworthy and allowed them to propagate quickly across projects.

Malware Hidden Inside a Fake Dependency

The compromised packages introduced a dependency called plain-crypto-js, which does not belong to the official Axios codebase. Its sole purpose was to deliver malware.

Once installed, the dependency triggers a postinstall script that runs automatically. It acts as a cross-platform Remote Access Trojan dropper, capable of connecting to a command-and-control server and executing instructions remotely. The payload targets Windows, macOS, and Linux systems and attempts to remove traces after execution to avoid detection.

Researchers also noted that the malicious code uses obfuscation techniques, including encoded strings that are decoded at runtime using an XOR-based method.

How to Check If You Are Affected

Developers can verify exposure by checking the installed Axios version and looking for signs of the injected dependency.

npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

If the project includes one of the compromised versions, the next step involves checking whether the malicious package exists:

ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

On Linux systems, an additional indicator of compromise may appear as a suspicious file:

ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"
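The three commands above check one installed tree at a time. The following script is an added example, not part of the article or of the Axios project: it audits a parsed package-lock.json (lockfile v2/v3 "packages" map, with a fallback for the v1 nested "dependencies" tree) and reports every axios entry at a compromised version and every plain-crypto-js entry, wherever they sit in the tree. It goes slightly beyond the article by also listing every package the lockfile marks with hasInstallScript, since those are exactly the packages a postinstall-based dropper relies on and the ones that --ignore-scripts neutralises. The sample lockfile is constructed for the example; the plain-crypto-js version in it is a placeholder, as the article does not state the real one.

```javascript
// Added example: audit a package-lock.json for the Axios compromise indicators.
// Assumptions (not from the article): lockfile v2/v3 uses a "packages" map keyed by
// path ("node_modules/a/node_modules/b"); lockfile v1 nests "dependencies" objects.

// Indicators taken from the article: the two compromised releases and the injected dependency.
const COMPROMISED_VERSIONS = { axios: new Set(['1.14.1', '0.30.4']) };
const ROGUE_PACKAGES = new Set(['plain-crypto-js']);

// "node_modules/@scope/pkg" or "node_modules/a/node_modules/b" -> the last package segment.
function nameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Yield every installed package as { path, name, version, hasInstallScript }.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      yield {
        path,
        name: meta.name || nameFromPath(path),
        version: meta.version,
        hasInstallScript: Boolean(meta.hasInstallScript),
      };
    }
    return;
  }
  // Lockfile v1: nested "dependencies" objects; v1 does not record install scripts.
  function* rec(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: meta.version, hasInstallScript: false };
      yield* rec(meta.dependencies, `${path}/`);
    }
  }
  yield* rec(lock.dependencies, '');
}

// Return a list of findings; an empty list means none of the indicators were seen.
function auditLockfile(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = COMPROMISED_VERSIONS[pkg.name];
    if (bad && bad.has(pkg.version)) {
      findings.push({ ...pkg, severity: 'critical', reason: 'compromised axios release' });
    }
    if (ROGUE_PACKAGES.has(pkg.name)) {
      findings.push({ ...pkg, severity: 'critical', reason: 'injected dependency, not part of axios' });
    } else if (pkg.hasInstallScript) {
      findings.push({ ...pkg, severity: 'info', reason: 'package runs an install script' });
    }
  }
  return findings;
}

// Human-readable lines for a report; returned rather than printed so callers can reuse them.
function summarize(findings) {
  if (findings.length === 0) return ['no indicators found'];
  return findings.map(f => `[${f.severity}] ${f.path} (${f.name}@${f.version}): ${f.reason}`);
}

// Constructed sample lockfile (v3) for the example: a compromised top-level axios that pulls in
// plain-crypto-js, a safe nested 0.30.3 under a legacy SDK, and an unrelated package with a
// build script. The plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0', 'legacy-sdk': '1.0.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/legacy-sdk': { version: '1.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.3' },
    'node_modules/native-addon-example': { version: '2.1.0', hasInstallScript: true },
  },
};

console.log(summarize(auditLockfile(SAMPLE_LOCK)).join('\n'));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Reading the lockfile rather than node_modules is deliberate: it also catches a compromised version that a teammate or CI job would install on the next `npm ci`, even if the local tree is currently clean.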

Mitigation and Cleanup

Developers should immediately downgrade Axios to a safe version, such as 1.14.0 or 0.30.3, depending on the branch in use.

To prevent the compromised versions from being installed again, npm supports an overrides feature that forces a specific version across all dependencies. Adding this to package.json ensures that even indirect dependencies cannot pull in a malicious release:

"overrides": {
  "axios": "1.14.0"
}

After locking the version, cleaning the environment remains critical. Remove the injected plain-crypto-js package together with the lockfile entries that reference it, then reinstall with install scripts disabled so that no remaining postinstall hook can run:

npm install --ignore-scripts

Any system that has installed the compromised versions should be treated as potentially breached. That means rotating all sensitive credentials, including npm tokens, cloud keys, SSH keys, and environment secrets.

For CI/CD pipelines, switching to commands that ignore install scripts adds an extra layer of protection against similar attacks in the future.

Growing Threat to the Open-Source Ecosystem

This incident reflects a broader pattern of attacks targeting developers through trusted tools and dependencies. Recent campaigns have used fake VS Code alerts on GitHub to distribute malware, while other actors have focused on browser exploits and remote access vulnerabilities.

By targeting widely used packages like Axios, attackers maximize reach with minimal effort. The event reinforces the need for stricter dependency controls and continuous monitoring across development environments.

The Axios compromise shows how a single breached maintainer account can cascade into a large-scale supply chain attack. Affected versions should be removed immediately, environments should be cleaned, and all credentials should be rotated.

Using npm overrides to lock safe versions adds an important safeguard against accidental reinstallation of compromised packages.

Via Neowin
