If you’ve been using Axios for a while, this one might feel a bit uncomfortable.
A few days back, something weird happened. Not a bug. Not a breaking change.
A full-blown supply chain attack.
What actually happened?
On March 31, 2026, attackers managed to get access to an Axios maintainer’s npm account. (GitHub)
Then they did something very simple (and very dangerous):
They published two new versions:
At first glance, everything looked normal. No suspicious code changes. No red flags.
But under the hood?
They quietly added a dependency:
plain-crypto-js
And that’s where things go downhill.
The scary part
This wasn’t just a harmless package.
It was designed to install a remote access trojan (RAT) on your system. (Datadog Security Labs)
Meaning:
- It could run on Mac, Windows, Linux
- It could connect to a remote server
- It could potentially give attackers access to your machine
And the worst part?
It runs during npm install.
So yeah… just installing dependencies was enough.
“But I didn’t update Axios…”
You might still be affected.
If your project:
- didn’t pin versions properly
- or ran a fresh install during that ~3 hour window
…it could have pulled the compromised version automatically. (Datadog Security Labs)
That’s the nature of supply chain attacks.
They don’t knock on the door. They just… walk in.
Why this one hits differently
What makes this incident interesting (and a bit scary):
- No change in actual Axios source code
- Only
package.json was modified
- Malicious dependency wasn’t even used anywhere
Basically:
Everything looked clean… but wasn’t.
That’s some next-level subtlety.
Quick checklist (just in case)
If you want to sleep peacefully tonight:
My personal takeaway
This wasn’t about Axios being “bad”.
This was about:
- trust
- ecosystem scale
- and how fragile open-source pipelines can be
Axios has 100M+ weekly downloads.
One small breach → massive blast radius.
References
If you missed this news earlier, now you know.
And maybe… pin your dependencies today