the WORST hack of 2026

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Axios was compromised via npm supply-chain manipulation, turning routine npm installs into a potential remote access Trojan delivery mechanism.

Briefing

A high-profile supply-chain attack targeted Axios, one of the most widely used JavaScript HTTP libraries, by hijacking the lead maintainer’s account and slipping in a malicious dependency that triggers a remote access Trojan in roughly 1.1 seconds—then erases traces to make detection harder. With Axios seeing over 100 million downloads per week, the incident matters because it turns a routine “npm install” into a potential compromise path for countless applications that never directly install Axios themselves.

The attack’s core trick was account takeover plus a stealthy change to Axios’s dependency graph rather than an obvious backdoor in Axios source code. The attacker obtained a long-lived npm access token tied to the lead maintainer, then changed the maintainer account email and modified Axios’s package.json to reference a dependency named crypto.js. That dependency wasn’t imported anywhere in Axios’s 86 source files; it existed mainly to run an automatic postinstall script during installation. Instead of immediately publishing a malicious version, the attacker staged a clean version of the dependency about 18 hours earlier, then later swapped in the poisoned one—helping the change blend into normal review expectations.

To bypass typical safeguards, the attacker used the npm CLI to push the altered releases while also poisoning specific release branches and versions: 1.14.1 and 0.30.4. Projects that install dependencies using a “caret” or compatible version range could pull the compromised package automatically, including during CI/CD runs or when other software depended on Axios indirectly. Socket.dev was among the first to identify the issue, and the two poisoned releases were published quickly, within about 39 minutes of each other.
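To make the version-range point concrete, here is an added example (not code from the video or from the Axios project) that implements npm's caret and tilde range rules and reports which of the two versions named above a given package.json range could resolve to. It goes slightly beyond the text by also covering tilde ranges and the 0.x caret rule; the sample ranges are constructed.

```javascript
// Added example: minimal ^ / ~ range check to show which package.json ranges
// would have auto-resolved to the poisoned Axios releases. Assumes npm's
// semver rules for ^ and ~ on plain x.y.z versions (no pre-release tags).
const POISONED = ["1.14.1", "0.30.4"]; // the two releases named in the video

function parse(v) {
  return v.replace(/^[v=]/, "").split(".").map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound npm applies to a ^ or ~ range.
function upperBound(op, [major, minor, patch]) {
  if (op === "~") return [major, minor + 1, 0];
  // ^ permits changes that keep the left-most non-zero component fixed,
  // so ^0.30.0 allows 0.30.x only, while ^1.13.0 allows anything below 2.0.0.
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` satisfies a pinned ("1.14.0"), caret or tilde range.
function satisfies(range, version) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  const lo = parse(base), v = parse(version);
  if (op === "") return cmp(v, lo) === 0;
  return cmp(v, lo) >= 0 && cmp(v, upperBound(op, lo)) < 0;
}

// Which poisoned releases could a given package.json range pull in?
function exposure(range) {
  return POISONED.filter((v) => satisfies(range, v));
}

// Constructed sample ranges as they might appear in a package.json.
const SAMPLE_RANGES = ["^1.13.0", "~1.14.0", "1.14.0", "^0.30.0", "^0.29.0"];
for (const r of SAMPLE_RANGES) {
  console.log(r.padEnd(8), exposure(r).join(", ") || "(not exposed)");
}
```

A pinned version or a committed lockfile installed with `npm ci` keeps the resolved version fixed, which is why a floating range is the risky case here.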

Once a vulnerable package was installed, the postinstall script acted as a dropper. It wrote a setup.js file that used layered obfuscation (including Base64 and additional encoding/transform steps) to hide malicious logic from static scanners. Setup.js then detected the victim’s operating system, contacted the attacker’s command-and-control (C2) server, downloaded the appropriate remote access Trojan, and executed it. After the payload was fetched and the system was effectively under attacker control, the script cleaned up by deleting setup.js, removing the malicious package.json, and restoring a pre-staged clean package.json—leaving minimal on-disk evidence.

The practical takeaway is that users may be infected without doing anything unusual: simply running npm install on affected versions could trigger the compromise. The guidance offered is to check installed Axios versions with npm list commands and, if needed, run deeper searches across a system for Axios 1.14.1 or 0.30.4. If indicators of the Trojan or C2 contact appear, the response should treat the machine as compromised—rotate API keys and other credentials/tokens rather than relying on file deletion alone. The incident is framed as an escalating pattern of supply-chain attacks, with remediation urgency proportional to how widely the dependency is used.

Cornell Notes

Axios, a major JavaScript HTTP library, was compromised through a supply-chain attack that hinged on npm account takeover and a poisoned dependency. The attacker modified Axios’s package.json to reference crypto.js, which wasn’t used in Axios code directly but did run a postinstall script. That script dropped an obfuscated setup.js, detected the victim’s OS, contacted a C2 server to fetch a remote access Trojan, then erased itself and restored a clean package.json to reduce traces. Because many projects install Axios indirectly via npm dependency ranges, the impact can spread automatically through CI/CD and routine installs. The recommended response is to check for Axios versions 1.14.1 and 0.30.4 and, if compromise indicators exist, rotate credentials and treat the machine as compromised.

How did the attacker get from an npm account compromise to code execution on end-user machines?

The attacker took over the lead maintainer’s npm account using a long-lived npm access token. They then changed the maintainer’s account email and altered Axios’s package.json so that installation would pull in a dependency (crypto.js) whose purpose was to run a postinstall script. During npm install, that postinstall script executed automatically, acting as a dropper that wrote setup.js and ultimately fetched and ran a remote access Trojan.

Why didn’t the malicious behavior show up in Axios’s normal source code review?

The malicious dependency (crypto.js) wasn’t imported by any of Axios’s source files. Instead, it existed to trigger the dependency’s postinstall behavior. That means reviewers looking at Axios code could miss the payload because the harmful logic lived in the dependency’s installation hooks rather than in Axios runtime code.

What made the payload hard to detect during installation?

The dropper used layered obfuscation (including Base64 and additional encoding/transform steps) to hide malicious logic from static scanners. After the Trojan was downloaded from the command-and-control server, the script cleaned up by deleting setup.js and removing the malicious package.json, then restoring a pre-staged clean package.json—reducing forensic artifacts on disk.

How did version targeting and dependency ranges expand the attack’s reach?

The attacker poisoned specific releases—Axios 1.14.1 and 0.30.4—across release branches (1.x and 0.x). Many projects use npm version ranges that allow compatible updates, so systems running npm install (including CI/CD pipelines) could automatically fetch the compromised versions without explicitly requesting them.

What concrete checks were recommended to determine whether a system is affected?

The guidance was to run npm list commands to check installed Axios versions and look specifically for 1.14.1 or 0.30.4. If those versions appear, a deeper search across the system is advised because Axios may be present in custom-built projects or transitive dependencies. Additional commands were suggested to check whether the remote access Trojan landed and whether the system attempted to contact the C2 server.
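The `npm list` check above only sees what the current project resolved; an added example (not from the video or the Axios project) that audits a parsed npm lockfile (lockfileVersion 2 or 3) instead, flagging the two named Axios versions wherever they sit in the tree and any package that npm recorded as carrying install lifecycle scripts. The lockfile content is constructed, and the package name "some-sdk" and the "crypto.js" version are placeholders.

```javascript
// Added example: scan an npm lockfile object for the poisoned Axios releases
// (including nested/transitive copies) and for packages with install hooks.
const POISONED_AXIOS = new Set(["1.14.1", "0.30.4"]);

// npm lockfiles key packages by their node_modules path; the package name is
// the part after the last "node_modules/" (works for scoped names too).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = nameFromPath(path);
    if (name === "axios" && POISONED_AXIOS.has(entry.version)) {
      findings.push({ path, version: entry.version, reason: "poisoned axios release" });
    }
    // npm sets hasInstallScript when a package declares preinstall/install/
    // postinstall; each such package runs code during `npm install`.
    if (entry.hasInstallScript) {
      findings.push({ path, version: entry.version, reason: "has install script" });
    }
  }
  return findings;
}

function summarize(lock) {
  return auditLockfile(lock).map((f) => `${f.reason}: ${f.path}@${f.version}`);
}

// Constructed sample lockfile: axios is only a transitive dependency here,
// nested under a hypothetical "some-sdk"; the "crypto.js" entry and its
// version are placeholders that merely carry an install script flag.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/some-sdk": { version: "2.3.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/some-sdk/node_modules/crypto.js": { version: "0.0.0-placeholder", hasInstallScript: true },
    "node_modules/@scope/safe-lib": { version: "0.1.0" },
  },
};

console.log(summarize(SAMPLE_LOCK).join("\n"));
```

Feed a real file with `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; installing with `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks such as the dropper described above from running until flagged packages have been reviewed.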

If compromise is suspected, what remediation steps were emphasized?

The advice was to treat the machine as compromised rather than only deleting files. That includes rotating every credential and token—especially API keys—because the attacker may have already accessed the system quickly after installation (reported around 1.1 seconds). A full remediation checklist was referenced for follow-through.

Review Questions

  1. Which Axios versions were specifically identified as poisoned, and why would dependency ranges make them especially dangerous?
  2. What role did the postinstall script and the staged clean dependency play in bypassing review and detection?
  3. After setup.js contacted the C2 server and downloaded the Trojan, what cleanup actions reduced evidence on the system?

Key Points

  1. Axios was compromised via npm supply-chain manipulation, turning routine npm installs into a potential remote access Trojan delivery mechanism.
  2. The attacker used a hijacked maintainer account and a long-lived npm access token to modify Axios’s package.json.
  3. A poisoned dependency (crypto.js) triggered an automatic postinstall script even though it wasn’t imported by Axios source files.
  4. Targeted releases (Axios 1.14.1 and 0.30.4) plus npm version ranges enabled widespread automatic uptake through CI/CD and transitive dependencies.
  5. The dropper used obfuscation, OS detection, and C2 retrieval, then erased setup.js and restored a clean package.json to limit traces.
  6. Recommended detection steps include checking installed Axios versions and searching for transitive presence across a system.
  7. If indicators suggest compromise, remediation should include rotating API keys and all credentials/tokens and treating the host as compromised.

Highlights

Axios was hijacked without directly injecting obvious malicious code into Axios source files; the payload lived in a dependency postinstall path.
The malicious flow was reported to execute in about 1.1 seconds after npm install, then self-clean to reduce forensic evidence.
Poisoned versions 1.14.1 and 0.30.4 could be pulled automatically via compatible version ranges during CI/CD.
The attack’s stealth relied on staging a clean dependency first, then swapping in the malicious one later to blend into normal expectations.

Topics

  • Supply Chain Attack
  • npm Dependencies
  • Axios Compromise
  • Remote Access Trojan
  • Malware Cleanup
