CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Axios npm Package Compromised

unknown
On March 31, 2026, the Axios npm package was compromised via a maintainer account takeover. Two malicious versions were published - axios@1.14.1 and axios@0.30.4 - which introduced a hidden dependency (plain-crypto-js@4.2.1) able to execute a post‑install script deploying a cross‑platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems. Revised on 2026-04-14 00:00:00

CSIRTS triage

What
The Axios npm package was compromised, introducing a hidden dependency that can deploy a Remote Access Trojan.
Who is affected
Users of the compromised Axios versions.
Urgency
Immediate action is required to prevent potential malware installation on affected systems.
Action
Remove the compromised versions of Axios and update to a secure version.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Axios

Get an email when a new Axios advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-04-14
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-126

More from Fortinet FortiGuard PSIRT