If you are a JavaScript developer, you’re likely familiar with Axios, the popular library with over 80 million weekly downloads. Developers use Axios to make network requests, handle form submissions, perform CRUD operations, and manage file uploads in both browser and Node.js environments.
Now, researchers at StepSecurity have notified the public that two specific versions, axios@1.14.1 and axios@0.30.4, have been pwned by hackers. This was likely achieved through stolen npm credentials belonging to a lead maintainer, and the attackers even managed to change the account email address to ifstap@proton.me. They then manually published these poisoned versions, completely bypassing the project's standard GitHub Actions and cryptographic signing processes.
According to StepSecurity, the affected versions did not alter the core Axios code but instead injected a hidden, fake dependency named plain-crypto-js@4.2.1. This fake package, which Axios never actually uses in its source, runs a postinstall script right when you install it.
That script acts as a cross-platform remote access trojan (RAT) dropper, hitting machines running Windows, macOS, and Linux, and then contacts a command and control (C2) server. After it installs the malware, the dropper attempts to self-destruct, replacing its own package.json with a clean version to evade detection.
The hackers used some pretty clever obfuscation techniques to hide what the malware was actually doing on your machine. They encoded sensitive strings like shell commands and file paths into a complex array that gets decoded at runtime using a specific XOR cipher key.
To check if your computer has been compromised, try the following commands:
```bash
# Check for the malicious axios versions in your project
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"

# Look for the hidden dependency directory
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"

# Check for RAT artifacts on Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"
```

If you think you might be infected (remember the affected versions are axios@1.14.1 and axios@0.30.4), downgrade Axios to the last known safe version. Use axios@1.14.0 for 1.x users and axios@0.30.3 for 0.x users, but make sure to add an overrides block in your package.json to prevent transitive dependencies from pulling in the bad versions:

```json
"overrides": {
  "axios": "1.14.0"
}
```

You also need to remove plain-crypto-js from node_modules and then run npm install --ignore-scripts to prevent any other postinstall hooks from running.
Another very important thing you should do is rotate all your credentials, like NPM tokens, AWS access keys, SSH private keys, cloud credentials, and any values found in .env files accessible during install.
For CI/CD pipelines, always run npm ci --ignore-scripts to stop postinstall hooks from running automatically.