A critical software supply chain attack has compromised the widely used JavaScript HTTP client Axios after malicious versions of the package were published to npm with a trojanized dependency capable of delivering remote access malware.
Socket Researchers identified compromised versions [email protected] and [email protected], which included a malicious dependency called [email protected]. The package executed a multi-stage payload during installation, enabling attackers to run commands, collect system data, and maintain persistence on infected systems.
Open-source developer Feross Aboukhadijeh warned the incident represented an active compromise of one of npm’s most widely used packages, describing it as “textbook supply chain installer malware” in a post on X (formerly Twitter) published earlier today.
Axios is used in front-end applications, back-end services, internal tools, and enterprise platforms, with more than 100 million weekly downloads on npm. For many organizations running JavaScript applications, Axios is likely present somewhere in their environment, often indirectly through other dependencies.
Supply Chain Visibility and AI Development Risks
According to an advisory published by Socket today, the malicious package executed automatically through an npm post-install script, downloading platform-specific malware for Windows, macOS, and Linux. The malware also used obfuscation and anti-forensics techniques to hide its activity and remove evidence after installation.
Security researchers at vx-underground emphasized the scale of exposure on X (formerly Twitter) earlier today: “The impact from Axios being compromised is devastating, the fallout from this will be a massive headache. This is unironically a malware nuclear missile and will likely be studied in the future.”
The incident highlights a persistent problem for security leaders: many organizations do not have clear visibility into which open-source dependencies are running inside their applications. Modern development pipelines automatically install and update packages, making it difficult to track risk without strong governance and Software Bill of Materials (SBOM) controls.
The risk is increasing further as AI-assisted development tools and autonomous coding agents automatically install dependencies and build applications with little or no human review. In many environments, no one is actively reviewing what packages are being installed, creating a growing software supply chain attack surface.
The Axios incident, whose real impact is still to be seen, is likely to renew industry focus on software supply chain governance, dependency visibility, and tighter controls around automated package installation in development pipelines.