E-Ink News Daily

Supply Chain Attack on Axios

A supply chain attack compromised the popular Axios HTTP client via a malicious npm dependency ([email protected]), injecting a remote access trojan that can execute commands and exfiltrate data. The attack bypassed normal release workflows, with maintainers initially unable to revoke attacker access. Axios has over 100 million weekly downloads, making this a high-impact security incident.

Background

Supply chain attacks target software dependencies to inject malware, leveraging trusted packages to compromise downstream users. Axios is a widely used JavaScript HTTP client with massive adoption in web development.

Source: Lobsters
Published: Mar 31, 2026 at 03:28 PM
Score: 9.0 / 10