NoTime2Watch
Tech

Axios npm supply chain attack: deeply analyzed

Tyler Hoekstra β€” Technology reporter covering AI, software, hardware, and the companies shaping the digital future3 min readUpdated April 1, 2026
Axios npm supply chain attack: deeply analyzed

Key Takeaways

  • β€’A sophisticated supply chain attack hit Axios, the JavaScript HTTP library with over 100 million weekly npm downloads, by embedding a Remote Access Trojan inside compromised package versions.
  • β€’Attackers gained control of a maintainer's npm account, published malicious Axios releases, and introduced a rogue dependency called plain-crypto-JS that silently installed a RAT capable of stealing AWS credentials, OpenAI API keys, and more.
  • β€’Fireship covered the incident in their video "Millions of JS devs just got penetrated by a RAT…", breaking down exactly how the attack worked, which versions are affected, and why rolling your credentials matters far more than just deleting a file.

How a Trusted Library Became the Delivery Vehicle

Axios is one of those packages that lives in basically every JavaScript project. Over 100 million downloads a week. It's so ubiquitous that developers install it without a second thought, which is exactly what made it a useful target. Attackers didn't need to convince anyone to install something sketchy. They just needed to get inside something people were already installing automatically. As Fireship explains in Millions of JS devs just got penetrated by a RAT…, the specific method used to obtain the maintainer's npm access token hasn't been confirmed β€” we know the lock was picked, we just don't know how.

The Account Takeover Nobody Noticed

Once attackers had control of a compromised npm maintainer account, they bypassed the normal GitHub Actions release pipeline entirely and pushed malicious versions of Axios directly to the registry under a Proton Mail address. That's the tell in hindsight, but npm doesn't exactly send you a push notification when a package you depend on changes its publishing behavior. The malicious versions looked legitimate from the outside. Nothing in the primary Axios code screamed

Our Analysisβ€” Tyler Hoekstra, Technology reporter covering AI, software, hardware, and the companies shaping the digital future

Our Analysis: The scariest part here isn't the RAT itself. It's that npm audit came back clean. The entire safety net developers have been trained to trust was useless against this attack, and most people won't know that until it's already too late.

Fireship covers the detection steps well, but glosses over the real fallout. Rolling API keys sounds simple. It isn't. Figuring out what touched your environment, when, and from which machine is hours of painful forensic work most solo devs are not equipped to do.

The dependency chain is a liability. Everyone knows it. Nobody has a better answer yet.

What this attack exposes, more than anything, is the structural trust problem baked into how the JavaScript ecosystem operates. npm's security model is built around the assumption that maintainer accounts are secure. There's no mandatory multi-factor enforcement for publishing, no cryptographic signing requirement tied to identity verification, and no behavioral anomaly detection that would flag a package suddenly switching from a GitHub Actions pipeline to a manual publish via a Proton Mail address. Each of those gaps is known. Each has been discussed. None have been resolved at the ecosystem level.

The plain-crypto-JS dependency is also worth dwelling on. Burying the malicious payload in a sub-dependency β€” rather than in Axios itself β€” is a deliberate obfuscation strategy. It means the diff on the Axios repo looks clean. A developer doing due diligence, even an unusually careful one, would have had no obvious reason to inspect a newly added transitive dependency. This is the same technique that made the XZ Utils backdoor so effective: the attack surface isn't the famous package, it's the stuff nobody thinks to look at.

There's a harder conversation here about who actually maintains the software that powers modern infrastructure. Axios has hundreds of millions of weekly downloads and is a critical dependency for thousands of production systems. The people responsible for its security are, presumably, a small group of volunteers. That asymmetry β€” massive blast radius, minimal resources β€” is the real vulnerability. Attackers understand it even if the industry doesn't want to talk about it plainly.

If there's anything actionable beyond the obvious credential rotation advice, it's this: audit your dependency tree for packages that have no strong community presence, no meaningful commit history, and no independent security scrutiny. plain-crypto-JS fit that profile exactly. Automated tooling won't catch these. Someone has to actually look.

Frequently Asked Questions

What exactly happened in the Axios npm supply chain attack?
Attackers compromised an npm maintainer account for Axios β€” a JavaScript HTTP library with over 100 million weekly downloads β€” and pushed malicious package versions directly to the npm registry, bypassing the normal GitHub Actions release pipeline entirely. Those versions quietly introduced a rogue dependency called plain-crypto-JS that installed a Remote Access Trojan capable of harvesting sensitive credentials. The how of the initial account takeover hasn't been confirmed, which is worth noting β€” the full attack chain is still not publicly verified. (Note: the method of credential theft for the maintainer account remains unconfirmed as of this writing.)
Which versions of Axios are affected by the RAT malware?
The malicious releases were pushed directly to the npm registry under a Proton Mail address rather than through the official GitHub Actions pipeline β€” that publishing behavior mismatch is the clearest fingerprint of the compromised versions. Fireship's video covers the specific version numbers, and cross-referencing your installed version against the official Axios GitHub release history is the most reliable way to verify you're clean. If your lock file shows a version published outside the normal release cadence, treat it as suspect.
How can JavaScript developers check if they've been compromised by the Axios supply chain attack?
Auditing your package-lock.json or yarn.lock for the plain-crypto-JS dependency is the first concrete step β€” its presence is a strong indicator of infection. Beyond that, check your npm install logs for unexpected post-install script execution, since that's the mechanism the RAT likely used to establish itself. Fireship makes the critical point that simply deleting the malicious files is not sufficient remediation; any exposed credentials β€” especially AWS keys and OpenAI API keys β€” need to be rotated immediately, because the RAT had time to exfiltrate them before you noticed anything.
Why does rotating credentials matter more than just removing the malicious Axios package?
A RAT operates silently in the background, meaning any credentials it accessed β€” AWS keys, OpenAI API keys, environment variables β€” could have already been transmitted to an attacker-controlled server long before you detect or remove the package. Deleting the file removes future risk but does nothing about data already exfiltrated. Fireship is right to emphasize this: credential rotation is the remediation step most developers skip, and it's the one that actually closes the attack window.
Can npm's security model actually prevent this kind of supply chain attack?
This incident exposes a genuine structural weakness β€” npm doesn't alert downstream users when a package changes its publishing behavior, account, or pipeline in ways that should raise flags. The attack didn't exploit a vulnerability in npm's code; it exploited the ecosystem's implicit trust in maintainer accounts and the sheer automation of dependency installation. Stronger multi-factor enforcement on high-download packages and provenance attestation (which npm has been rolling out) would meaningfully raise the bar, but neither is universally enforced yet. (Note: the effectiveness of npm's current provenance tooling against this specific attack vector is still being evaluated by the security community.)

Based on viewer questions and search trends. These answers reflect our editorial analysis. We may be wrong.

βœ“ Editorially reviewed & refined β€” This article was revised to meet our editorial standards.

Source: Based on a video by Fireship β€” Watch original video

This article was created by NoTime2Watch's editorial team using AI-assisted research. All content includes substantial original analysis and is reviewed for accuracy before publication.

Related Articles

Apr 24

Is Smartphone Camera Computational Photography Hitting Its Limit?

Apr 15

AI safety alignment risks Anthropic's Mythos AI

Apr 11

NVIDIA DreamDojo Robot Learning AI: Bridging Sim-to-Real Gap