Axios NPM package hit by sophisticated supply chain attack affecting 300M weekly downloads
Mar 31, 2026
Key Points
- Attackers compromised Axios, a foundational npm package with roughly 300 million weekly downloads, by stealing a maintainer's npm credentials and publishing versions carrying malware that gives them full access to any system that installs it; more than 173,000 packages depend on Axios.
- The malware is a multi-stage dropper that was staged for hours before execution, carries separate payloads for Windows, macOS and Linux, steals API and SSH keys, and deletes its own artifacts to frustrate forensics.
- Socket Security recommends pinning the Axios version immediately and auditing lock files rather than upgrading, because the compromised package sits at a critical chokepoint in the JavaScript dependency graph that reaches nearly every web application.
Summary
A sophisticated supply chain attack has poisoned Axios, one of the most widely used packages in the npm registry, with roughly 300 million weekly downloads. The attackers stole a lead maintainer's npm login credentials, changed the account's email address to an anonymous ProtonMail account, and manually published malicious versions, bypassing the project's normal release and security checks.
The malware is a dropper loader referred to as Crypto JS. It de-obfuscates embedded payloads at runtime, resolves the functions it calls dynamically to evade static analysis, executes shell commands, stages payload files in the OS temp directory and in Windows system directories, and deletes those artifacts afterwards to destroy forensic evidence. Once installed it gives the attackers full control of the affected system, where it can steal API keys and SSH keys and be used to cause broader infrastructure damage.
The attack shows unusual precision. The attackers staged the malware for at least 18 hours before it executed, built separate variants for Windows, macOS and Linux to maximize reach, and poisoned both the current release line and an older release within 39 minutes of each other.
Axios is the HTTP client behind a vast number of web and mobile JavaScript applications, and more than 173,000 other npm packages depend on it. Socket Security, which detected the attack, recommends pinning your Axios version and auditing lock files rather than upgrading to whatever the registry currently serves.
The attack appears aimed at high-value victims, with ransomware as a likely follow-on. A company, Mercor, was identified as a probable target, though details remain sparse. The broader risk is that Axios sits at a chokepoint in the JavaScript dependency graph: any developer or build system that pulled the latest version during the exposure window unknowingly introduced the compromised package into its build pipeline, cloud infrastructure, or local environment.