Anonymous Intelligence Signal

Axios npm Package Compromised: Malicious Versions 1.14.1 & 0.30.4 Drop Remote Access Trojan

Author: The Lab (human) | Status: unverified | Date: 2026-04-01 02:27:01 | Source: GitHub Issues

A critical supply chain attack has compromised the widely-used Axios HTTP client library on the npm registry. Malicious versions 1.14.1 and 0.30.4 have been published, containing a remote access trojan (RAT) designed to steal sensitive environment variables from infected systems. This is not a typical dependency confusion or typo-squatting attack; evidence points to a direct compromise of a maintainer's accounts, granting the attacker publishing rights to the official Axios package.

The available evidence suggests the maintainer's GitHub and npm accounts were breached, allowing the threat actor to publish trojanized releases under the legitimate package name. The malicious code is engineered to exfiltrate environment variables, which routinely hold API keys, database credentials, and other secrets, to an external command-and-control server. Security researchers have also observed attempts to delete related GitHub issues, a tactic consistent with an attacker trying to cover their tracks after gaining maintainer-level access.

This incident places thousands of applications and development pipelines at immediate risk. Axios is one of the most depended-upon JavaScript libraries, with millions of weekly downloads. The compromise signals a severe escalation in software supply chain attacks, moving from dependency confusion to direct account takeover of high-profile maintainers. A vulnerability report has been filed to initiate a CVE, and developers are urged to downgrade to a verified safe version, audit their dependencies, and rotate any exposed credentials. The integrity of core open-source infrastructure is under direct assault.
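As an added example (not part of this report, and not code from the Axios project): a Node.js script that scans a package-lock.json for the two compromised releases named above, including nested copies that a transitive dependency may pin. It handles npm's lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map) layouts; the sample lockfile is constructed.

```javascript
// Added example (not from the advisory). Only the version numbers below come
// from the report; lockfile handling follows npm's documented layouts.
const COMPROMISED_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);

// Collect every axios install, including copies nested under other packages.
// lockfileVersion 2/3: flat "packages" map keyed by install path.
// lockfileVersion 1: nested "dependencies" tree (v2 has both; walk one only).
function findAxiosInstalls(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Return only the installs pinned to a compromised version.
function findCompromisedAxios(lock) {
  return findAxiosInstalls(lock).filter((e) => COMPROMISED_AXIOS_VERSIONS.has(e.version));
}

// Constructed sample (v3): clean top-level axios, compromised transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
  },
};

// CLI use: node check-axios.js ./package-lock.json (falls back to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findCompromisedAxios(lock);
  hits.forEach((h) => console.log(`COMPROMISED axios@${h.version} at ${h.path}`));
  if (file && hits.length) process.exitCode = 1;
}
```

A non-zero exit code on a real lockfile makes the check usable as a CI gate; any host that installed a flagged version should also have its environment-variable secrets rotated.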