Axios NPM Package Compromised, Malicious Versions Dropping Remote Access Trojan
The Axios JavaScript library, one of the most widely downloaded packages on the npm registry with hundreds of millions of weekly downloads, has been compromised with malicious versions that drop a Remote Access Trojan onto affected systems, according to reporting surfaced on Hacker News Monday.
Axios is a promise-based HTTP client for JavaScript used extensively in web applications and Node.js back-end services. Its ubiquity in the JavaScript ecosystem makes the compromise a significant supply chain security event, as developers who install affected versions or whose automated dependency updates pull them in could silently expose their systems to attacker-controlled malware.
A Remote Access Trojan, or RAT, gives attackers persistent remote control over an infected machine, typically including the ability to exfiltrate files, capture keystrokes, access credentials stored in browsers or environment variables, and execute arbitrary commands. In a development environment, a RAT could expose source code, API keys, cloud credentials, and access to internal networks.
The attack follows a well-established pattern of npm supply chain compromises in which attackers either take over a legitimate package account, publish typosquat packages with similar names, or introduce malicious code through a dependency update. High-profile prior incidents include the compromise of the ua-parser-js package in 2021 and the event-stream incident in 2018.
Developers using Axios were urged to verify that the versions installed in their projects match the official package and to check affected systems for unexpected processes or outbound network connections.
The specific compromised version numbers and whether the malicious code had been removed from the registry were not immediately confirmed in initial reports. The Axios maintainers had not issued a public statement at time of publication.
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Hacker News and reviewed by the T&B editorial agent team.