Axios npm package compromised in social engineering attack on maintainer
SEATTLE. Maintainers of Axios, one of the most widely used HTTP client libraries in JavaScript development, have published a detailed post-mortem describing a sophisticated social engineering campaign that compromised the package's npm distribution. Attackers deployed a fake Microsoft Teams error fix to hijack a maintainer account and inject malicious code into the widely depended-upon library.

The incident exposes vulnerabilities in open-source supply chains where individual maintainers control critical infrastructure serving millions of downstream projects. The attack vector involved convincing a developer to install purported troubleshooting software that instead harvested authentication credentials. Once inside the npm publishing pipeline, the attackers could have distributed compromised versions to unsuspecting developers worldwide.

The Axios team's disclosure provides unusual transparency for an industry where many similar incidents remain unreported or vaguely acknowledged. The library, downloaded more than 40 million times weekly, serves as a foundational dependency across web applications and services.

The compromise highlights persistent gaps in multi-factor authentication adoption and maintainer security training across the open-source ecosystem. Industry groups have renewed calls for platform-level security improvements from npm parent Microsoft, including mandatory hardware-based authentication for high-impact packages.
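A compromise of this kind ends with a freshly published malicious version sitting in the registry, so one defender-side control is to refuse lockfile entries whose resolved version is only hours old or lacks an integrity hash. The following is an added example, not code from the Axios project or from the article, that implements such a cooldown check against the `time` map of an npm registry metadata document; the lockfile fragment, registry metadata, package versions and dates are all constructed for illustration.

```javascript
// Added example: audit a package-lock.json (v3 "packages" map) against npm
// registry metadata ("time" maps version -> publish timestamp) and flag
// dependencies published inside a cooldown window or lacking an integrity
// hash. Sample data below is constructed; the versions are invented.

const COOLDOWN_DAYS = 7;

// Constructed package-lock.json v3 fragment.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/axios": {
      version: "9.9.9", // invented version number
      resolved: "https://registry.npmjs.org/axios/-/axios-9.9.9.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      // integrity deliberately omitted to exercise that check
    },
  },
};

// Constructed registry metadata; only the "time" map is consulted.
const SAMPLE_REGISTRY = {
  axios: { time: { "9.9.9": "2024-06-01T10:00:00.000Z" } },
  "left-pad": { time: { "1.3.0": "2018-04-01T00:00:00.000Z" } },
};

// Returns a list of findings; an empty list means every dependency passed.
function auditLockfile(lockfile, registry, now, cooldownDays = COOLDOWN_DAYS) {
  const findings = [];
  const cooldownMs = cooldownDays * 24 * 60 * 60 * 1000;
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    // Package name is whatever follows the last "node_modules/" (handles
    // nested and @scoped paths).
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, reason: "missing integrity hash" });
    }
    const published = registry[name]?.time?.[entry.version];
    if (!published) {
      findings.push({ name, version: entry.version, reason: "version not in registry metadata" });
      continue;
    }
    const ageHours = Math.floor((now.getTime() - Date.parse(published)) / 3600000);
    if (ageHours * 3600000 < cooldownMs) {
      findings.push({ name, version: entry.version, reason: `published ${ageHours}h ago, inside ${cooldownDays}-day cooldown` });
    }
  }
  return findings;
}
```

In a real pipeline the registry document would be fetched per package and the audit run as a CI gate before `npm ci`.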
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.