2026 Axios Supply Chain Attack: RAT Infects npm Library, Compromising Millions

A sophisticated remote access trojan (RAT) has been discovered in the Axios JavaScript library, compromising millions of developers. The attack exploited a compromised npm account to distribute malicious versions of the widely used HTTP client.

A sophisticated remote access trojan (RAT) has been discovered in the Axios JavaScript library, compromising millions of developers. The malicious payload, named AxiosBackdoor, was pushed through a compromised maintainer account and distributed via npm in versions 0.27.2 and 0.27.3 between March 28–30, 2026. Axios, used in over 100 million monthly downloads, is a critical HTTP client in JavaScript ecosystems—making this one of the most damaging supply chain breaches in npm history.

Timeline of the Attack

  • March 25, 2026: Attackers gained access to a former Axios maintainer’s account via credential stuffing.
  • March 28, 2026: Malicious versions 0.27.2 and 0.27.3 published to npm registry.
  • March 29, 2026: First reports of anomalous network traffic from developer machines.
  • March 30, 2026: Security researchers at StepSecurity.io confirmed the RAT payload.
  • March 31, 2026: npm revoked malicious versions; Axios released patch 0.27.4.

Verified Affected Versions

Only Axios versions 0.27.2 and 0.27.3 contain the RAT payload. Versions prior to 0.27.0 and after 0.27.4 are safe. Developers should immediately verify their package-lock.json or yarn.lock files for these versions.
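The lockfile check described above, as an added example that is not part of the original article or the Axios project. It covers package-lock.json (v1 tree and v2/v3 flat layout) and yarn.lock (classic and Berry); the function names and sample lockfiles are constructed for illustration.

```javascript
// Versions the article lists as carrying the payload.
const BAD_AXIOS = new Set(['0.27.2', '0.27.3']);

// package-lock.json: v2/v3 use a flat "packages" map keyed by install path,
// v1 a nested "dependencies" tree. Returns [{ where, version }].
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  const check = (where, meta) => {
    if (BAD_AXIOS.has(meta.version)) hits.push({ where, version: meta.version });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/axios$/.test(path)) check(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'axios') check(`${trail}${name}`, meta);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 repeats v1 data; avoid double hits
  return hits;
}

// yarn.lock: unindented "spec[, spec]:" header, then an indented version line
// (classic: version "x.y.z"; Berry: version: x.y.z).
function scanYarnLock(text) {
  const hits = [];
  let header = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const specs = line.slice(0, -1).replace(/"/g, '').split(',');
      header = specs.some((s) => s.trim().startsWith('axios@')) ? line.slice(0, -1) : null;
      continue;
    }
    const m = header && line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (m && BAD_AXIOS.has(m[1])) hits.push({ where: header, version: m[1] });
  }
  return hits;
}

// Constructed sample inputs, not taken from a real project.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  'node_modules/axios': { version: '0.27.2' },
  'node_modules/sdk/node_modules/axios': { version: '0.26.1' },
  'node_modules/axios-retry': { version: '0.27.3' } } });
const SAMPLE_YARN = 'axios@^0.27.0:\n  version "0.27.3"\nqs@^6.0.0:\n  version "6.11.0"';
console.log(scanPackageLock(SAMPLE_LOCK), scanYarnLock(SAMPLE_YARN));
```

To use it on a real project, pass the text of the lockfile to the matching function. The nested-path matching also catches copies pulled in transitively, which a top-level `npm list axios` can hide.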

How to Scan Your Projects

Run these commands to detect exposure:

npm list axios
npm audit
npx snyk test

Manually inspect node_modules/axios for obfuscated code patterns like new Function(), atob() with long strings, or unexpected network calls to domains ending in .cloudfront[.]net or .digitalocean[.]space.
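The manual inspection described above can be partly automated. This added example (not from the original article or the Axios project) applies the three patterns to file contents; the 200-character threshold, the rule names and the sample text are assumptions constructed here.

```javascript
// Patterns the article says to look for. Hits are leads for manual review:
// legitimate code also uses new Function() and CloudFront-hosted assets.
const RULES = [
  { id: 'new-function', re: /\bnew\s+Function\s*\(/ },
  // "Long" is an assumed threshold of 200 base64 characters in a string literal.
  { id: 'atob-long-literal', re: /\batob\s*\(\s*(['"`])[A-Za-z0-9+\/=]{200,}\1/ },
  // Host suffixes from the article, written without the defanging brackets.
  { id: 'flagged-host',
    re: /[a-z0-9-][a-z0-9.-]*\.(?:cloudfront\.net|digitalocean\.space)\b/i }
];

// Returns [{ file, line, rule }] for every rule that matches a line of `text`.
// Minified bundles are often a single line, so expect line 1 for those.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ file, line: i + 1, rule: id });
    }
  });
  return findings;
}

// Constructed sample content (harmless strings, not real malware).
const SAMPLE_SOURCE = [
  "var utils = require('./utils');",
  "var run = new Function('return this');",
  "var cfg = atob('" + 'QUJD'.repeat(60) + "');",
  "var short = atob('QUJD');",
  "var host = 'assets.example.cloudfront.net';"
].join('\n');

console.log(scanSource('lib/sample.js', SAMPLE_SOURCE));
```

Feed it the contents of each JavaScript file under node_modules/axios and compare any hits against a clean copy of the same release.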

How the RAT Was Injected into Axios

Attackers exploited weak credential hygiene in a legacy maintainer account, bypassing two-factor authentication (2FA) due to outdated session tokens. Once inside, they modified the build pipeline to inject a cross-platform RAT into the compiled output. The payload used environment detection to avoid sandboxed or containerized environments, targeting only production developer machines and CI/CD systems.

The malware activates on any require('axios') or import axios from 'axios' call. It gathers system metadata—including IP, hostname, installed packages, and environment variables—and exfiltrates it to a C2 server hosted on compromised cloud infrastructure. The RAT also scans adjacent directories for package.json files, attempting to inject itself into other local dependencies—a technique rarely seen in npm attacks.

Step-by-Step Protection for Developers

Follow these steps to secure your environment:

1. Immediately Reinstall Axios

npm uninstall axios
npm install axios@0.27.4

2. Audit Dependencies with npm Audit

Run npm audit and review all reported vulnerabilities. Use npm audit --json to integrate the results into CI pipelines.

3. Enforce Package Signing and Integrity

Use npm install --ignore-scripts temporarily while auditing. Enable npm signatures and verify package integrity with shasum -a 256 against official npm registry hashes.

4. Monitor for Indicators of Compromise (IOCs)

  • Outbound connections to .cloudfront[.]net or .digitalocean[.]space
  • Child processes spawned from node or npm outside build workflows
  • Unusual file modifications in node_modules/axios

5. Secure Your npm Account

Enable two-factor authentication (2FA) on all npm accounts. Use npm’s official 2FA guide and rotate all API tokens. Consider using StepSecurity’s GitHub Actions hardening for CI/CD pipelines.

This incident joins SolarWinds, Codecov, and the left-pad incident as a landmark case in open-source supply chain risk. Trust must be verified—not assumed. The Axios RAT attack proves that even the most trusted libraries can become vectors for large-scale compromise.
