
Supply Chain Attack in 2026: Malicious plain-crypto-js Compromises Axios NPM (100M Weekly Downloads)

A critical supply chain attack has compromised the Axios NPM package, widely used in JavaScript applications with over 100 million weekly downloads. Malicious code was injected via a newly published dependency, stealing credentials and deploying remote access trojans.


A critical supply chain attack in 2026 compromised the Axios NPM package, which sees over 100 million weekly downloads, through a malicious dependency named plain-crypto-js. The attackers used a leaked npm authentication token to publish fraudulent versions (1.14.1 and 0.30.4) directly to the registry, bypassing the project's GitHub release process entirely, so the versions appeared on npm with no corresponding GitHub release. The incident highlights the growing threat of leaked npm tokens and unauthorized package publishing in open-source ecosystems.

How plain-crypto-js Works: The Malicious Dependency Explained

The plain-crypto-js package masqueraded as a legitimate cryptographic utility, but it executed hidden scripts at installation time, through the install lifecycle hooks (preinstall, install, postinstall) that npm runs automatically. Simply installing a version of Axios that depended on it was enough to trigger the payload; no application code ever had to import it. These scripts harvested sensitive data including:

  • Environment variables (API keys, database credentials)
  • Browser cookies and localStorage
  • npm tokens and SSH keys from development machines

In addition, it deployed a remote access trojan (RAT) that established persistent backdoor access, enabling attackers to remotely execute commands, exfiltrate files, and pivot to internal networks from the compromised developer or CI machine.

How the Attack Unfolded: A Timeline

  • March 15, 2026: Attackers obtained a long-lived npm token via credential leakage from a compromised CI/CD pipeline.
  • March 18, 2026: Malicious versions 1.14.1 and 0.30.4 of Axios were published to npm — with no corresponding GitHub releases.
  • March 20, 2026: Security researchers detected anomalous behavior in dependency trees and flagged plain-crypto-js.
  • March 22, 2026: Axios maintainers yanked the compromised versions and issued an emergency advisory.

Steps to Protect Your NPM Projects

Follow these critical actions to secure your supply chain:

  1. Upgrade immediately: use Axios v1.14.2 or later. All compromised versions have been unpublished, so a fresh install will not fetch them, but existing lockfiles and caches may still pin them.
  2. Enable Two-Factor Authentication (2FA) on all npm accounts and GitHub repositories.
  3. Rotate all long-lived npm tokens, including any stored as CI/CD secrets, and switch to Trusted Publishing via GitHub Actions.
  4. Audit dependencies: run npm audit or use Snyk, Dependabot, or npm's new Package Security dashboard.
  5. Monitor for red flags: any package version that appears on the registry without a matching GitHub release or tag should trigger an alert.

Why This Attack Matters: The Bigger Picture of Open-Source Security

The Axios incident is not isolated; it mirrors recent attacks on LiteLLM and other high-traffic packages. With over 2.1 million packages on npm, attackers target the most depended-upon libraries to maximize impact. Without robust integrity controls, even trusted libraries become vectors for compromise. Experts urge adoption of the SLSA framework and SBOM (Software Bill of Materials) generation to track dependencies end-to-end.

FAQ: Axios NPM Supply Chain Attack in 2026

Is Axios still safe to use?

Yes. Versions 1.14.2 and later are unaffected. Verify which version you actually have installed with npm list axios, check your lockfile as well, and upgrade if needed.

How do I check for malicious dependencies like plain-crypto-js?

Run: npm ls plain-crypto-js, and search package-lock.json for the package name, since the lockfile records nested dependencies that a shallow listing can miss. If it appears, remove node_modules, clear the npm cache with npm cache clean --force, and reinstall from a lockfile that pins a clean Axios version. Because the malicious package ran at install time, also treat any credentials present on that machine (environment variables, npm tokens, SSH keys) as exposed and rotate them. Use Snyk or npm audit for automated detection.

What is npm Trusted Publishing?

Trusted Publishing restricts package uploads to a specific, pre-registered CI workflow (such as a GitHub Actions workflow in the project's repository), which authenticates to npm with a short-lived OIDC token minted for that run rather than a stored long-lived npm token. A leaked token therefore no longer grants publish rights, which is precisely the failure that enabled this attack. Axios maintainers are actively advocating for its adoption industry-wide.
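A minimal GitHub Actions workflow for Trusted Publishing looks like the following. This is an added example, not the Axios project's own workflow: the filename publish.yml, the tag-based trigger and the Node version are assumptions, and the workflow only works once the same repository, workflow filename and (optional) environment have been registered as a trusted publisher in the package's settings on npmjs.com. Note that no NODE_AUTH_TOKEN secret appears anywhere; the `id-token: write` permission is what lets the job obtain the OIDC token that npm exchanges for publish access.

```yaml
# .github/workflows/publish.yml  (added example; filename and trigger are assumptions)
name: Publish to npm via Trusted Publishing

on:
  push:
    tags:
      - "v*"          # publish only from a pushed release tag

permissions:
  contents: read
  id-token: write     # required: lets the job request an OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"

      # Trusted Publishing needs a recent npm CLI (11.5.1 or later).
      - run: npm install -g npm@latest

      - run: npm ci

      # No token is configured: npm authenticates with the workflow's OIDC
      # identity and attaches provenance linking the package to this run.
      - run: npm publish
```

Consumers can then run `npm audit signatures` to confirm that the installed tarball carries a provenance attestation tied to the project's repository and workflow, which is exactly the link that a token-based publish from an attacker's machine cannot produce.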

As open-source reliance grows, securing the supply chain isn't optional; it's foundational. The 2026 Axios attack is a wake-up call: verify, monitor, and automate security before it's too late.
