Axios Supply Chain Compromise: Our Analysis and Response

A sophisticated supply chain attack targeting the popular Axios npm package has been discovered, affecting millions of JavaScript applications worldwide. Our team has conducted a thorough analysis of the compromise and is sharing our findings to help the community respond effectively.

What Happened

Attackers gained access to the npm publishing credentials of an Axios maintainer through a targeted phishing campaign. Using this access, they published a malicious version of the package that included a carefully obfuscated backdoor designed to exfiltrate environment variables and API keys from affected applications at build time.

The malicious code was embedded in the package's post-install script and executed silently during npm install, sending sensitive data to attacker-controlled infrastructure before the application ever ran in production.

Scope of Impact

The compromised versions were available on npm for approximately 72 hours before detection. Based on npm download statistics and our own analysis:

  • Approximately 1.2 million direct downloads of the compromised version occurred
  • Any project that ran npm install or yarn install during the window may have been affected
  • CI/CD pipelines were the highest-risk targets due to the presence of deployment secrets
  • The exfiltration targeted AWS_SECRET_ACCESS_KEY, DATABASE_URL, API_KEY, and similar environment variables

How We Detected It

One of our clients flagged unexpected outbound network activity during a routine code audit. Our team traced the traffic to the Axios post-install hook and immediately began reverse-engineering the obfuscated payload. Within hours, we had a complete understanding of the attack chain and reported it to the npm security team and the Axios maintainers.

Recommended Actions

If your organization uses Axios, take the following steps immediately:

  • Check your lockfile — verify which version of Axios is pinned in your package-lock.json or yarn.lock
  • Rotate all secrets — if you installed the compromised version, assume all environment variables and secrets from that environment are leaked
  • Audit CI/CD logs — review build logs for unexpected network activity during the install phase
  • Pin dependencies — use exact version pinning and enable npm audit in your CI pipeline
  • Implement lockfile verification — use npm ci instead of npm install in CI; it installs exactly what the lockfile records and fails if the lockfile and package.json disagree, preventing unintended version changes
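The lockfile check, exact-pin check and install-script check from the steps above, as an added example that is not code from the original post or from the Axios project. The lockfile and package.json objects are constructed samples, and the version numbers in them are placeholders, not the compromised release.

```javascript
// Added example, not code from the original post or the Axios project.
// The lockfile and package.json objects are constructed samples; the version
// numbers in them are placeholders, not the compromised release.

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.6.0" } },
    "node_modules/axios": { version: "1.6.2" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/axios": { version: "0.27.2" },
  },
};

// List every installed copy of `name`, from a v2/v3 lockfile ("packages" map)
// or a v1 lockfile ("dependencies" tree). Nested copies matter: a transitive
// dependency can pull in a different version than the top-level pin.
function findPackageVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// An exact pin has no range operator: "1.6.2" yes; "^1.6.0", "~1.6.0", "latest" no.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Lifecycle scripts npm runs automatically on install are the hook the
// backdoor used; listing them per package.json is a cheap first triage step.
function installScripts(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return ["preinstall", "install", "postinstall"].filter((k) => k in scripts);
}
```

Run findPackageVersions over your real package-lock.json (JSON.parse of the file) and installScripts over each node_modules/*/package.json to see which installed copies and which packages carry install hooks.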

Lessons Learned

This incident reinforces what our penetration testing engagements have shown repeatedly: supply chain security is one of the most underestimated attack vectors in modern software development. Organizations should treat dependency management as a critical security function, not just a developer convenience.

Need help assessing whether your infrastructure was affected? Contact our incident response team for immediate assistance.