A sophisticated supply chain attack has compromised Axios, a widely used JavaScript library, posing a significant security threat to millions of cryptocurrency applications. Security researchers from Socket Security and StepSecurity discovered that hackers injected malware into specific versions of the library published on the npm registry.
The attack targeted versions axios@1.14.1 and axios@0.30.4, which were published using compromised credentials belonging to a lead Axios maintainer, @jasonsaayman. The malicious versions were active on npm for approximately three hours before being unpublished. Crucially, the release bypassed the normal GitHub publishing pipeline and did not appear in official GitHub tags, indicating unauthorized access to the publishing system.
The compromised packages included a hidden dependency called plain-crypto-js@4.2.1, which is not part of Axios's legitimate source code. This dependency executes a post-install script that deploys a Remote Access Trojan (RAT) dropper across macOS, Windows, and Linux systems. The malware is designed to run commands, collect data, connect to external servers, and then delete traces of its activity to evade detection.
Axios is a top-10 npm package with up to 300 million weekly downloads, making the attack's potential reach enormous. Crypto applications are particularly exposed, since they frequently rely on Axios for communication between wallets, exchanges, decentralized apps (dApps), and servers. The attack could expose sensitive data including private keys, API tokens, and user information.
While no unauthorized crypto movements have been reported yet, security experts warn that the attack vector is especially risky for decentralized projects with large team holdings. The incident follows a similar malicious code injection in the LiteLLM package just a week prior, raising concerns that npm attacks are becoming more common and sophisticated.
Researchers also identified two additional malicious packages delivering payloads in the same manner: @shadanai/openclaw and @qqbrowser/openclaw-qbot. The npm registry has removed the harmful Axios versions, but the incident underscores the fragility of software supply chains in the crypto ecosystem. Developers are urged to immediately check dependencies, remove affected versions, switch to safe Axios releases, and review systems for unusual activity.