The axios npm supply chain attack

On March 31, 2026, a compromised maintainer account was used to publish malicious versions of axios, one of the most widely used HTTP clients on npm. The poisoned versions were live for roughly three hours before they were removed from the registry: long enough to reach any build that resolved a fresh version in that window.

What happened

The attacker did not find a bug in axios. They gained control of a maintainer's publishing access and pushed new, poisoned releases to the npm registry under the legitimate package name. Because npm resolves a version range to the newest matching version at install time, every project with a loose range (a caret range, for example) that installed without a lockfile, added or updated the dependency, or otherwise refreshed its resolution during that window risked pulling the malicious release straight into node_modules. A committed lockfile installed with npm ci pins the previously resolved version and would not have picked up the new one on its own, which is why the exposure concentrates in fresh installs, manual updates and automated dependency bumps.

This is the recurring shape of modern supply chain attacks: not a vulnerability in the code you chose, but a hostile new version of it, published for a short time and relying on automation to spread before anyone notices. The same shape appeared with ua-parser-js (hijacked versions live for about four hours in October 2021) and node-ipc (March 2022, where the hostile versions came from the package's own maintainer rather than a stolen account, and were caught within days).

The settings that would have helped

A three-hour exposure window is exactly what a dependency cooldown is designed to defeat.

  • Dependency cooldown (minimum release age). If your package manager is told to ignore versions younger than, say, seven days, it would have refused the poisoned axios release entirely: resolution falls back to the newest version that is old enough, and the malicious version was pulled from the registry long before a 7-day quarantine would have let it through. The age is measured from the publish timestamp the registry records for each version, not from when your build first saw it. Against short-lived attacks like this one, it is the single most effective control.
  • Blocking install scripts (ignore-scripts). Many npm payloads run from a package's preinstall, install or postinstall lifecycle script, so the code executes as a side effect of the install itself, with no call from your application at all. Disabling automatic script execution (the ignore-scripts setting in npm) stops that stage even if the malicious files land on disk. Two caveats: packages that legitimately need a build step, native addons for example, then have to be allow-listed or built explicitly, and a payload placed in the module's entry point still runs the moment your code requires it, so this control complements a cooldown rather than replacing it.

A cooldown is not a cure-all: it does not help against malicious code that goes undetected for longer than the quarantine window, and it delays legitimate security fixes by the same amount, so use an exclusion for packages you need to update urgently where your package manager supports one. But against fast-response incidents, where the registry, the community or automated scanners catch and remove a bad version within hours or days, it is decisive.
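As an added illustration (not part of the original page, and not the resolver of npm, pnpm, yarn or DepsGuard), the following script shows the resolution rule a cooldown imposes. It takes a registry packument of the kind the npm registry returns, whose time field maps each version to its publish timestamp, and picks the newest version matching a caret range that is at least the configured number of days old. The package name, versions and timestamps are constructed for the example; the release published three hours before "now" stands in for the poisoned axios version in the scenario above.

```javascript
// Added example: how a dependency cooldown (minimum release age) changes
// version resolution. Illustrative code, not the resolver of any package manager.

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "x.y.z" into numbers; prerelease and build tags are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal caret-range check: "^a.b.c" matches the same major at or above a.b.c (major > 0).
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges are supported in this example');
  const base = range.slice(1);
  const pv = parseVersion(version), pb = parseVersion(base);
  if (!pv || !pb) return false;
  return pv[0] === pb[0] && compareVersions(version, base) >= 0;
}

// packument.time is the registry's map of version -> publish timestamp (ISO 8601).
// It also carries "created" and "modified" keys, which are not versions and are skipped.
function resolveWithCooldown(packument, range, cooldownDays, now = Date.now()) {
  const minAgeMs = cooldownDays * DAY_MS;
  const candidates = Object.entries(packument.time)
    .filter(([key]) => parseVersion(key) !== null)
    .filter(([version]) => satisfiesCaret(version, range))
    .filter(([, publishedAt]) => now - Date.parse(publishedAt) >= minAgeMs)
    .map(([version]) => version)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Constructed packument for a hypothetical package; name, versions and timestamps are invented.
const NOW = Date.parse('2026-04-01T00:00:00Z');
const samplePackument = {
  name: 'example-http-client',
  time: {
    created: '2025-01-01T00:00:00Z',
    modified: '2026-03-31T21:00:00Z',
    '1.7.0': new Date(NOW - 30 * DAY_MS).toISOString(),
    '1.7.1': new Date(NOW - 10 * DAY_MS).toISOString(),
    // Published 3 hours ago: plays the role of the poisoned release in this scenario.
    '1.7.2': new Date(NOW - 3 * 60 * 60 * 1000).toISOString(),
    '2.0.0': new Date(NOW - 20 * DAY_MS).toISOString(),
  },
};

function demo() {
  return {
    noCooldown: resolveWithCooldown(samplePackument, '^1.7.0', 0, NOW),
    sevenDayCooldown: resolveWithCooldown(samplePackument, '^1.7.0', 7, NOW),
    // Ten days later the same cooldown no longer protects, if the version is still in the registry.
    tenDaysLater: resolveWithCooldown(samplePackument, '^1.7.0', 7, NOW + 10 * DAY_MS),
  };
}

console.log(demo());
```

Running it prints which version each policy chooses: with no cooldown the three-hour-old release wins, with a seven-day cooldown the resolver falls back to the ten-day-old release, and once the same cooldown is evaluated ten days later the formerly quarantined version passes, which is the limitation described above for payloads that stay unnoticed longer than the window.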

Harden your setup

DepsGuard checks whether a cooldown and install-script blocking are configured for the package managers you actually have installed, and turns on the ones that are missing, with a diff preview and a backup before any change.

Source

axios#10636: compromised releases (github.com/axios/axios)