Trojan Hidden in Key Internet Code Library Likely Affects Your Team

A recent supply-chain attack on the npm ecosystem targeted Axios, one of the most widely used JavaScript HTTP client libraries. The attackers used a long-lived npm access token belonging to an Axios lead maintainer to publish malicious versions of the library to the registry.

Details of the Attack

The stolen token was used to publish two trojanized Axios releases that delivered a remote access trojan (RAT). The malicious versions were live on the npm registry for about three hours before they were removed. Axios sees more than 100 million downloads per week and is present in roughly 80% of cloud and code environments, so even a three-hour window reaches a large number of installs.

Impacted Systems

  • Malicious packages targeted macOS, Windows, and Linux.
  • Initial infections were detected just 89 seconds after the packages went live.
  • At least 135 systems were confirmed compromised during this window.

The Mechanism of Compromise

The attacker took control of the npm account of @jasonsaayman, the Axios maintainer, changed the account's email address to an anonymous one, and published the malicious releases directly with the npm command-line interface. This bypassed the project's GitHub Actions CI/CD workflow, the normal path by which Axios releases are built and published.

Notably, the Axios source code itself was not modified. Instead, the published packages declared a new dependency, added to both release lines, and that dependency's post-install script deployed the RAT when the package was installed. Before publishing the malicious Axios versions, the attacker had published a seemingly clean version of another package to establish publishing credibility.

Previous Incidents and Takeaways

This incident marks the third significant npm supply chain breach in less than a year, all originating from stolen maintainer credentials. Past incidents include:

  • Shai-Hulud worm, September 2025, compromising over 500 packages.
  • Zero-day vulnerabilities affecting npm and related package managers, disclosed by Koi Security in January 2026.

Despite security enhancements such as OIDC (OpenID Connect) trusted publishing and SLSA provenance attestations, this attack exposes a critical weakness: a legacy long-lived token that remained valid alongside the newer controls. Provenance and CI-based publishing only help if older credentials that can still publish directly to the registry are revoked.

Recommendations for Developers

Organizations using Node.js should treat this incident as an active threat and take the following steps:

  • Determine whether the compromised Axios versions were installed anywhere during the window they were live, with particular attention to CI/CD pipelines, which install dependencies frequently and often hold deployment credentials.
  • Search lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and CI logs for the malicious versions and for the dependency they introduced.
  • Treat any system that installed a malicious version as compromised: rebuild it and rotate every credential it could reach.
  • Enforce strict installation policies, such as pinned lockfiles and running installs with scripts disabled (npm ci --ignore-scripts) where the project allows it, and verify package provenance before trusting a release.
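The lockfile search in the steps above, and the install-script mechanism described under "The Mechanism of Compromise", as an added example that is not from the original article or from the Axios project: a Node.js script that flattens an npm lockfile (lockfileVersion 1, 2 or 3), flags any pinned version that appears on a blocklist of known-bad releases, and lists every dependency that npm has marked with hasInstallScript, the flag it writes for packages that declare preinstall, install or postinstall hooks. The package names and versions in BLOCKLIST and SAMPLE_LOCKFILE are placeholders constructed for this example, not the real compromised versions; substitute the versions named in the advisory you are responding to.

```javascript
'use strict';

// Hypothetical blocklist: package name -> versions known to be malicious.
// PLACEHOLDER values; replace with the versions from the advisory.
const BLOCKLIST = {
  axios: ['0.0.0-bad-example'],
  'evil-dep-example': ['1.0.0'],
};

// Constructed sample lockfile in the lockfileVersion 3 layout: "packages" is keyed by
// the node_modules path of each installed package. npm sets "hasInstallScript": true
// on any entry whose package.json declares preinstall/install/postinstall scripts.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '0.0.0-bad-example' } },
    'node_modules/axios': {
      version: '0.0.0-bad-example',
      resolved: 'https://registry.npmjs.org/axios/-/axios-0.0.0-bad-example.tgz',
      dependencies: { 'evil-dep-example': '1.0.0' },
    },
    'node_modules/evil-dep-example': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/evil-dep-example/-/evil-dep-example-1.0.0.tgz',
      hasInstallScript: true, // a postinstall hook: code runs on every npm install
    },
    'node_modules/@example/harmless': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/@example/harmless/-/harmless-2.3.1.tgz',
    },
  },
};

// Flatten a parsed package-lock.json into [{ name, version, path, hasInstallScript }].
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by path; '' is the root project itself.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue;
      // The package name (including any @scope/) is whatever follows the last
      // "node_modules/" segment, so nested installs resolve correctly.
      const idx = key.lastIndexOf('node_modules/');
      const name = idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
      out.push({ name, version: meta.version, path: key, hasInstallScript: Boolean(meta.hasInstallScript) });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree; it carries no install-script flag, so only
    // blocklist matching is possible for these files.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ name, version: meta.version, path, hasInstallScript: false });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Packages whose pinned version is on the blocklist.
function findBlocked(lock, blocklist) {
  return listPackages(lock).filter((p) => (blocklist[p.name] || []).includes(p.version));
}

// Packages that will execute code at install time.
function findInstallScripts(lock) {
  return listPackages(lock).filter((p) => p.hasInstallScript);
}

function auditLockfile(lock, blocklist) {
  return { blocked: findBlocked(lock, blocklist), installScripts: findInstallScripts(lock) };
}

// To audit a real project, replace SAMPLE_LOCKFILE with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const report = auditLockfile(SAMPLE_LOCKFILE, BLOCKLIST);
for (const p of report.blocked) console.log(`BLOCKED  ${p.name}@${p.version}  (${p.path})`);
for (const p of report.installScripts) console.log(`SCRIPTS  ${p.name}@${p.version}  (${p.path})`);
```

Run it in each repository and CI workspace that may have installed Axios during the exposure window; a hit in the BLOCKED list means the host should be rebuilt and its credentials rotated, as the steps above describe. The SCRIPTS list is a standing review item independent of this incident: every entry is a package that runs arbitrary code on install, which is exactly the hook the attacker used, so it is worth knowing which of your dependencies have that capability and installing with scripts disabled in CI where possible.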

Final Thoughts

Credential compromise remains the recurring theme in npm attacks. Modern authentication methods have raised the bar, but as long as a single maintainer account, or a forgotten token tied to it, can publish directly to the registry, every downstream project inherits that account's risk. Developers should adopt stronger authentication, revoke long-lived tokens, and add their own controls for verifying the dependencies they install.