
Axios HTTP Client Package Compromise

Affected packages contain a malicious dependency designed to deploy remote access trojan malware




Affected platforms

The following platforms are known to be affected:

Axios HTTP client versions 0.30.4 and 1.14.1


Threat details

Introduction

Security researchers have identified a supply-chain compromise affecting specific versions of the Axios HTTP client package, a widely used HTTP client for Node.js and the browser.

The malicious dependency ([email protected]) was published at 23:59 UTC on 31 March 2026, containing malicious code intended to deploy remote access trojan (RAT) malware.

Versions 0.30.4 and 1.14.1 of the Axios package contain the malicious dependency, which masquerades as the file crypto-js. The dropper then contacts a C2 server and obtains second-stage payloads for macOS, Windows, and Linux operating systems. Finally, the script executes its own tidy-up sequence to remove any related forensic evidence.


Remediation advice

The NHS England National CSOC recommends impacted organisations review the "[email protected] and [email protected] are compromised" issue (#10604) on GitHub and follow the remediation steps detailed below.


Remediation steps

Type: Guidance
Step: Check your estate for Axios versions 0.30.4 and 1.14.1.
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan#am-i-affected

Type: Guidance
Step: Check CI/CD pipeline logs for any npm install executions that may have pulled [email protected] or [email protected]. Any pipeline that installed either version should be treated as compromised and all injected secrets rotated immediately.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan#am-i-affected
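
An added example, not part of the original alert: a Node.js check for the first remediation step that walks a parsed package-lock.json (the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and reports every axios entry pinned to 0.30.4 or 1.14.1, including transitive copies. The function name, the script name and the sample lockfiles (with the package `some-sdk`) are constructed for illustration.

```javascript
// Added example: flag the affected Axios versions in a parsed package-lock.json.
const AFFECTED = new Set(["0.30.4", "1.14.1"]); // versions named in this alert

// Returns [{ path, version }] for every axios entry pinned to an affected version.
function findAffectedAxios(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === "axios" && AFFECTED.has(meta.version)) hits.push({ path, version: meta.version });
  };

  // lockfileVersion 2/3: flat "packages" map keyed by install path. An aliased
  // install carries the real package name in "name", so prefer that field.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(meta.name || path.split("node_modules/").pop(), path, meta);
  }

  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists so that a v2 file (which carries both) is not counted twice.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (hypothetical project and package names).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.13.0" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  axios: { version: "0.30.4" },
  "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.27.2" } } },
} };

// CLI use (assumed script name): node check-axios.js path/to/package-lock.json
if ((process.argv[2] || "").endsWith(".json")) {
  import("node:fs").then((fs) => {
    const hits = findAffectedAxios(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
    hits.forEach((h) => console.log(`AFFECTED axios@${h.version} at ${h.path}`));
    process.exitCode = hits.length ? 1 : 0; // non-zero exit lets a CI job fail on a hit
  });
}
```

A lockfile only shows what is pinned now, so the CI/CD log review in the second step is still needed for installs that already ran.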

Last edited: 31 March 2026 2:04 pm