T1195.001 Compromise Software Dependencies and Development Tools
98%
“hackers hijack axios npm package to spread rats threat actors have targeted an open source maintainer to hijack one of the most popular npm packages and spread remote access trojans (rats). axios is a javascript library downloaded over 100 million times a week and used as a dep…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“…son, yarn.lock, or pnpm-lock.yaml to see if plain-crypto-js, axios v1.14.1, or axios v0.30.4 are present - hunt for iocs across developer machines and ci/cd infrastructure - rotate credentials and remediate any exposed systems gtig has attributed this activity to …”
T1195.001 Compromise Software Dependencies and Development Tools
97%
“…js, lacking admin access, could not revoke jasonsaayman's permissions and had to escalate to npm administration, who removed the malicious versions and revoked all tokens approximately three hours after the attack began.” read more on npm attacks: new npm 'ghost campaign'…”
T1587 Develop Capabilities
87%
“hackers hijack axios npm package to spread rats threat actors have targeted an open source maintainer to hijack one of the most popular npm packages and spread remote access trojans (rats). axios is a javascript library downloaded over 100 million times a week and used as a dep…”
T1587 Develop Capabilities
65%
“…son, yarn.lock, or pnpm-lock.yaml to see if plain-crypto-js, axios v1.14.1, or axios v0.30.4 are present - hunt for iocs across developer machines and ci/cd infrastructure - rotate credentials and remediate any exposed systems gtig has attributed this activity to …”
T1587 Develop Capabilities
60%
“…js, lacking admin access, could not revoke jasonsaayman's permissions and had to escalate to npm administration, who removed the malicious versions and revoked all tokens approximately three hours after the attack began.” read more on npm attacks: new npm 'ghost campaign'…”
T1078 Valid Accounts
41%
“hackers hijack axios npm package to spread rats threat actors have targeted an open source maintainer to hijack one of the most popular npm packages and spread remote access trojans (rats). axios is a javascript library downloaded over 100 million times a week and used as a dep…”
Summary
Threat actors hijacked the popular npm package axios to spread RAT malware after compromising an open-source maintainer's account, researchers warn.