TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Truesec

Malicious Axios Packages Published to npm in New Supply Chain Compromise

Hjalmar Desmond · 2026-03-31

ATT&CK techniques detected

7 predictions
T1195.001 Compromise Software Dependencies and Development Tools
97%
“malicious axios packages published to npm in new supply chain compromise the malicious axios versions do not contain malicious code within the axios source itself. instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported by axios. its sole…”
T1195.001 Compromise Software Dependencies and Development Tools
91%
“products axios@1.14.1 axios@0.30.4 recommended actions uninstall compromise packages or pin to known-good versions: axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch). until patched releases are verified. truesec recommends that you disable “postinsta…”
T1195.001 Compromise Software Dependencies and Development Tools
87%
“##ages.npm.org/product1 c2 post body — linux packages.npm.org/product2 file system indicators [1] macos /library/caches/com.apple.act.mond windows (persistent) %programdata%\wt.exe windows (temp, self-deletes) %temp%\6202033.vbs windows (temp, self-…”
T1078 Valid Accounts
65%
“##ages.npm.org/product1 c2 post body — linux packages.npm.org/product2 file system indicators [1] macos /library/caches/com.apple.act.mond windows (persistent) %programdata%\wt.exe windows (temp, self-deletes) %temp%\6202033.vbs windows (temp, self-…”
T1587 Develop Capabilities
46%
“malicious axios packages published to npm in new supply chain compromise the malicious axios versions do not contain malicious code within the axios source itself. instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported by axios. its sole…”
T1587 Develop Capabilities
43%
“##ages.npm.org/product1 c2 post body — linux packages.npm.org/product2 file system indicators [1] macos /library/caches/com.apple.act.mond windows (persistent) %programdata%\wt.exe windows (temp, self-deletes) %temp%\6202033.vbs windows (temp, self-…”
T1071.001 Web Protocols
41%
“for all mdr customers, specifically for domains, urls, ips and file hashes. compromised packages [1] axios@1.14.1 shasum: 2553649f2322049666871cea80a5d0d6adc700ca axios@0.30.4 shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 plain-crypto-js@4.2.1 shasum: 07d889e2d…”

Summary

The malicious axios versions do not contain malicious code within the axios source itself. Instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported /../

The post Malicious Axios Packages Published to npm in New Supply Chain Compromise appeared first on Truesec.