Which axios versions are affected by the npm supply chain attack?

The affected versions are axios@1.14.1 and axios@0.30.4, both published on March 31, 2026. Safe versions to downgrade to are axios@1.14.0 (for 1.x users) and axios@0.30.3 (for 0.x users).

How do I check if my project was affected by the axios npm attack?

Run: grep -E '"axios"' package-lock.json | grep -E '1\.14\.1|0\.30\.4' to check your lockfile. Also check whether the directory node_modules/plain-crypto-js/ exists — its presence alone means the dropper executed, regardless of what version package.json now reports.

What should I do if I installed a malicious version of axios?

Do not attempt to clean the machine in place. Rebuild from a known-good state and immediately rotate all credentials accessible from the affected machine: npm tokens, SSH keys, AWS access keys, cloud credentials (GCP, Azure), CI/CD secrets, and any values in .env files accessible at install time. Review CI/CD pipeline logs for runs between 00:21 and 03:15 UTC on March 31, 2026.

How can I prevent npm supply chain attacks in my CI/CD pipeline?

Key controls include: running npm ci --ignore-scripts to prevent postinstall hooks from executing in automated builds; pinning exact dependency versions in your lockfile rather than using floating ranges; removing or rotating long-lived npm access tokens when OIDC Trusted Publishing is configured; and monitoring for unexpected outbound network connections from build environments.

Author at Infinum

A low-poly wooden Trojan horse standing in shadow, partially illuminated by a diagonal beam of light — a visual metaphor for hidden malware delivered through a trusted package.

The Axios npm Attack: What It Means for Every JavaScript Project

axios is the JavaScript library most apps use to talk to the internet. On March 31, two malicious versions were quietly published to npm — and anyone who ran npm install during a three-hour window may have a remote access trojan on their machine. Full technical breakdown inside.

Illustration of Android security layers showing anti-root, anti-hook, and anti-debug protection mechanisms

Understanding & Defeating Android Protections

Discover how hackers bypass Android root detection, anti-hooking, and anti-debug protections with real code examples and penetration testing techniques to strengthen your mobile security knowledge.

Silhouette of a person in front of a glowing red screen displaying lines of code, illustrating the security risks of AI-generated code

Is AI-Generated Code Secure? What Business Leaders Need to Know About AI and Application Security

We asked AI to build three web apps with different levels of security guidance, then tried to break them. Here’s what we found.

Row of humanoid robots working at computers, illustrating automated AI-generated code development and the security risks of vibe-coded applications

Security Gaps in Vibe-Coded Applications

An evaluation of AI-generated code security found that while detailed security prompts lead to improved outcomes, consistent vulnerabilities and gaps remain even with strict guidance.

OpenClaw: Viral AI Sidekick That Puts You and Your Data at Risk

OpenClaw showcases how powerful “local-first” AI agents can be, but it also shows how quickly convenience can turn into a security liability.