Two malicious Axios npm releases have prompted urgent warnings for developers after a supply chain compromise injected malware into a widely used JavaScript HTTP client.
Security firm Socket found that [email protected] and [email protected] were altered to include a newly published dependency, [email protected], which was later identified as malicious. That injected package ran automatically during installation via a post-install script, allowing attackers to execute code on developer systems without further interaction. The compromised Axios releases were removed from npm after discovery.
OX Security warned the modified Axios code can grant attackers remote access to infected machines and enable theft of sensitive data including login credentials, API keys and cryptocurrency wallet information. The incident underscores how a single compromised open-source component can propagate risk across thousands of projects that depend on it, affecting developers, platforms and end users.
Security firms advise immediate remediation. OX Security recommends treating any environment that installed [email protected] or [email protected] as fully compromised and rotating all credentials, including API keys and session tokens. Socket urges developers to search project dependency files and lockfiles for those Axios versions and for [email protected], and to remove or roll back compromised packages immediately.
Developers should also audit build and CI pipelines, compare the installed dependency tree against the committed lockfile, and look for unexpected additions or install-time hooks (preinstall, install and postinstall scripts), since that is the mechanism the injected package used to run without any further interaction. Revoke any secrets that may have been exposed. Where possible, restore from trusted backups or rebuild environments from known-good sources. Monitoring for unusual outbound connections and anomalous credential usage is recommended while investigations continue.
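The lockfile search and install-script audit described above, as an added example that is not code from the article, from Socket or from OX Security. It walks an npm package-lock.json (lockfileVersion 1 nested "dependencies", or the flat "packages" map of versions 2 and 3), reports any package matching a name-and-version list, and lists every dependency that npm has recorded as carrying an install-time script ("hasInstallScript": true, which npm writes only in lockfileVersion 2 and later). The target versions and the lockfile contents below are constructed for the demonstration; take the real version numbers from the vendor advisories.

```javascript
'use strict';
// Added example: scan an npm lockfile for named package versions and for
// dependencies that declare install-time scripts. Not code from the article.

// Derive the package name from a lockfile "packages" key such as
// "node_modules/axios" or "node_modules/axios/node_modules/@scope/pkg".
function nameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

// Yield every installed package recorded in the lockfile.
// lockfileVersion 2/3 carry a flat "packages" map; version 1 nests "dependencies".
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project itself
      yield {
        path: key,
        name: nameFromKey(key),
        version: entry.version,
        hasInstallScript: entry.hasInstallScript === true,
      };
    }
    return;
  }
  function* walkV1(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      // v1 lockfiles do not record install scripts, so the flag is always false here.
      yield { path, name, version: entry.version, hasInstallScript: false };
      yield* walkV1(entry.dependencies, `${path}/`);
    }
  }
  yield* walkV1(lock.dependencies, '');
}

// targets: { [packageName]: [badVersion, ...] }
// Returns the entries that match a target and the entries with install scripts.
function scanLockfile(lock, targets) {
  const matches = [];
  const installScripts = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = targets[pkg.name];
    if (bad && bad.includes(pkg.version)) matches.push(pkg);
    if (pkg.hasInstallScript) installScripts.push(pkg);
  }
  return { matches, installScripts };
}

// Hypothetical versions for the demonstration only (assumption, not the real
// compromised releases). Substitute the versions named in the advisories.
const EXAMPLE_TARGETS = { axios: ['1.99.0'], 'injected-dep': ['0.0.1'] };

// Constructed lockfileVersion 3 sample; not a real project's lockfile.
// 'injected-dep' stands in for the malicious dependency added to the
// compromised releases; 'esbuild' shows a legitimate package that also
// declares an install script, so the second list needs human review.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '^1.0.0' } },
    'node_modules/axios': { version: '1.99.0', dependencies: { 'injected-dep': '0.0.1' } },
    'node_modules/injected-dep': { version: '0.0.1', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Demo run on the constructed sample. For a real project, pass
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) instead.
const demo = scanLockfile(SAMPLE_LOCK, EXAMPLE_TARGETS);
for (const m of demo.matches) {
  console.log(`COMPROMISED ${m.name}@${m.version} at ${m.path}`);
}
for (const s of demo.installScripts) {
  console.log(`install-time script: ${s.name}@${s.version}`);
}
```

Run it against a checked-out lockfile as part of the CI audit, and cross-check the resolved version with `npm ls axios`. The install-script list is a review queue, not a verdict: native-addon packages legitimately use those hooks, which is why the advice to minimise install-time scripts matters; running `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in the project's `.npmrc`) keeps a newly injected postinstall hook from executing on developer and build machines until someone has looked at it.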
This incident follows a string of supply chain breaches that have affected the crypto ecosystem. On Jan. 3, onchain investigator ZachXBT reported hundreds of EVM-compatible wallets were drained in an attack that took small amounts from many victims. Researcher Vladimir S. suggested that activity may be connected to a December breach affecting Trust Wallet, which reportedly led to roughly $7 million in losses across more than 2,500 wallets. Trust Wallet later indicated the issue may have originated from a supply chain compromise involving npm packages used in its development workflow.
Given the broad reach of popular libraries like Axios, maintainers and consumers should prioritize dependency hygiene: lockfile verification, reproducible builds, minimal install-time scripts, and stronger controls around developer credentials and package publishing. Immediate, coordinated remediation and credential rotation remain the most important steps for teams that may have pulled the compromised releases.
This rewrite follows Cointelegraph’s original reporting. Readers should verify details independently and consult official advisories from npm, their security teams, and the vendors cited.