Two malicious Axios npm releases have led to urgent warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack altered the popular JavaScript HTTP client.
Cybersecurity firm Socket reported that [email protected] and [email protected] were modified to include [email protected], a dependency published shortly before the incident and later identified as malicious. The injected package executed automatically during installation via a post-install script, enabling attackers to run code on systems without further user interaction. The affected releases were removed from npm after discovery.
OX Security said the altered Axios code can give attackers remote access to infected devices, allowing theft of sensitive data such as login credentials, API keys and crypto wallet information. The incident highlights how a single compromised open-source component can ripple across thousands of applications and services that depend on it, exposing developers, platforms and end users.
Security firms are urging immediate remediation. OX Security recommended treating any system that installed [email protected] or [email protected] as fully compromised and rotating all credentials, including API keys and session tokens. Socket advised developers to review project dependency files for those Axios versions and for [email protected], and to remove or roll back compromised versions immediately.
Earlier supply chain incidents in the crypto space show how such breaches can escalate from stolen developer credentials to user-facing losses. On Jan. 3, onchain investigator ZachXBT reported that hundreds of EVM-compatible wallets were drained in an attack that siphoned small amounts from many victims. Researcher Vladimir S. suggested the activity may be linked to a December breach affecting Trust Wallet, which reportedly resulted in roughly $7 million in losses across more than 2,500 wallets. Trust Wallet later indicated the breach may have originated from a supply chain compromise involving npm packages used in its development workflow.
Developers should audit build and CI pipelines, check lockfiles and package histories for unexpected dependency additions or post-install scripts, and revoke or rotate any exposed secrets. Where possible, restore from trusted backups or rebuild environments from known-good sources. Monitoring for unusual outgoing connections and credential use is also recommended while investigations continue.
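The lockfile check described above can be scripted. The following is an added example, not code from Socket, OX Security or the Axios project: it flags denylisted `name@version` pairs, packages that declare install scripts, and dependencies absent from a known-good baseline lockfile. It assumes a `package-lock.json` with lockfileVersion 2 or 3 (where npm records `hasInstallScript`), and all package names and versions in the sample data are constructed placeholders.

```javascript
// Map a lockfile key such as "node_modules/a/node_modules/@s/b" to "@s/b".
function pkgName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Flatten the lockfile's "packages" map into simple records.
function entries(lock) {
  return Object.entries(lock.packages || {})
    .filter(([key]) => key !== "") // "" is the root project itself
    .map(([key, meta]) => ({
      name: pkgName(key),
      version: meta.version,
      path: key,
      hasInstallScript: meta.hasInstallScript === true,
    }));
}

// denylist: "name@version" strings copied from a vendor advisory.
// baseline (optional): a parsed lockfile from a known-good commit.
function auditLockfile(lock, denylist, baseline) {
  const bad = new Set(denylist);
  const known = new Set(baseline ? entries(baseline).map((e) => e.name) : []);
  const findings = [];
  for (const e of entries(lock)) {
    if (bad.has(`${e.name}@${e.version}`)) findings.push({ ...e, reason: "denylisted" });
    if (e.hasInstallScript) findings.push({ ...e, reason: "install-script" });
    if (baseline && !known.has(e.name)) findings.push({ ...e, reason: "new-dependency" });
  }
  return findings;
}

// Constructed sample data: names and versions are placeholders, not real IoCs.
const BASELINE = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/http-client-x": { version: "1.0.0" },
} };
const CURRENT = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/http-client-x": { version: "1.0.1" },
  "node_modules/http-client-x/node_modules/injected-dep-x": { version: "9.9.9", hasInstallScript: true },
} };
const DENYLIST = ["http-client-x@1.0.1", "injected-dep-x@9.9.9"];

const SAMPLE_FINDINGS = auditLockfile(CURRENT, DENYLIST, BASELINE);
console.log(SAMPLE_FINDINGS.map((f) => `${f.reason}: ${f.name}@${f.version}`).join("\n"));
```

For a real project, pass the parsed contents of the current `package-lock.json` and of the same file from the last trusted commit. Install-script findings need manual review, since some legitimate packages also declare them.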
Cointelegraph is committed to independent, transparent journalism. This article follows Cointelegraph’s Editorial Policy; readers should verify information independently. Read the Editorial Policy at https://cointelegraph.com/editorial-policy.
