According to Feross Aboukhadijeh, co-founder of security-oriented firm Socket Security, there is an active supply chain on Axios, which is one of npm’s most depended-on packages.
NPM stands for Node Package Manager and is basically the world’s largest software registry, hosting more than two million packages of open-source JavaScript code. An argument can be made that it’s the backbone of modern Web3 development.
According to Feross, the latest [email protected] is currently pulling in [email protected], which is a package that did not exist before today, suggesting that it’s a live compromise.
This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analyiss confirms this is malware. Plain-crypto-js is an obfuscated dropper/loadre.”
The malicious software can perform a range of actions, including deleting and renaming artifacts post-execution to destroy forensic evidence, staging and copying payload files to the OS temp and Windows ProgramData directories, executing decoded shell commands, and more.
🚨 CRITICAL: Active supply chain attack on axios — one of npm’s most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios…
— Feross (@feross) March 31, 2026
The expert recommends that developers who use axios immediately pin their versions and audit their lockfiles, while refraining from any updates for the time being.