Embedded Malicious Code Affecting axios package, versions =1.14.1, =0.30.4


Severity: critical

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Attacked

  • Snyk ID: SNYK-JS-AXIOS-15850650
  • published: 31 Mar 2026
  • disclosed: 31 Mar 2026
  • credit: Unknown

Introduced: 31 Mar 2026

New | Malicious | CVE NOT AVAILABLE | CWE-506

How to fix?

Avoid using all malicious instances of the axios package.

Overview

axios is a promise-based HTTP client for the browser and Node.js.

Affected versions of this package are vulnerable to Embedded Malicious Code: they conceal a cross-platform remote access trojan (RAT), and their content was removed from the official package manager. A malicious actor compromised the npm account of a lead Axios maintainer and used it to manually publish tampered versions of Axios to npm. These malicious releases bypassed the normal CI/CD pipeline and injected a hidden dependency named plain-crypto-js.

Maintainer’s Notice

Axios maintainers provided additional details in a public GitHub issue.

RAT Behavior

The injected plain-crypto-js dependency automatically executes an obfuscated postinstall script (setup.js) that establishes communication with an external command-and-control server. The RAT checks the operating system and drops platform-specific payloads:

  • macOS: Drops a binary to /Library/Caches/com.apple.act.mond.
  • Windows: Drops a persistent executable to %PROGRAMDATA%\wt.exe and runs a PowerShell script.
  • Linux: Executes a Python script saved to /tmp/ld.py.

After execution, the malware deletes its setup.js script and replaces its own package.json with a clean stub to actively conceal evidence of the attack from post-infection inspection. If you find any of these persistent files or the node_modules/plain-crypto-js directory, you have been compromised and should no longer trust the system to be safe.
