Update March 31, 2026, 1:28 pm UTC: This article has been updated to add comments from Abdelfattah Ibrahim, senior offensive security engineer at Hacken.
Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library.
The compromise was first reported by cybersecurity company Socket, which said axios@1.14.1 and axios@0.30.4 were modified to pull in plain-crypto-js@4.2.1, a malicious dependency that ran automatically during installation before the releases were removed from npm.
According to security company OX Security, the altered code can give attackers remote access to infected devices, allowing them to steal sensitive data such as login credentials, API keys and crypto wallet information.
The incident shows how a single compromised open-source component can potentially ripple across thousands of applications that rely on it, exposing not just developers but also platforms and users connected to the system.
Security companies urge key rotation, system audits
OX Security warned developers who installed axios@1.14.1 or axios@0.30.4 to treat their systems as fully compromised and immediately rotate credentials, including API keys and session tokens.
Socket said the compromised Axios releases were modified to include a dependency on plain-crypto-js@4.2.1, a package published shortly before the incident and later identified as malicious.
Related: Trust Wallet browser extension knocked offline by Chrome Store ‘bug,’ CEO says
The company said the dependency was configured to run automatically during installation through a post-install script, allowing attackers to execute code on target systems without additional user interaction.
Socket advised developers to review their projects and dependency files for the affected Axios versions and the associated plain-crypto-js@4.2.1 package, and to remove or roll back any compromised versions immediately.
Abdelfattah Ibrahim, senior offensive security engineer at Hacken, told Cointelegraph that the compromise could have serious implications for crypto-related applications that rely on Axios for backend operations.
“That’s bad news for dapps and apps that deal with cryptocurrency because Axios plays a huge role in API calls,” he said, noting that affected systems could include exchange integrations, wallet balance checks and transaction broadcasts.
Ibrahim said the malware deployed in the attack functions as a full remote access trojan, allowing attackers to interact directly with compromised systems. He added that the incident highlights a broader weakness in how supply chain risks are handled.
Earlier crypto incidents highlight supply chain risks
Earlier crypto incidents have shown how supply chain breaches can escalate from stolen developer information to user-facing wallet losses.
On Jan. 3, onchain investigator ZachXBT reported that “hundreds” of wallets across Ethereum Virtual Machine-compatible networks were drained in a broad attack that siphoned small amounts from each victim.
Cybersecurity researcher Vladimir S. said the incident was potentially linked to a December breach affecting Trust Wallet, which resulted in roughly $7 million in losses across over 2,500 wallets.
Trust Wallet later said the breach may have originated from a supply chain compromise involving npm packages used in its development workflow.
Magazine: Nobody knows if quantum secure cryptography will even work