Axios JavaScript NPM package hit by network compromise
Incident
Summary
Hide ▲
Show ▼
Axios suffered a supply-chain compromise after malicious versions were published to NPM, creating a high-risk exposure for developers and downstream consumers. The malicious releases were active for around three hours, and one embedded dependency could deliver a RAT across Windows, Linux, and Mac. The incident matters because Axios is downloaded more than 400 million times per month, so even a short window could affect a very large ecosystem.
Related Happenings
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
H score13
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Inactive maintainer account 'atiertant' hit by network compromise
IncidentAbout this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
TanStack hit by network compromise
Incident
H score29
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
TanStack hit by network compromise
IncidentAbout this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Timeline
-
13.04.2026 20:39 1 articles · 2mo ago
OpenAI rotates macOS code-signing certificates after Axios compromise
Mitigation Patch UpdateOpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed compromised Axios version 1.14.1 during the March 31, 2026 supply chain attack. The certificate was used to sign OpenAI macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas, and macOS users must update to versions signed with the new certificate before the old certificate is fully revoked on May 8, 2026.
Show sources
- OpenAI rotates macOS certs after Axios attack hit code-signing workflow — www.bleepingcomputer.com — 13.04.2026 20:39
-
30.03.2026 03:00 1 articles · 3mo ago
Axios NPM compromise disclosed
Initial DisclosureStepSecurity identified two malicious Axios NPM releases, [email protected] and [email protected], after the maintainer account "jasonsaayman" was compromised; the releases introduced plain-crypto-js, which impersonated crypto-js and executed a script that installed a cross-platform RAT, and NPM later removed the campaign while defenders were urged to verify dependencies and check indicators of compromise.
Show sources
- Axios NPM Package Compromised in Precision Attack — www.darkreading.com — 31.03.2026 23:55