PSIRT

Axios npm Package Compromised

Summary

On March 31, 2026, the Axios npm package was compromised via a maintainer account takeover. Two malicious versions were published - axios@1.14.1 and axios@0.30.4 - which introduced a hidden dependency (plain-crypto-js@4.2.1) able to execute a post‑install script deploying a cross‑platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems.

None of Fortinet products have been impacted by this supply chain attack.

Timeline

2026-04-14: Initial publication

References

https://github.com/axios/axios/issues/10636

IR Number	FG-IR-26-126
Published Date	Apr 14, 2026
Component	OTHERS
Severity	Info
Discovered	Third-Party Library
Attack Type	Authenticated
Known Exploited	No
Impact	Execute unauthorized code or commands
Download	CVRF CSAF

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Axios npm Package Compromised

Summary

Timeline

References

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Axios npm Package Compromised

Summary

Timeline

References

Threat Intelligence
Center