100 Million Downloads. One Compromised Account. Your Machine Is Now a Botnet.
On March 31, 2026, two malicious versions of Axios — axios@1.14.1 and axios@0.30.4 — were discovered containing a precision-engineered, self-erasing supply chain attack. The RAT it dropped could silently steal your AWS credentials, API keys, and more — and npm audit reported a clean bill of health the entire time. Here's exactly how it worked.