Multiple reports describe attackers taking over a trusted axios maintainer account, then publishing malicious versions that many teams pulled automatically via semver ranges. The incident is used as a cautionary tale about credential protection and the blast radius of compromised maintainer access.
Attackers hijacked the maintainer account and pushed malicious versions that executed during install via a hidden dependency, deploying a cross-platform backdoor (Windows, macOS, Linux) and then removing
Axios npm package briefly compromised after attacker takeover of a trusted maintainer account
After targeting a lead maintainer in an account takeover attack, the adversary bypassed the project's GitHub Actions CI/CD pipeline by
One compromised maintainer credential later, every team using ^1.x just pulled a RAT into their environment.
The unnamed attacker was able to compromise the GitHub and npm accounts of one of the maintainers of axios in the early morning hours Tuesday
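The two exposures the snippets above describe, floating ranges such as ^1.x that accept a freshly published version and a hidden dependency that runs code at install time, can be checked for in a project's own manifests. The following Node.js audit is an added example, not code from any of the quoted reports or from the axios project, and both manifests it reads are constructed samples.

```javascript
// Added example, not code from any of the reports above: audit package.json against
// package-lock.json for the two conditions the axios incident combined: floating
// semver ranges that accept a new publish, and packages that run scripts at install.
// Both manifests are CONSTRUCTED samples, not real axios metadata.
const packageJson = {
  dependencies: {
    axios: "^1.6.0",      // floating: any 1.x at or above 1.6.0 satisfies it
    "left-pad": "1.3.0",  // exact pin
    lodash: "~4.17.20",   // floating on the patch component
    chalk: "^5.0.0"       // declared but absent from the lockfile
  }
};
// package-lock.json (lockfileVersion 3) "packages" map as npm writes it; constructed.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.6.8" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/hidden-helper": { version: "0.0.1", hasInstallScript: true }
  }
};
// A range is floating unless it is a bare exact version (x.y.z).
function isFloatingRange(range) {
  return !/^\d+\.\d+\.\d+$/.test(range.trim());
}
// Cross-reference each declared dependency with the lockfile:
//  floating      - the range accepts a newer publish, so any resolution the lockfile
//                  does not hold (npm update, a missing or ignored lockfile) pulls it
//  unlocked      - no lockfile entry pins the resolved version at all
//  installScript - the resolved package runs a lifecycle script during npm install
function auditDependencies(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).map(([name, range]) => {
    const entry = lock.packages[`node_modules/${name}`];
    return { name, range, floating: isFloatingRange(range), unlocked: !entry,
             locked: entry ? entry.version : null,
             installScript: Boolean(entry && entry.hasInstallScript) };
  });
}
// Every lockfile package that runs an install-time script, including transitive ones
// no top-level dependency names: where a hidden install-time dependency shows up.
function installScriptPackages(lock) {
  return Object.entries(lock.packages)
    .filter(([, e]) => e.hasInstallScript)
    .map(([p]) => p.replace(/^node_modules\//, ""));
}
console.table(auditDependencies(packageJson, packageLock));
console.log("packages with install scripts:", installScriptPackages(packageLock));
```

Run it against a real project by replacing the two constants with JSON.parse of the actual files; the `hasInstallScript` flag is what npm itself records for packages with preinstall, install or postinstall scripts.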