Axios npm supply chain compromise via social engineering and postinstall execution

April 4, 2026 | The Hacker News, Cisco Talos Intelligence Group, Qualys

Multiple reports describe the Axios npm compromise, in which a fake Teams error fix was used to hijack a maintainer account, allowing malicious code to run via postinstall scripts and spread through CI/CD installs.

It turns out Axios npm was compromised via a targeted UNC1069 social engineering attack.
Attackers used a fake Slack + Teams setup to install malware, steal npm credentials, and publish trojanized versions (1.14.1, 0.30.4).
Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios NPM package:
A supply chain attack has compromised Axios versions 1.14.1 and 0.30.4 to deploy a cross-platform Remote Access Trojan (RAT).
The attacker gained access to the lead maintainer's PC through a targeted social engineering campaign and RAT malware.
This gave them access to the npm account credentials, which they used to publish the malicious versions.
Axios maintainer says social engineering by UNC1069 led to npm breach. Attackers used a fake Slack/Teams setup to deploy a RAT and push malicious updates to millions of users.
Axios npm hack used fake Teams error fix to hijack maintainer account
UNC1069 Uses Social Engineering to Hijack Axios npm Package via Maintainer
A recent software supply chain attack involving the Axios npm package shows how malicious code can execute automatically through postinstall scripts.
we explain how a routine package install led to malware execution, even without exploiting vulnerabilities
Join us LIVE on Tuesday, April 7 ... breaking down the Axios supply chain compromise to help security teams understand the mechanics of the attack
The Hacker News
Cisco Talos Intelligence Group
Qualys
Clandestine
780th Military Intelligence Brigade (Cyber)
Matt Johansen
s1r1us
SC Media
BleepingComputer
The Cyber Security Hub™
Blue Team News
CySecurity News
Trend Micro Research
Eric Vanderburg
SentinelOne
Red Canary, a Zscaler company
Decipher