Perceptive Security
SOC/SIEM Consultancy

Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Published:
2 April 2026 at 16:47:43
Alert date:
2 April 2026 at 19:04:21
Source:
socket.dev
Supply Chain & Dependencies, Web Technologies
The Axios npm package was compromised on March 31 through a targeted social engineering attack against its maintainer, Jason Saayman. The attackers posed as a legitimate company, gained access to the maintainer's machine, and hijacked his active sessions to publish malicious versions that installed a remote access trojan. The malicious packages affected macOS, Windows, and Linux systems. The attack bypassed traditional security controls such as 2FA because the attackers were operating inside the maintainer's already-authenticated sessions rather than logging in themselves. This incident highlights the fragility of the open source supply chain and the burden placed on individual maintainers who look after critical infrastructure with limited security resources.
Technical details
On March 31, two malicious versions of Axios were published to npm, each introducing a new dependency that installed a remote access trojan on macOS, Windows, and Linux. The attack was the result of targeted social engineering in which the attacker posed as a legitimate company to gain access to the maintainer's machine. The attacker then hijacked active browser sessions, lifting session cookies to take control of both the npm and GitHub accounts. Because those sessions were already authenticated, the attacker could publish packages with the maintainer's permissions without being challenged by 2FA or OIDC-based publishing protections. Because npm resolves transitive dependencies automatically, any project that resolved to one of the malicious versions, directly or through another package, also pulled in the trojan dependency, multiplying the impact across the JavaScript ecosystem.
Mitigation steps:
Wipe all devices following compromise
Reset all credentials
Adopt hardware security keys
Implement improved publishing workflows
Monitor for malicious Axios versions published on March 31
Review dependency chains for affected packages
Implement additional security measures for maintainer accounts
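Reviewing dependency chains, as the mitigation list asks, means finding every copy of axios a lockfile would actually hand to each package, not only the hoisted top-level one. The script below is an added example, not code from the advisory or from the Axios or Socket projects: it replays npm's nearest-ancestor node_modules lookup over a lockfileVersion 2/3 package-lock.json, flags copies whose version is on a block-list, and flags copies whose declared dependencies fall outside an allow-list (the attack added a new dependency). The block-list, the allow-list, and the sample lockfile are placeholders and constructed data, since the page does not name the malicious versions.

```javascript
// Placeholder: the advisory does not list the two malicious version numbers; fill these in.
const BAD_AXIOS_VERSIONS = new Set(['0.0.0-placeholder']);
// Assumption: copy this allow-list from a known-good lockfile of the axios version you expect.
const EXPECTED_AXIOS_DEPS = new Set(['follow-redirects', 'form-data', 'proxy-from-env']);

// Walk up the node_modules tree the way Node's resolver does and return the lockfile key
// of the copy of `name` that a package installed at `fromPath` would load (null if none).
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without a match
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx); // step to the enclosing package
  }
}

// For every package (including the project root, key '') that declares axios, work out which
// installed copy it gets and report it if the version is blocked or its dependency list is unexpected.
function auditAxios(lock, badVersions = BAD_AXIOS_VERSIONS, expectedDeps = EXPECTED_AXIOS_DEPS) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!Object.keys(meta.dependencies || {}).includes('axios')) continue;
    const target = resolveFrom(packages, path, 'axios');
    if (!target) continue; // declared but not installed in this lockfile
    const axiosMeta = packages[target];
    const unexpected = Object.keys(axiosMeta.dependencies || {}).filter((d) => !expectedDeps.has(d));
    if (badVersions.has(axiosMeta.version) || unexpected.length > 0) {
      findings.push({ dependent: path || '(project root)', axiosPath: target,
        version: axiosMeta.version, unexpectedDeps: unexpected });
    }
  }
  return findings;
}

// Constructed sample lockfile: the root gets a clean hoisted axios, while a CLI dependency
// carries its own nested copy on the block-list with an extra, unexpected dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.0.0', 'some-cli': '^2.0.0' } },
    'node_modules/axios': { version: '1.2.3',
      dependencies: { 'follow-redirects': '^1', 'form-data': '^4', 'proxy-from-env': '^1' } },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { axios: '*' } },
    'node_modules/some-cli/node_modules/axios': { version: '0.0.0-placeholder',
      dependencies: { 'follow-redirects': '^1', 'evil-dropper': '^1' } },
  },
};

console.log(JSON.stringify(auditAxios(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditAxios` in place of the sample.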
Affected products:
Axios npm package (malicious versions published March 31)
npm registry
JavaScript ecosystem packages using Axios as dependency
Build systems using Axios
CLIs using Axios
Infrastructure tooling using Axios
Production applications using Axios
Related links:
https://socket.dev/blog/axios-npm-package-compromised
https://socket.dev/blog/hidden-blast-radius-of-the-axios-compromise
https://github.com/axios/axios/issues/10604#issuecomment-4167784086
https://github.com/axios/axios/issues/10604#issuecomment-4169063636
https://github.com/axios/axios/issues/10604#issuecomment-4168706704
https://socket.dev/blog/how-to-use-socket-to-find-out-if-you-were-affected-by-the-backdoored-xz-package
https://socket.dev/blog/the-unpaid-backbone-of-open-source
https://kennethreitz.org/essays/2026-03-18-open_source_gave_me_everything_until_i_had_nothing_left_to_give
This article was created with the assistance of AI technology by Perceptive.
