One of NPM’s most depended-on packages is under an ongoing supply chain attack.
According to Feross Aboukhadijeh, co-founder of security-oriented firm Socket Security, there is an active supply chain on Axios, which is one of npm’s most depended-on packages.
NPM stands for Node Package Manager and is basically the world’s largest software registry, hosting more than two million packages of open-source JavaScript code. An argument can be made that it’s the backbone of modern Web3 development.
According to Feross, the latest axios@1.14.1 is currently pulling in plain-crypto-just@4.2.1, which is a package that did not exist before today, suggesting that it’s a live compromise.
This is textbook supply chain installer malware. Axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analyiss confirms this is malware. Plain-crypto-js is an obfuscated dropper/loadre.”
The malicious software can perform a range of actions, including deleting and renaming artifacts post-execution to destroy forensic evidence, staging and copying payload files to the OS temp and Windows ProgramData directories, executing decoded shell commands, and more.
🚨 CRITICAL: Active supply chain attack on axios — one of npm’s most depended-on packages.
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios…
— Feross (@feross) March 31, 2026
The expert recommends that developers who use axios immediately pin their versions and audit their lockfiles, while refraining from any updates for the time being.
Binance Free $600 (CryptoPotato Exclusive): Use this link to register a new account and receive $600 exclusive welcome offer on Binance (full details).
LIMITED OFFER for CryptoPotato readers at Bybit: Use this link to register and open a $500 FREE position on any coin!
