Supply chain attack hits Axios npm releases, users urged to rotate keys

The Cointelegraph


Security companies flagged [email protected] and 0.30.4 as compromised, urging credential rotation and rollback of affected packages.

Update March 31, 2026, 1:28 pm UTC: This article has been updated to add comments from Abdelfattah Ibrahim, senior offensive security engineer at Hacken.

Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library.

The compromise was first reported by cybersecurity company Socket, which said [email protected] and [email protected] were modified to pull in [email protected], a malicious dependency that ran automatically during installation before the releases were removed from npm.
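A lockfile check for the rollback the article urges, as an added example that is not code from the article or from Socket. It flags axios entries at an affected version and lists every package npm marked as having an install-time script. The names `AFFECTED`, `nameFromPath`, `auditLockfile` and the sample lockfile are assumptions made for illustration, and only the version the page prints in full is listed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// AFFECTED holds only the version the article prints in full; the other
// axios version is obscured on the page, so add it from the vendor advisory.
const AFFECTED = new Map([["axios", new Set(["0.30.4"])]]);

// Derive the package name from a lockfile key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = { affected: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromPath(path);
    const label = `${name}@${meta.version} (${path})`;
    const badVersions = AFFECTED.get(name);
    if (badVersions && badVersions.has(meta.version)) {
      findings.affected.push(label);
    }
    // npm sets hasInstallScript on packages that declare install-time
    // lifecycle scripts, the mechanism the article says was abused.
    if (meta.hasInstallScript) {
      findings.installScripts.push(label);
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.30.4" },
    "node_modules/left/node_modules/axios": { version: "0.27.2" },
    "node_modules/example-dep": { version: "1.0.0", hasInstallScript: true },
    "node_modules/@scope/tool": { version: "2.1.0" },
  },
};

console.log(auditLockfile(sampleLock));
```

Installing with `npm ci --ignore-scripts` prevents lifecycle scripts from running while the lockfile is being reviewed.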
