MEDIUMSupply Chain
Global

Axios Compromise on npm Introduces Hidden Malicious Package

Tuesday, March 31, 2026 at 08:31 PM UTC·Source: Sonatype (Maven/npm)

Updated: Monday, April 6, 2026 at 12:18 AM UTC

Executive Summary

<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/axios-compromise-on-npm-introduces-hidden-malicious-package" title="" class="hs-featured-image-link"> <img src="https://www.sonatype.com/hubfs/blog_axios_compromised.jpg" alt="Image of a slide with information on new malicious packages found in npm and Sonatype research" class="hs-featured-image" style="width:auto !impo

Analysis

<div class="hs-featured-image-wrapper"> <a href="https://www.sonatype.com/blog/axios-compromise-on-npm-introduces-hidden-malicious-package" title="" class="hs-featured-image-link"> <img src="https://www.sonatype.com/hubfs/blog_axios_compromised.jpg" alt="Image of a slide with information on new malicious packages found in npm and Sonatype research" class="hs-featured-image" style="width:auto !important; max-width:50%; float:left; margin:0 15px 15px 0;"> </a> </div> <p><span>A newly discovered software supply chain attack targeting the npm ecosystem briefly compromised one of the most widely used JavaScript libraries in the world.</span></p>

Indicators of Compromise (3)

URL (2)
https://www.sonatype.com/blog/axios-compromise-on-npm-introduces-hidden-malicious-package
VirusTotalURLhaus
https://www.sonatype.com/hubfs/blog_axios_compromised.jpg
VirusTotalURLhaus
Domain (1)
www.sonatype.com
VirusTotalURLhaus
Source Attribution

Originally published by Sonatype (Maven/npm) on Mar 31, 2026.

Related Threats

MEDIUMSupply Chain

Mercor Breach Linked to LiteLLM Supply-Chain Attack

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/mercor-breach-linked-to-litellm-supply-chain-attack-image_small-1-a-31340.jpg" align=right hspace=4><b>AI Dependency Attack Reportedly Exposes Data and Source Code</b><br>A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm

Bank Info Security
MEDIUMSupply Chain

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,

The Hacker News
MEDIUMSupply Chain

Axios npm hack used fake Teams error fix to hijack maintainer account

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]

BleepingComputer