On March 31, 2026, the Axios npm package was compromised via a maintainer account takeover. Two malicious versions were published – axios@1.14.1 and axios@0.30.4 – which introduced a hidden dependency (plain-crypto-js@4.2.1) that executes a post-install script to deploy a cross-platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems.
Revised on 2026-04-14 00:00:00