GHSA-fw8c-xr5c-95f9: Embedded Malicious Code via compromised maintainer account
Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 using a compromised maintainer account. Both versions inject a hidden dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious postinstall script contacts a command-and-control server and downloads a platform-specific second-stage payload. Any system that ran npm install while either version was available should be treated as fully compromised. The malicious packages have been removed from the npm registry.
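As a first triage step, the following added example (not code from the advisory or from the axios project) scans an npm lockfile for the exact package versions the advisory names, walking both the v1 "dependencies" tree and the v2/v3 "packages" map so transitive installs are caught; the sample lockfile and the package name some-sdk are constructed for illustration.

```javascript
// Added example: scan an npm lockfile for the versions named in GHSA-fw8c-xr5c-95f9.
// Indicators from the advisory: the malicious axios releases and their hidden dependency.
const INDICATORS = {
  'axios': new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
function isIndicator(name, version) {
  const bad = INDICATORS[name];
  return bad !== undefined && bad.has(version);
}
// Returns every match as { name, version, path } so the install location is visible.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, e.g. "node_modules/foo/node_modules/axios".
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // the root project entry
      const name = meta.name || p.split('node_modules/').pop();
      if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, path: p });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects form the install tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, path: p });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile: a clean top-level axios, but a made-up SDK that
// nests the malicious release, which also brought in plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.13.0' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
  },
};
// Real project: findCompromised(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
console.log(findCompromised(SAMPLE_LOCK));
```

A hit only shows that the version was resolved into the lockfile; per the advisory, any host that actually ran npm install while the versions were available should be treated as compromised regardless, so this check is for scoping, not clearance.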