Jacob Santos

Threat Hunter, Researcher and Builder

Sr. Threat Researcher | Trend AI
17 Articles · 14 Threads · 10+ Tools · 10+ Talks
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
Trend Micro Research Mar 2026

Supply Chain · RAT · Defense Evasion · Cross-Platform

On March 30–31, 2026, attackers compromised the jasonsaayman npm account (lead maintainer of Axios, the most downloaded JavaScript HTTP client) and published poisoned versions 1.14.1 and 0.30.4 within 39 minutes of each other. The sole change in both versions was the injection of a phantom dependency, plain-crypto-js@4.2.1, which existed only to trigger a postinstall hook that executed setup.js; Axios's own source files were untouched, so the only indicator in the Axios package itself was the added dependency line in package.json.

The dropper used a layered XOR-plus-base64 obfuscation scheme with the key "OrDeR_7077" and employed dynamic require() calls to evade static analysis, then dispatched a platform-specific payload: on macOS, an AppleScript-based RAT disguised as an Apple system cache binary; on Windows, a VBScript and PowerShell chain that renamed PowerShell as wt.exe and executed the final stage entirely in memory; on Linux, a Python RAT launched via nohup. After deploying the RAT, the dropper deleted setup.js and the malicious package.json and swapped in a clean decoy, so the installed package on disk looked clean afterwards.

The attacker never went through the GitHub Actions OIDC Trusted Publisher workflow: the versions were published manually with a stolen npm token, leaving no trace in the project's GitHub repository. Automated scanners flagged the malicious dependency within six minutes, and npm removed the packages within approximately three hours of the initial malicious publish.