On March 31, 2026, a supply chain compromise was identified in the Axios library. Versions 1.14.1 and 0.30.4 were found to include a malicious dependency, plain-crypto-js, which executes a Remote Access Trojan (RAT) upon installation.
Run the following command from the top-level directory that contains your projects to scan all local repositories. The search prioritizes the "smoking gun" dependency (`plain-crypto-js`) and the compromised version numbers across all major lockfile formats.
```shell
grep -rE "plain-crypto-js|axios.*(1\.14\.1|0\.30\.4)" . \
  --include="*-lock.json" \
  --include="*.lock" \
  --include="*.lockb" \
  --include="pnpm-lock.yaml"
```

- Targeted: it looks for `plain-crypto-js`, a purely malicious package that should never exist in a legitimate environment.
- Comprehensive: it scans `package-lock.json` (npm), `yarn.lock` (Yarn), `pnpm-lock.yaml` (pnpm), and `bun.lockb` (Bun).
- Transitive awareness: it identifies the malware even if Axios is a deep sub-dependency of another library you are using.

Because grep matches one line at a time, the `axios` version alternative only fires where the package name and its version sit on the same line (as in `pnpm-lock.yaml`); in `package-lock.json` and `yarn.lock` they are usually on separate lines, so for those files the `plain-crypto-js` match is the reliable signal.
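For lockfiles where name and version are split across lines, a parser is more reliable than a line-oriented grep. The following Python scanner is an added example (not part of the advisory) that reads `package-lock.json` (lockfileVersion 1, 2 and 3, including transitive entries) and classic `yarn.lock` content and reports the indicators named above; the sample lockfile contents are constructed, not real project files.

```python
import json
import re

# Indicators taken from the advisory above.
MALICIOUS_PACKAGES = {"plain-crypto-js"}
COMPROMISED_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}

def _check(name, version, found):
    # Flag the malicious package at any version, or axios at a compromised version.
    if name in MALICIOUS_PACKAGES or version in COMPROMISED_VERSIONS.get(name, ()):
        found.add((name, version or "?"))

def scan_package_lock(text):
    """Findings (sorted (name, version) pairs) from package-lock.json content.
    Handles lockfileVersion 2/3 ("packages", keyed by install path, so transitive
    entries are already flat) and v1 ("dependencies", a nested tree)."""
    data, found = json.loads(text), set()
    for path, meta in data.get("packages", {}).items():
        if path:  # "" is the root project itself
            _check(path.rsplit("node_modules/", 1)[-1], meta.get("version"), found)
    def walk(deps):
        for name, meta in deps.items():
            _check(name, meta.get("version"), found)
            walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return sorted(found)

def scan_yarn_lock(text):
    """Findings from a classic yarn.lock, where the entry header (axios@^1.14.0:)
    and its 'version' line are separate lines, so a line-wise grep cannot pair them."""
    found, name = set(), None
    for line in text.splitlines():
        header = re.match(r'^"?(@?[^@"\s]+)@', line)   # unindented entry header
        if header:
            name = header.group(1)
        else:
            m = re.match(r'^\s+version "?([^"\s]+)"?', line)
            if m and name:
                _check(name, m.group(1), found)
    return sorted(found)

# Constructed sample lockfiles (not real project files); axios is transitive via some-sdk.
SAMPLE_PACKAGE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "1.0.0"},
}})
SAMPLE_YARN_LOCK = 'axios@^1.14.0:\n  version "1.14.1"\n\n"@scope/ok@^1.0.0":\n  version "1.0.0"\n'
```

Run `scan_package_lock` or `scan_yarn_lock` over each lockfile's text; any non-empty result is a hit that should trigger the response steps below.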
If the command above returns any matches, follow these steps immediately:
- Disconnect: take the affected machine offline.
- Cease operations: do not run any further `npm`, `yarn`, or build scripts on that machine.
The malware (WAVESHAPER.V2) is designed to exfiltrate environment variables. Assume all secrets on the machine are compromised. Immediately rotate:
- Cloud provider keys (AWS, Azure, GCP)
- GitHub/GitLab personal access tokens
- Database credentials
- `.env` file contents
The safest path for this specific compromise is a full OS wipe and reinstall, as the malware establishes persistent backdoors in system directories. At minimum:
- Clear your local cache: `npm cache clean --force`
- Delete `node_modules` and the contaminated lockfile.
- Downgrade/pin Axios to a safe version: `npm install axios@1.14.0` or `npm install axios@0.30.3`
- Generate a fresh lockfile.
Note: Always use an automated SCA (Software Composition Analysis) tool in your CI/CD pipeline to catch these vulnerabilities before they reach local developer environments.