Get expert guidance in a few days with a Laravel code review

Laravel News Laravel News

Axios npm Package Compromised With Remote Access Trojan

Last updated on by

Axios npm Package Compromised With Remote Access Trojan image

Two malicious versions of the popular axios HTTP client library were published to npm on March 30–31, 2026, after an attacker compromised a maintainer's account. The affected versions, axios@1.14.1 and axios@0.30.4, installed a remote access trojan (RAT) on developer machines across macOS, Windows, and Linux.

Axios is one of the most widely used JavaScript HTTP clients and is a common dependency in Laravel projects using Vite, Inertia, or any Node-based build pipeline.

What Happened

According to the StepSecurity blog post the attacker hijacked the npm account of the primary axios maintainer (jasonsaayman), changing the registered email to a Proton Mail address. Using this access, they published two new versions that added a single fake dependency: plain-crypto-js@4.2.1.

That package masqueraded as the legitimate crypto-js library but included an obfuscated postinstall script (setup.js) that acted as a cross-platform RAT dropper. The only file changed in axios itself was package.json, every other file across 85+ source files remained identical to the clean release.

How the Attack Worked

Venturebeat reports:

The attacker never touched the Axios source code. Instead, both release branches received a single new dependency: plain-crypto-js@4.2.1. No part of the codebase imports it. The package exists solely to run a postinstall script that drops a cross-platform RAT onto the developer's machine.

The staging was precise. Eighteen hours before the axios releases, the attacker published a clean version of plain-crypto-js under a separate npm account to build publishing history and dodge new-package scanner alerts. Then came the weaponized 4.2.1. Both release branches hit within 39 minutes. Three platform-specific payloads were pre-built. The malware erases itself after execution and swaps in a clean package.json to frustrate forensic inspection.

StepSecurity, which identified the compromise alongside Socket, called it among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.

How this affects Laravel

This is not a Laravel vulnerability, but they announced they are taking proactive steps to protect the community from this supply chain attack, and telling people:

If you installed or updated axios in the last 24 hours, scan your machine.

Here is what the Laravel has done:

  • Pinned axios to safe versions in laravel/laravel
  • laravel/installer now runs package installs with --ignore-scripts by default
  • Blocked the attacker's domain across Laravel Cloud

Pushpak also shared a prompt you can use to scan your local computer to check for any vulnerable installs.

What You Should Do

If you installed axios@1.14.1 or axios@0.30.4 during the window they were available, treat any machine that ran npm install as compromised. StepSecurity recommends:

  1. Remove the poisoned packages and pin to a safe version (axios@1.14.0 or 0.30.3)
  2. Check for RAT artifacts at the file paths listed above
  3. Rotate all credentials and tokens on affected machines
  4. Reformat compromised systems

Post Mortem Update

According to this GitHub issue here is how this all happened:

they tailored this process specifically to me by doing the following:

  • they reached out masquerading as the founder of a company they had cloned the companys founders likeness as well as the company itself.
  • they then invited me to a real slack workspace. this workspace was branded to the companies ci and named in a plausible manner. the slack was thought out very well, they had channels where they were sharing linked-in posts, the linked in posts i presume just went to the real companys account but it was super convincing etc. they even had what i presume were fake profiles of the team of the company but also number of other oss maintainers.
  • they scheduled a meeting with me to connect. the meeting was on ms teams. the meeting had what seemed to be a group of people that were involved.
  • the meeting said something on my system was out of date. i installed the missing item as i presumed it was something to do with teams, and this was the RAT.
  • everything was extremely well co-ordinated looked legit and was done in a professional manner.
Eric L. Barnes photo

Eric is the creator of Laravel News and has been covering Laravel since 2012.

Facebook Facebook X X Threads Threads Instagram Instagram Github Github
Filed in:
News
Cube

Laravel Newsletter

Join 40k+ other developers and never miss out on new tips, tutorials, and more.

Cube

Laravel Jobs

Explore hundreds of open positions today.

View all jobs
image
Acquaint Softtech

Hire Laravel developers with AI expertise at $20/hr. Get started in 48 hours.

Visit Acquaint Softtech

Partners

View all →
Tinkerwell logo

Tinkerwell

The must-have code runner for Laravel developers. Tinker with AI, autocompletion and instant feedback on local and production environments.

Tinkerwell
Get expert guidance in a few days with a Laravel code review logo

Get expert guidance in a few days with a Laravel code review

Expert code review! Get clear, practical feedback from two Laravel devs with 10+ years of experience helping teams build better apps.

Get expert guidance in a few days with a Laravel code review
PhpStorm logo

PhpStorm

The go-to PHP IDE with extensive out-of-the-box support for Laravel and its ecosystem.

PhpStorm
Laravel Cloud logo

Laravel Cloud

Easily create and manage your servers and deploy your Laravel applications in seconds.

Laravel Cloud
Acquaint Softtech logo

Acquaint Softtech

Acquaint Softtech offers AI-ready Laravel developers who onboard in 48 hours at $3000/Month with no lengthy sales process and a 100 percent money-back guarantee.

Acquaint Softtech
Kirschbaum logo

Kirschbaum

Providing innovation and stability to ensure your web application succeeds.

Kirschbaum
Shift logo

Shift

Running an old Laravel version? Instant, automated Laravel upgrades and code modernization to keep your applications fresh.

Shift
Harpoon: Next generation time tracking and invoicing logo

Harpoon: Next generation time tracking and invoicing

The next generation time-tracking and billing software that helps your agency plan and forecast a profitable future.

Harpoon: Next generation time tracking and invoicing
Lucky Media logo

Lucky Media

Get Lucky Now - the ideal choice for Laravel Development, with over a decade of experience!

Lucky Media
SaaSykit: Laravel SaaS Starter Kit logo

SaaSykit: Laravel SaaS Starter Kit

SaaSykit is a Multi-tenant Laravel SaaS Starter Kit that comes with all features required to run a modern SaaS. Payments, Beautiful Checkout, Admin Panel, User dashboard, Auth, Ready Components, Stats, Blog, Docs and more.

SaaSykit: Laravel SaaS Starter Kit
MongoDB logo

MongoDB

Enhance your PHP applications with the powerful integration of MongoDB and Laravel, empowering developers to build applications with ease and efficiency. Support transactional, search, analytics and mobile use cases while using the familiar Eloquent APIs. Discover how MongoDB's flexible, modern database can transform your Laravel applications.

MongoDB

The latest

View all →
An Opinionated Agent Skill for Building REST APIs in Laravel image

An Opinionated Agent Skill for Building REST APIs in Laravel

Read article
Launch Your Dream SaaS Application with SaaSykit image

Launch Your Dream SaaS Application with SaaSykit

Read article
Generate, Parse, and Convert Documents in PHP with Paperdoc image

Generate, Parse, and Convert Documents in PHP with Paperdoc

Read article
Spatie Shares Their Coding Guidelines as AI Skills image

Spatie Shares Their Coding Guidelines as AI Skills

Read article
AI Generative Engine Optimization for Laravel image

AI Generative Engine Optimization for Laravel

Read article
Attach PDFs Directly to Mailables in laravel-pdf 2.6.0 image

Attach PDFs Directly to Mailables in laravel-pdf 2.6.0

Read article