
If you use Axios, the popular JavaScript library for making HTTP requests, you might have seen alarming headlines over the past couple of days. Words like "security breach", "remote access trojan", and "compromised npm package" can make any developer's heart skip a beat.
It’s natural to feel worried. But before you scrap Axios from all your projects, let’s walk through what actually happened, whether you’re at risk, and what you need to do. The situation is already under control, and with a few simple steps you can keep your projects safe.
What Actually Happened?
On March 30 and 31, 2026, an attacker managed to compromise the npm account of one of the Axios maintainers. Using that access, they published two malicious versions of Axios to the official npm registry: 1.14.1 and 0.30.4. The Axios team confirmed the incident in their official GitHub advisory and removed the compromised versions within hours.
These versions did not change the main Axios code. Instead, they added a hidden dependency called plain-crypto-js. When a developer ran npm install, code in that fake package executed during installation, quietly contacted a server controlled by the attacker and, depending on the operating system (Windows, macOS, or Linux), downloaded a remote access trojan (RAT): malware that can give an attacker control over the infected computer. Because the payload ran at install time, simply resolving the bad release into your dependency tree was enough; nothing in your application ever had to call Axios.
The good news is that the Axios team and the security community reacted fast. The malicious versions were only available for a few hours before they were pulled from npm.
Are You Affected? Two Different Risks
There are actually two separate issues here, and it’s important to know which one applies to you.
The major one is the supply-chain attack described above. You would be at risk only if your computer or your CI/CD build system ran npm install for Axios and fetched version 1.14.1 or 0.30.4 during that short window. This attack targeted developers and build environments, not the end-users of a website or app.
The second issue is a denial-of-service vulnerability, documented as CVE-2026-25639, that exists in some older, non-malicious versions of Axios. This is a conventional security bug, not an active attack: an application can be made to crash if it receives a specially crafted configuration object, but nothing is installed on the machine.
How to Check If You Were Compromised
The first thing to do is look at your project's lockfile (package-lock.json or yarn.lock), which records exactly which version of each package was resolved and installed.
Open a terminal inside your project and run:
npm list axios
Check the version number that appears. If it shows 1.14.1 or 0.30.4, your system may have been compromised. If it shows any other version (such as 1.14.0 or 0.30.3), that installation is clear of the malicious releases. Bear in mind that this only reports what is installed right now: if the project was installed on this machine during the window and updated afterwards, the malicious code may already have run, so complete the remaining checks as well.
Because the malicious releases pulled in the hidden dependency plain-crypto-js, run the following as well:
npm list plain-crypto-js
If the output lists plain-crypto-js instead of (empty), the malicious package is in your dependency tree, even if you no longer have the bad Axios versions. It is also worth searching your lockfile directly for plain-crypto-js, since the lockfile records what was resolved even after node_modules has been rebuilt.
If you suspect an infection, you can look for specific files that the malware drops. On macOS, check for /Library/Caches/com.apple.act.mond. On Windows, look for %PROGRAMDATA%\wt.exe. On Linux, check /tmp/ld.py. If any of those files exist, your system is compromised.
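As an added example (not code from the Axios project or its advisory), the shell script below automates the three checks described above: it scans a package-lock.json or yarn.lock for the two compromised Axios versions and for any reference to plain-crypto-js, and it looks for the indicator files listed above. The lockfile fragments it writes to a temporary directory are constructed for the demo; the version numbers and file paths it treats as hits are the ones given in the text, and the plain-crypto-js version strings in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not part of Axios or its advisory: scan lockfiles for the
# compromised releases and look for the dropped files named in the write-up.

BAD_AXIOS_VERSIONS="1.14.1 0.30.4"

# check_lockfile FILE
# Works on package-lock.json (v1 "axios": {...} and v2/v3 "node_modules/axios": {...}
# entries) and on yarn.lock (axios@...: header lines). Prints one HIT line per
# finding. Returns 1 if anything was found, 0 if the file is clean.
check_lockfile() {
  awk -v bad=" $BAD_AXIOS_VERSIONS " '
    BEGIN { hits = 0; in_axios = 0; pcj = 0 }
    # Entry header for axios itself: npm object key or yarn header line
    /"([^"]*\/)?axios": *[{]/ || /^"?axios@/ { in_axios = 1; next }
    # First version line after that header: npm "version": "X",   yarn  version "X"
    in_axios && /^[[:space:]]*"?version"?[ :]/ {
      ver = $2; gsub(/[",]/, "", ver); in_axios = 0
      if (index(bad, " " ver " ") > 0 && !(ver in seen)) {
        seen[ver] = 1; hits = 1
        print "HIT: axios " ver " in " FILENAME
      }
      next
    }
    # The hidden dependency, as its own entry or listed under axios (report once)
    /plain-crypto-js/ && !pcj { pcj = 1; hits = 1; print "HIT: plain-crypto-js referenced in " FILENAME }
    END { exit hits }
  ' "$1"
}

# check_indicator_files
# Looks for the files the write-up says the malware drops. $PROGRAMDATA is only
# set in Windows shells (Git Bash, MSYS2), so that entry is skipped elsewhere.
# Returns 1 if any of them exists.
check_indicator_files() {
  found=0
  for f in "/Library/Caches/com.apple.act.mond" \
           "${PROGRAMDATA:+$PROGRAMDATA/wt.exe}" \
           "/tmp/ld.py"; do
    if [ -n "$f" ] && [ -e "$f" ]; then
      echo "HIT: indicator file present: $f"
      found=1
    fi
  done
  return $found
}

# write_samples DIR: constructed lockfile fragments used by the demo below.
# Only the axios versions are real; the plain-crypto-js strings are placeholders.
write_samples() {
  cat > "$1/clean-package-lock.json" <<'EOF'
{
  "packages": {
    "node_modules/axios": {
      "version": "1.14.0"
    }
  }
}
EOF
  cat > "$1/bad-package-lock.json" <<'EOF'
{
  "packages": {
    "node_modules/axios": {
      "version": "1.14.1",
      "dependencies": {
        "plain-crypto-js": "*"
      }
    },
    "node_modules/plain-crypto-js": {
      "version": "0.0.0"
    }
  }
}
EOF
  cat > "$1/bad-yarn.lock" <<'EOF'
axios@^0.30.0:
  version "0.30.4"
EOF
}

# Demo: run the checks against the constructed samples, then against this host
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*; do
  if check_lockfile "$f"; then echo "clean: $f"; fi
done
if check_indicator_files; then echo "no indicator files found on this host"; fi
rm -r "$demo_dir"
```

Run it from your project directory and pass your real lockfile to check_lockfile; a non-zero exit from either function is your cue to move on to the steps in the next section rather than to keep investigating.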
What to Do Now
If you found the malicious Axios versions or the suspicious files, take these steps in order.
First, assume the attacker has had access to your machine. Rotate every credential that was present on it: passwords, API keys, npm tokens, cloud service keys, and SSH keys, and revoke the old ones wherever the service allows it. This is the most critical step.
Next, remove the malware: delete the dropped files listed above. Then pin Axios in your package.json to a safe release, for example 1.14.0 (or 0.30.3 if you are on the 0.x line), and run npm install again. After that, delete the plain-crypto-js folder from node_modules if it is still there. For a clean lockfile, you can also delete package-lock.json and run npm install once more, then confirm that neither 1.14.1, 0.30.4 nor plain-crypto-js appears in the regenerated file.
For complete peace of mind, especially if this happened on a personal development machine, the safest approach is to wipe the computer and reinstall the operating system. That’s the only way to be absolutely sure no backdoor remains.
If you are affected only by the denial-of-service vulnerability, the fix is much simpler: update to a patched version. On the 0.x line, update to 0.30.3 or higher; on the 1.x line, update to 1.13.5 or higher. Running npm install axios@latest will usually do the trick on 1.x; if you need to stay on 0.x, install axios@^0.30.3 instead, since @latest would move you onto the 1.x major line.
Nothing to Stress Over
It's easy to panic when news like this breaks, but let's keep things in perspective. The malicious versions were available for only a few hours and have since been removed from npm. Axios itself is not malicious; this was a supply-chain attack on its distribution, not a flaw in the library you rely on.
Your end‑users were never at risk from this particular incident. The malware targeted developers and build systems, not the people using your applications. And the fact that the community discovered and stopped the attack so quickly shows how vigilant the open‑source ecosystem really is.
This is a good reminder to practice healthy security habits: pin your dependency versions, commit and use lockfiles, and treat your development environment and CI runners with the same care you give your production servers. Since this attack ran its payload during installation, disabling install scripts where your build allows it (npm install --ignore-scripts, or npm config set ignore-scripts true) closes the avenue this attack used, at the cost of breaking packages that legitimately need install scripts. With that in place, you can continue using Axios confidently; just make sure you're on a safe version.