Introduction
We know that supply chain incidents like this can be unsettling, especially when they touch tools that sit deep in your development and production workflows. Huntress is actively responding to a critical supply chain attack involving the axios JavaScript HTTP client library. This compromise impacts the npm ecosystem and may affect developer workstations, CI/CD pipelines, and production services that consume the affected versions.
Our focus is on understanding who is impacted, containing any malicious activity quickly, and supporting you through remediation.
For full technical details, indicators of compromise, and platform-specific artifacts, please refer to our blog: Supply-Chain Compromise of axios npm Package.
What Happened
Attackers compromised a maintainer account for axios — one of the most widely used JavaScript libraries, with over 300 million weekly downloads — and published two backdoored releases to npm: axios@1.14.1 and axios@0.30.4.
These versions introduce a fake dependency whose sole purpose is to drop and execute a cross‑platform remote access trojan (RAT) on macOS, Windows, and Linux systems. Once installed, the malware contacts a command‑and‑control server, retrieves platform‑specific payloads, and then attempts to clean up traces of the malicious install, making it harder to detect after the fact.
What Huntress Has Done
From the moment this activity was confirmed, Huntress has been working on two parallel tracks:
Detection and hunting: We have deployed targeted detections covering all platform variants of this attack and are actively hunting across Huntress‑monitored endpoints for related activity.
Partner notification: Where we identify likely or confirmed activity, we are reaching out to affected partners directly and working with them on investigation and remediation.
As new IOCs or technical details emerge, we will continue to update our detections and guidance so you are not navigating this alone.
How Partners Can Assess and Secure Their Environment
Because this is a supply chain attack, response may require coordination between security teams, developers, and DevOps/IT. Here is what we recommend:
Check your dependencies. Ask your development and DevOps teams to search for axios@1.14.1 or axios@0.30.4 in lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml). If either version was installed, assume those systems may be compromised.
Pin to known‑good versions. Ensure applications and build systems use axios@1.14.0 (1.x) or axios@0.30.3 (0.x) and prevent resolution back to the malicious releases.
Rotate credentials. For any system suspected to have run the compromised packages, treat it as a full credential‑theft scenario — rebuild from a trusted image and rotate all sensitive tokens, keys, and passwords that may have been accessible.
Review the blog for IOCs. Our full technical writeup includes specific file paths, network indicators, and detection guidance you can use for your own environment checks.
Leverage Huntress support. If you suspect axios‑related compromise or see overlapping indicators, please create a ticket with SOC Support by emailing incidents@huntress.com.
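As an added example (not code from the advisory or from Huntress), the lockfile check in the first recommendation above, written as a Node.js script that scans package-lock.json, yarn.lock (classic format) and pnpm-lock.yaml contents for the two backdoored versions; the sample lockfile snippets are constructed, and the lockfile layouts are assumed from the formats those tools commonly write.

```javascript
// Added example, not part of the Huntress advisory: scan lockfile text for the two
// backdoored axios releases. Sample snippets below are constructed for the demo;
// in practice pass fs.readFileSync(path, 'utf8') for each lockfile.
const BAD_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
// package-lock.json: lockfileVersion 1 lists name -> {version} under
// "dependencies"; v2/v3 list "packages" keyed by path ("node_modules/axios").
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/axios') && BAD_AXIOS_VERSIONS.has(meta.version)) {
      hits.push(`${path}@${meta.version}`);
    }
  }
  const v1 = (lock.dependencies || {}).axios;
  if (v1 && BAD_AXIOS_VERSIONS.has(v1.version)) hits.push(`axios@${v1.version}`);
  return hits;
}
// yarn.lock (classic): an unindented header such as `axios@^1.14.0:` is followed by
// an indented `version "..."` line; only count blocks for axios itself, not axios-retry.
function scanYarnLock(text) {
  const hits = [];
  let inAxios = false;
  for (const line of text.split('\n')) {
    if (/^\S/.test(line)) inAxios = /^"?axios@/.test(line);
    const m = inAxios && line.match(/^\s+version\s+"([^"]+)"/);
    if (m && BAD_AXIOS_VERSIONS.has(m[1])) hits.push(`axios@${m[1]}`);
  }
  return hits;
}

// pnpm-lock.yaml: package keys look like `/axios@1.14.1:` (lockfile v6),
// `/axios/1.14.1:` (v5) or `axios@1.14.1:` (v9).
function scanPnpmLock(text) {
  const hits = [];
  for (const m of text.matchAll(/^\s*'?\/?axios[@/](\d[^:'(\s]*)/gm)) {
    if (BAD_AXIOS_VERSIONS.has(m[1])) hits.push(`axios@${m[1]}`);
  }
  return hits;
}
// Constructed sample lockfiles (not real artifacts), each with one bad version.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3,
  packages: { '': {}, 'node_modules/axios': { version: '1.14.1' } } });
const SAMPLE_YARN_LOCK = 'axios@^1.14.0:\n  version "1.14.0"\n\naxios@^0.30.0:\n  version "0.30.4"\n';
const SAMPLE_PNPM_LOCK = 'packages:\n  /axios@1.14.0:\n    dev: false\n  axios@0.30.4:\n    dev: false\n';
function scanAll() {
  return { npm: scanPackageLock(SAMPLE_PACKAGE_LOCK),
    yarn: scanYarnLock(SAMPLE_YARN_LOCK), pnpm: scanPnpmLock(SAMPLE_PNPM_LOCK) };
}
console.log(scanAll());
```

A non-empty result for any lockfile means that system falls under the "assume compromised" guidance above; the scan does not cover yarn berry lockfiles or transitive copies that a lockfile lists only under another package's dependency map.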