Stop the presses and pass the dry shampoo: Axios, the darling JavaScript HTTP client used by practically everyone and their front-end bestie, just became the center of a supply-chain scandal. An unknown attacker hijacked the npm account of Axios’s lead maintainer and slipped out malicious releases that planted a remote access trojan—yes, a full-on RAT—right into unsuspecting installs.

Here’s the tea: late Sunday into early Monday, poisoned Axios versions hit npm before being yanked, but not before sending the security world into a group text meltdown. Huntress clocked the timing, Aikido called it “one of the most impactful npm supply chain attacks on record,” and researchers from Step Security, Socket, Endor Labs, and more started ringing alarm bells like it was New Year’s Eve.

Step Security traced the caper to two look-what-just-dropped versions—axios@1.14.1 and axios@0.30.4—that quietly added a dependency called plain-crypto-js@4.2.1. That add-on didn’t beautify anything; it acted as a loader, triggering a post-install script that deployed a cross-platform RAT targeting macOS, Windows, and Linux. Technically, there were “zero lines of malicious code inside axios itself”—the attacker simply exploited the dependency chain the way a reality star weaponizes a confessional. Socket’s Feross Aboukhadijeh dubbed it “textbook supply chain installer malware,” warning that any npm install pulling the latest during the window was potentially compromised.

And because every scandal needs a twist, the payload reportedly dodged static analysis, confused human reviewers, and even deleted or renamed artifacts to muddle forensics—like wiping the lipstick off the crime scene mirror. Step Security’s Ashish Kurmi called the operation “precision,” noting the malicious dependency was staged less than 24 hours ahead, with both bad releases pushed within the same hour. Aboukhadijeh called it a “live compromise” with a big potential blast radius.

Axios sees around 100 million weekly downloads, so even a short exposure is no small drama. SANS Institute’s Joshua Wright estimated the window could translate to roughly 600,000 downloads, with immediate credential scraping on install raising the stakes for downstream access. In plain terms: if your CI/CD pipeline grabbed the tainted versions, your secrets might have been invited to the wrong afterparty.

Damage control mode, darlings: experts advise pinning Axios to a safe known version, auditing and re-generating your lockfiles, and—this is important—do not upgrade to the latest until trusted advisories give the all-clear. Comb through CI caches and containers for the sneaky dependency, rotate credentials that might’ve been exposed, and monitor for suspicious outbound connections. Today’s lesson? Even the most popular packages can get compromised, so treat your dependency tree like a VIP guest list—strict, verified, and absolutely no plus-ones you didn’t invite.