Axios Hacked! ⚠️

There was a hack: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

The guy is saying that he was hacked. But he had a bunch of security and knew the score. The cynic in me says there is more to this than meets the eye.

I believe the situation needs a full blown investigation.

Until it's resolved I wouldn't even trust NPM.

It was resolved long before this thread. The compromised version was up for 3 hours.

The lead maintainer's account was hacked, allowing the attacker to upload the compromised version.

It's not feasible to "not trust" package managers, be it npm, composer or pip. Downloading libraries directly from a CDN definitely isn't any safer.

I download the actual code no library:

quote

!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).axios=t()}(this,(function(){"use strict";function e(e){var r,n;function o(r,n){try{var a=e[r](n),s=a.value,u=s instanceof t;Promise.resolve(u?s.v:s).then((function(t){if(u){var n="return"===r?"return":"next";if(!s.k||t.done)

///   much more in the file just example

unquote

And use like old school:

<script type="text/javascript" src="<?php echo asset('assets/js/axios.min.js'); ?>"></script>

I only use what comes with laravel in vendor. And now I probably won't trust axios, I will go back to using fetch js.

I have never even used NPM.

The compromised version was up for 3 hours.

But how much damage was done, other servers could have been hit as well. Depending on how the malware was written.

I download the actual code no library:

That IS the library. It can have malware whether you install it via npm or manually.

In this case, attackers included a package install script to install the RAT. A direct download couldn't do that, but it could contain other malicious code.

Npm has an automatic audit for vulnerable versions, unlike direct downloads.

But how much damage was done, other servers could have been hit as well. Depending on how the malware was written.

That wasn't what I meant. This is a serious attack. My point was that there's nothing to wait for because the compromised versions were removed over 24 hours ago.

I have never even used NPM.

Ok, but the rest of the industry does. And you still use other package managers, such as Composer and, presumably, some Linux package manager. Those have suffered supply chain attacks just like this.

While these attacks are a nasty, in the real world you can't get away with a zero trust approach. You're relying on many layers of software just to run a web app. It takes vigilance.

That's why I miss the good old pencil and paper days. Or at least the old MSDOS days.

Great idea. Maybe its time to put the use axios on the back burner.