According to Feross Aboukhadijeh, co-founder of the security firm Socket Security, there is an active supply chain attack on Axios, one of npm’s most depended-on packages. npm (Node Package Manager) is the world’s largest software registry, hosting more than two million packages of open-source JavaScript code.
Key takeaways
Quick scan — what you need to know:
- An argument can be made that it’s the backbone of modern Web3 development.
- According to Feross, the latest axios@1.14.1 is currently pulling in plain-crypto-just@4.2.1, a package that did not exist before today, which suggests a live compromise.
Background
What led here, in plain terms:
- This is textbook supply chain installer malware.
- Axios has 100M+ weekly downloads.
- Every npm install pulling the latest version is potentially compromised right now.
- Socket AI analysis confirms this is malware.
Why it matters
Why readers and decision-makers should care:
- “This is textbook supply chain installer malware. axios…” — Feross (@feross), March 31, 2026
- The expert recommends that developers who use axios immediately pin their versions and audit their lockfiles, while refraining from any updates for the time…
- The post Expert Warns of Critical, Ongoing Supply Chain Attack on Axios appeared first on CryptoPotato.
