Hackers have hijacked and modified a popular open source software development tool to distribute malware that could put millions of developers at risk of compromise.
On Monday, hackers pushed a malicious version of Axios, a widely used JavaScript library that developers rely on to connect their software to the Internet. The affected packages were hosted on npm, a software repository that stores code for open source projects. Axios is downloaded tens of millions of times every week.
Security firm Step Security, which analyzed the attack, said the hijacking was discovered and thwarted in about three hours during the night from Monday to Tuesday.
Hackers are increasingly targeting the developers of popular open source projects with the aim of mass-hacking everyone who relies on their compromised code, potentially giving the attackers access to a vast number of affected devices. This type of widespread breach is called a supply chain attack because it compromises software upstream, so that everyone who downloads the tampered software is exposed. In recent years, hackers have reached large numbers of users this way by compromising companies like 3CX, Kaseya, and SolarWinds, as well as open source tools like Log4j and Polyfill.io.
It is currently unknown how many people downloaded the malicious version of Axios during that period. Security firm Aikido, which also investigated the incident, said anyone who downloaded the code “should assume their systems have been compromised.”
Hackers were able to slip malicious code into Axios by compromising the account of one of the project's key developers, who was authorized to push updates. The hacker replaced the legitimate developer's email address on the account with his own, making it even more difficult for the developer to regain access.
The hacker who took control of the account inserted malicious code designed to deliver a remote access Trojan (RAT). This is essentially malware that allows hackers to take full remote control of the victim's computer. The hackers then pushed a new version of Axios with legitimate-looking updates for Windows, macOS, and Linux users.
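For a developer reading this, the first practical question is whether any project's lockfile resolves axios to the poisoned release. The script below is an added example, not code from the article, from Step Security or from Aikido: it walks an npm `package-lock.json` (both the older v1 nested `dependencies` layout and the v2/v3 `packages` layout) and flags every install path whose package name and version appear on a denylist. The article does not name the affected version numbers, so the version strings here are placeholders to be replaced with the ones from your advisory; the two lockfiles are constructed sample data, and `auditLockfile` and its file path argument are assumptions for the on-disk usage.

```javascript
// Added example (not from the article): audit an npm lockfile for packages
// pinned to versions on a denylist. "axios" is the package named in the
// article; the version strings below are PLACEHOLDERS because the article does
// not state the affected releases. A "*" entry matches any version.
const DENYLIST = {
  axios: ["0.0.0-placeholder-bad"], // PLACEHOLDER, not a real affected release
};

// Constructed package-lock.json in the v2/v3 style ("packages" keyed by path).
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": { version: "0.0.0-placeholder-bad" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib/node_modules/axios": { version: "1.6.0" },
  },
};

// Constructed package-lock.json in the v1 style (nested "dependencies").
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    axios: { version: "1.6.0" },
    "some-lib": {
      version: "2.0.0",
      dependencies: { axios: { version: "0.0.0-placeholder-bad" } },
    },
  },
};

// Yield { name, version, path } for every installed package in the lockfile,
// whichever lockfile version produced it.
function* lockEntries(lock) {
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      // Package name is everything after the last "node_modules/", which
      // keeps scoped names such as "@scope/name" intact.
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path };
    }
  }
  if (lock.dependencies) yield* walkV1(lock.dependencies, "");
}

// Recursive walk for the v1 layout, reconstructing install paths as we go.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Return every lockfile entry whose name and version are on the denylist.
function findCompromised(lock, denylist = DENYLIST) {
  const hits = [];
  for (const entry of lockEntries(lock)) {
    const badVersions = denylist[entry.name];
    if (!badVersions) continue;
    if (badVersions.includes("*") || badVersions.includes(entry.version)) hits.push(entry);
  }
  return hits;
}

// Assumed helper for real use: read a lockfile from disk and audit it.
function auditLockfile(filePath, denylist = DENYLIST) {
  const fs = require("node:fs");
  return findCompromised(JSON.parse(fs.readFileSync(filePath, "utf8")), denylist);
}

// Demo over the constructed lockfiles; each flags exactly one entry.
for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const hits = findCompromised(lock);
  console.log(`lockfileVersion ${lock.lockfileVersion}: ${hits.length} flagged`);
  for (const h of hits) console.log(`  ${h.path} -> ${h.name}@${h.version}`);
}
```

Run it with `node audit.js` after pointing `auditLockfile` at a real lockfile. The nested v1 sample matters: a compromised copy can sit several levels deep under another dependency's `node_modules`, where a glance at the top-level `dependencies` block would miss it.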
Security researchers said the hackers also designed the malware and some of the code used to distribute it to be automatically removed after installation to hide it from anti-malware engines and investigators.

