What happened
In late March 2026, malicious versions of the widely used JavaScript package axios were published to npm, triggering a supply-chain security incident. The known affected versions are axios@1.14.1 and axios@0.30.4. Reports also indicated that a malicious dependency, plain-crypto-js, could be installed alongside them. Even if you did not install axios yourself, you should account for the possibility that it entered through AI coding tools, automatic dependency updates, or CI install processes.
First things to check
1. Run `npm list axios` or check package-lock.json to see whether axios 1.14.1 / 0.30.4 was installed.
2. Check whether the path `node_modules/plain-crypto-js` exists.
3. Search CI/CD logs for installs of those axios versions.
4. If RAT artifacts for any OS are found, treat the system as fully compromised and isolate it immediately.
Suggested inspection commands
- `npm list axios`
- `grep -R "axios" package-lock.json`
- `find node_modules -maxdepth 2 -name plain-crypto-js`
- Search recent CI pipeline logs for axios 1.14.1 / 0.30.4 installs
Look at package-lock.json and the actual node_modules together. If a malicious package was installed and then removed, the trace may remain only in the lockfile or CI logs.
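The lockfile and node_modules checks above, combined into one script. This is an added example, not part of the original note; it assumes an npm-formatted package-lock.json (one key per line, v1 "dependencies" or v2/v3 "packages" layout) and looks only for the axios versions and the plain-crypto-js package name given in the advisory.

```shell
#!/bin/sh
# Added example (not from the original note): scan an npm-formatted
# package-lock.json (v1 "dependencies" or v2/v3 "packages" layout, one key
# per line) for the axios versions named in the advisory and for any
# plain-crypto-js entry, then check what is actually present under node_modules.
BAD_AXIOS_VERSIONS="1.14.1 0.30.4"
# Prints one line per finding; returns 0 when the lockfile is clean, 1 otherwise.
scan_lockfile() {
  findings=$(awk -v bad="$BAD_AXIOS_VERSIONS" '
    BEGIN { split(bad, badv, " ") }
    # Entry header such as  "node_modules/axios": {  (v2/v3) or  "axios": {  (v1):
    # remember the package name, stripping any node_modules/ path prefix.
    /^[ \t]*"[^"]*": [{][ \t]*$/ {
      key = $0
      gsub(/^[ \t]*"|": [{][ \t]*$/, "", key)
      sub(/^.*node_modules\//, "", key)
    }
    # The next "version" line belongs to the entry whose header was seen last.
    /^[ \t]*"version":/ {
      ver = $0
      gsub(/^[ \t]*"version":[ \t]*"|",?[ \t]*$/, "", ver)
      if (key == "axios")
        for (i in badv) if (ver == badv[i]) print "AFFECTED axios@" ver
      if (key == "plain-crypto-js") print "SUSPICIOUS plain-crypto-js@" ver
    }' "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
# Checks the installed tree: a lockfile entry may have been removed while the
# directory is still there, or vice versa. Returns 0 when nothing is found.
check_node_modules() {
  rc=0
  if [ -d "$1/plain-crypto-js" ]; then
    echo "PRESENT $1/plain-crypto-js"; rc=1
  fi
  if [ -f "$1/axios/package.json" ]; then
    ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1/axios/package.json" | head -n 1)
    for b in $BAD_AXIOS_VERSIONS; do
      if [ "$ver" = "$b" ]; then echo "INSTALLED axios@$ver"; rc=1; fi
    done
  fi
  return $rc
}
# Usage: sh scan.sh package-lock.json [node_modules]
if [ $# -gt 0 ]; then
  scan_lockfile "$1"; check_node_modules "${2:-node_modules}"
fi
```

Run it against every checkout and CI workspace, not just the one you remember installing into; a clean node_modules next to a lockfile that still lists the version is itself a finding.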
Immediate actions on suspected compromise
- Disconnect any system that ran a malicious version from the network immediately.
- Rotate every secret: npm tokens, GitHub tokens, cloud keys, API secrets, SSH keys, and so on.
- Rotate all CI/CD secrets as well.
- Re-review every server or container image deployed after the install timestamp.
- Do not stop at deleting the package — assume RAT execution is possible and respond accordingly.
Why recent AI-coding users need extra caution
Modern AI coding tools can suggest and add dependencies even when the developer did not explicitly request them. So even if you did not install axios on purpose, do not rule out the possibility that the affected version slipped in through generated code, throwaway test code, or agent-based automation. If you have used AI-based coding in the past few days, widen the inspection scope to be safe.
“Response to a package supply-chain compromise begins by discarding the assumption 'I never installed it.'”
— ARC Group security note
ARC Group's recommended response standard
If you have an install record for axios 1.14.1 or 0.30.4 together with traces of plain-crypto-js or related RAT activity, we recommend treating it as an incident-response situation rather than a simple vulnerable-package swap. Investigate developer machines, deployment servers, and CI environments separately, and work backwards from the install time to establish which credentials could have been exposed first.
