{"id":287,"date":"2026-04-02T12:53:40","date_gmt":"2026-04-02T07:23:40","guid":{"rendered":"https:\/\/geniushost.net\/blog\/?p=287"},"modified":"2026-04-15T12:15:56","modified_gmt":"2026-04-15T06:45:56","slug":"axios-npm-package-compromised-malware","status":"publish","type":"post","link":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/","title":{"rendered":"Critical Security Alert: Axios npm Package Compromised to Deploy Malware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">A serious supply chain security attack has been revealed, targeting <strong>Axios, <\/strong>one of the most widely used JavaScript HTTP client libraries worldwide. If your applications, CI\/CD pipelines, or development tools depend on npm packages, this threat may directly affect you. The risk can remain even after a standard package update.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-happened\">What Happened?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On <strong>March 30, 2026<\/strong>, a serious supply chain attack hit the official Axios npm package. Researchers discovered that <strong>versions 1.14.1 and 0.30.4 of Axios<\/strong>, uploaded to the npm registry, were affected. The attack happened after someone took control of a legitimate maintainer&#8217;s account. This allowed the attacker to publish unauthorized package updates that looked completely legitimate to both end users and automated systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These tampered releases added a <strong>harmful dependency<\/strong> that runs automatically during installation. This dependency installs a <strong>cross-platform Remote Access Trojan (RAT)<\/strong>, putting Windows, macOS, and Linux systems at risk.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">&#8220;The affected releases introduced a malicious dependency that executes during installation and deploys a cross\u2011platform remote access trojan (RAT). The malware communicates with a command and control (C2) server to retrieve platform\u2011specific second\u2011stage payloads.&#8221;<\/p>\n<cite>\u2014 Sophos Counter Threat Unit Research Team<\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-who-is-behind-this-attack\">Who Is Behind This Attack?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is not simply a random attack. Research from <strong>Sophos Counter Threat Unit (CTU)<\/strong> shows that forensic analysis of the Axios npm breach uncovered evidence closely linked to the <strong>NICKEL GLADSTONE<\/strong> threat group, a <strong>state-sponsored group<\/strong> aimed at profiting the North Korean regime.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The evidence linking this attack to NICKEL GLADSTONE includes identical forensic metadata, matching command-and-control (C2) patterns, and ties to malware associated only with this group. Sophos researchers believe it is very likely that NICKEL GLADSTONE is behind these attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-does-the-malware-work\">How Does the Malware Work?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The attack chain aims to be stealthy and persistent. Here is what occurs after a compromised version of Axios is installed:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Installation Trigger:<\/strong> The malicious dependency executes a <code>setup.js<\/code> script automatically during the <code>npm install<\/code> process \u2014 no additional user action required.<\/li>\n\n\n\n<li><strong>First-Stage Payload:<\/strong> The script reaches out to a C2 server (<code>sfrclak[.]com:8000<\/code>) and downloads a platform-specific first-stage payload (e.g., <code>system.bat<\/code> on Windows).<\/li>\n\n\n\n<li><strong>Cross-Platform RAT Deployment:<\/strong> Second-stage payloads are then retrieved and executed, a PowerShell RAT on Windows, a Python-based payload (<code>ld.py<\/code>) on Linux, and a daemon (<code>com.apple.act.mond<\/code>) on macOS.<\/li>\n\n\n\n<li>Evidence Removal: After execution, the Malware removes installation artifacts and replaces its own package metadata with a clean version to actively evade forensic detection.<\/li>\n\n\n\n<li><strong>Persistence:<\/strong> The Malware establishes persistence mechanisms, particularly on Windows, via <code>C:\\ProgramData\\wt.exe<\/code> and <code>C:\\ProgramData\\system.bat<\/code>.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">This self-cleaning behavior is particularly risky. <strong>Just updating the Axios package does not ensure your system is clean<\/strong>. The malware may already have established a lasting presence before you applied any fix.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-which-platforms-are-affected\">Which Platforms Are Affected?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sophos first detected activity in customer telemetry at about <strong>00:45 UTC on March 31, 2026<\/strong>. They noted widespread impact by 01:00 UTC. The malware is cross-platform and confirmed to target:<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-7387b849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\" id=\"h-windows\">\ud83e\ude9f Windows<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">PowerShell-based RAT dropped via <code>system.bat<\/code>. Persists at <code>C:\\ProgramData\\wt.exe<\/code>.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\" id=\"h-macos\">\ud83c\udf4e macOS<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Malicious daemon disguised as <code>com.apple.act.mond<\/code> a legitimate Apple process.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\" id=\"h-linux\">\ud83d\udc27 Linux<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Python-based payload (<code>ld.py<\/code>) deployed for remote access and credential theft.<\/p>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-should-you-care-even-if-you-don-t-use-axios-directly\">Why Should You Care, Even If You Don&#8217;t Use Axios Directly?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Axios is one of the most downloaded npm packages in the ecosystem and is used by millions of JavaScript and Node.js projects. The risk isn&#8217;t just for developers who directly include Axios in their <mark style=\"background-color:var(--ast-global-color-7)\" class=\"has-inline-color\">package.json<\/mark>. Here are some exposure scenarios to think about:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Transitive dependency exposure:<\/strong> Another package you use may depend on Axios behind the scenes. You may have installed the compromised version without knowing.<\/li>\n\n\n\n<li><strong>CI\/CD pipeline risk:<\/strong> Automated build and deployment pipelines running <code>npm install<\/code> during the affected window could have pulled down the malicious version.<\/li>\n\n\n\n<li><strong>Developer workstations:<\/strong> Any developer who ran an install on March 30\u201331, 2026, within the affected timeframe may have an active RAT on their machine.<\/li>\n\n\n\n<li><strong>Cloud and container builds:<\/strong> Docker images or serverless functions built during the affected window may contain malware and could be running in production right now.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-you-should-do-right-now\">What You Should Do Right Now<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Do not wait. If there is any chance your environment was exposed, treat it as a possible compromise. Here are the steps recommended by Sophos CTU researchers and the wider security community:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-audit-your-axios-versions\">1. Audit Your Axios Versions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check all projects and environments (including Docker images, CI\/CD runners, and developer machines) for Axios versions <strong>1.14.1<\/strong> or <strong>0.30.4<\/strong>. Run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>npm list axios --depth=10<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-update-to-a-clean-version-immediately\">2. Update to a Clean Version Immediately<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Update to the latest safe, verified release of Axios from the official npm registry. Confirm the integrity of the version using the SHA256 hashes published by Sophos (listed in the Indicators section below).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-audit-system-and-application-logs\">3. Audit System and Application Logs<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Review logs for unusual network connections, especially any outbound traffic to <code>sfrclak[.]com<\/code> or <code>142[.]11[.]206[.]73<\/code>. Look for suspicious process creation, unexpected PowerShell execution, or unusual startup items.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-check-for-persistence-indicators\">4. Check for Persistence Indicators<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On Windows systems, check for the existence of:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\ProgramData\\wt.exe\nC:\\ProgramData\\system.bat<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On macOS, check for unauthorized launch daemons or agents named <code>com.apple.act.mond<\/code>. On Linux, look for unexpected Python scripts, particularly <code>ld.py<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-rebuild-compromised-environments\">5. Rebuild Compromised Environments<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you have confirmed that the malicious version was installed, <strong>do not simply remove the package and move on.<\/strong> The Malware self-removes its tracks. Treat any affected machine as fully compromised, rebuild from a clean baseline, and rotate all secrets, tokens, API keys, and credentials that may have been accessible from that environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-threat-indicators-iocs\">Threat Indicators (IOCs)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Sophos has published the following indicators of compromise (IOCs) to detect activity related to this threat. <strong>Note: Do not navigate to these URLs or domains in a browser.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table><thead><tr><th>Indicator<\/th><th>Type<\/th><th>Context<\/th><\/tr><\/thead><tbody><tr><td><code>5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd<\/code><\/td><td>SHA256<\/td><td>Malicious Axios 1.14.1 package<\/td><\/tr><tr><td><code>59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f<\/code><\/td><td>SHA256<\/td><td>Malicious Axios 0.30.4 package<\/td><\/tr><tr><td><code>e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09<\/code><\/td><td>SHA256<\/td><td>Artifact: setup.js (installer payload)<\/td><\/tr><tr><td><code>617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101<\/code><\/td><td>SHA256<\/td><td>Windows 2nd-stage PowerShell RAT<\/td><\/tr><tr><td><code>92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a<\/code><\/td><td>SHA256<\/td><td>macOS payload (com.apple.act.mond)<\/td><\/tr><tr><td><code>fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf<\/code><\/td><td>SHA256<\/td><td>Linux payload (ld.py)<\/td><\/tr><tr><td><code>sfrclak[.]com<\/code><\/td><td>Domain<\/td><td>C2 server<\/td><\/tr><tr><td><code>callnrwise[.]com<\/code><\/td><td>Domain<\/td><td>Linked to attackers<\/td><\/tr><tr><td><code>142[.]11[.]206[.]73<\/code><\/td><td>IP Address<\/td><td>C2 server<\/td><\/tr><tr><td><code>hxxp:\/\/sfrclak[.]com:8000\/6202033<\/code><\/td><td>URL<\/td><td>Second-stage payload download URL<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-sophos-detections\">Sophos Detections<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you are running Sophos endpoint protection, the following detection signatures cover this threat:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>JS\/Agent-BLYB<\/code><\/li>\n\n\n\n<li><code>Troj\/PSAgent-CN<\/code><\/li>\n\n\n\n<li><code>Troj\/PyAgent-BZ<\/code><\/li>\n\n\n\n<li><code>OSX\/NukeSped-CB<\/code><\/li>\n\n\n\n<li><code>WIN-EVA-PRC-RENAMED-POWERSHELL-1<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-bigger-picture-supply-chain-security\">The Bigger Picture: Supply Chain Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This incident highlights the risks in today&#8217;s software supply chains. We create applications using many open-source dependencies, and each one can be a target for an attacker. Just one hacked maintainer account was enough to introduce malware into a package that has tens of millions of weekly downloads.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations should see this as a wake-up call to rethink their approach to dependency security.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>lockfiles<\/strong> (<code>package-lock.json<\/code> or <code>yarn.lock<\/code>) and verify integrity hashes.<\/li>\n\n\n\n<li>Consider <strong>private npm registries<\/strong> or dependency proxies that allow controlled vetting before packages reach your pipelines.<\/li>\n\n\n\n<li>Implement <strong>runtime monitoring<\/strong> on build environments to detect unexpected network connections during install steps.<\/li>\n\n\n\n<li>Enable <strong>two-factor authentication (2FA)<\/strong> on all npm accounts, especially those with publish rights.<\/li>\n\n\n\n<li>Use tools like <strong>Socket.dev<\/strong>, <strong>Aikido Security<\/strong>, or similar SCA (Software Composition Analysis) platforms to flag malicious or compromised packages in real time.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-references-amp-further-reading\">\ud83d\udcda References &amp; Further Reading<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\ud83d\udd17 <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/axios-npm-package-compromised-to-deploy-malware\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Sophos CTU Research: Axios npm package compromised to deploy Malware<\/strong><\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/socket.dev\/blog\/axios-npm-package-compromised\" target=\"_blank\" rel=\"noreferrer noopener\">Socket.dev: Axios npm Package Compromised<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/www.stepsecurity.io\/blog\/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan\" target=\"_blank\" rel=\"noreferrer noopener\">StepSecurity: Axios Compromised on npm \u2014 Malicious Versions Drop Remote Access Trojan<\/a><\/li>\n\n\n\n<li>\ud83d\udd17 <a href=\"https:\/\/www.aikido.dev\/blog\/axios-npm-compromised-maintainer-hijacked-rat\" target=\"_blank\" rel=\"noreferrer noopener\">Aikido Security: Axios npm Compromised \u2014 Maintainer Hijacked, RAT Deployed<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-gray-color has-text-color wp-block-paragraph\" style=\"font-size:13px\"><em>This post is intended for informational purposes. IOCs and indicators sourced from Sophos Counter Threat Unit\u2122 research. Always verify threat intelligence with your internal security team before acting on it.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A serious supply chain security attack has been revealed, targeting Axios, one of the most widely used JavaScript HTTP client libraries worldwide. If your applications, CI\/CD pipelines, or development tools depend on npm packages, this<\/p>\n","protected":false},"author":1,"featured_media":298,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[21],"tags":[],"class_list":["post-287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v28.0 (Yoast SEO v28.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Axios npm Package Compromised: Malware Steals Credentials - Genius Host Blog<\/title>\n<meta name=\"description\" content=\"Axios npm versions 1.14.1 &amp; 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who&#039;s behind it, and how to secure your systems now.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Critical Security Alert: Axios npm Package Compromised to Deploy Malware - Genius Host Blog\" \/>\n<meta property=\"og:description\" content=\"Axios npm versions 1.14.1 &amp; 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who&#039;s behind it, and how to secure your systems now.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"Genius Host Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/geniushost\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-02T07:23:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-15T06:45:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1344\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Sandeep Singh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@GeniusHostNet\" \/>\n<meta name=\"twitter:site\" content=\"@GeniusHostNet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sandeep Singh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/\"},\"author\":{\"name\":\"Sandeep Singh\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#\\\/schema\\\/person\\\/09f56e4dfc42e712b2f183177751d09f\"},\"headline\":\"Critical Security Alert: Axios npm Package Compromised to Deploy Malware\",\"datePublished\":\"2026-04-02T07:23:40+00:00\",\"dateModified\":\"2026-04-15T06:45:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/\"},\"wordCount\":1167,\"publisher\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Axios-npm-Package-Compromised.jpg\",\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/\",\"name\":\"Axios npm Package Compromised: Malware Steals Credentials - Genius Host Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Axios-npm-Package-Compromised.jpg\",\"datePublished\":\"2026-04-02T07:23:40+00:00\",\"dateModified\":\"2026-04-15T06:45:56+00:00\",\"description\":\"Axios npm versions 1.14.1 & 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who's behind it, and how to secure your systems now.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Axios-npm-Package-Compromised.jpg\",\"contentUrl\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Axios-npm-Package-Compromised.jpg\",\"width\":1344,\"height\":768,\"caption\":\"Axios npm Package Compromised\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/axios-npm-package-compromised-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Critical Security Alert: Axios npm Package Compromised to Deploy Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/\",\"name\":\"Genius Host Blog\",\"description\":\"Hosting guides, WordPress tips, performance tutorials, security advice, and marketing insights help you build faster, safer, and more successful websites.\",\"publisher\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#organization\"},\"alternateName\":\"Genius Host\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#organization\",\"name\":\"Genius Host Blog\",\"alternateName\":\"Genius Host\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/cropped-gh-bl-logo.png\",\"contentUrl\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/cropped-gh-bl-logo.png\",\"width\":512,\"height\":512,\"caption\":\"Genius Host Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/geniushost\",\"https:\\\/\\\/x.com\\\/GeniusHostNet\",\"https:\\\/\\\/t.me\\\/geniushosthq\"],\"description\":\"Genius Host provides fast, secure, and reliable web hosting, expert support, and optimized performance to ensure your website loads quickly and runs smoothly.\",\"email\":\"sales@geniushost.net\",\"telephone\":\"+918591286912\",\"legalName\":\"Genius Host\",\"foundingDate\":\"2012-08-05\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"1\",\"maxValue\":\"10\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/#\\\/schema\\\/person\\\/09f56e4dfc42e712b2f183177751d09f\",\"name\":\"Sandeep Singh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg\",\"url\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/geniushost.net\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/12\\\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg\",\"caption\":\"Sandeep Singh\"},\"description\":\"I\u2019m Sandeep, the founder of Genius Host. I spend my days helping people build faster, safer, and more reliable websites. When I\u2019m not working on tech, I test new tools, improve infrastructure, and find better ways to support website owners at every level.\",\"sameAs\":[\"https:\\\/\\\/geniushost.net\\\/blog\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Axios npm Package Compromised: Malware Steals Credentials - Genius Host Blog","description":"Axios npm versions 1.14.1 & 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who's behind it, and how to secure your systems now.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/","og_locale":"en_US","og_type":"article","og_title":"Critical Security Alert: Axios npm Package Compromised to Deploy Malware - Genius Host Blog","og_description":"Axios npm versions 1.14.1 & 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who's behind it, and how to secure your systems now.","og_url":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/","og_site_name":"Genius Host Blog","article_publisher":"https:\/\/www.facebook.com\/geniushost","article_published_time":"2026-04-02T07:23:40+00:00","article_modified_time":"2026-04-15T06:45:56+00:00","og_image":[{"width":1344,"height":768,"url":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg","type":"image\/jpeg"}],"author":"Sandeep Singh","twitter_card":"summary_large_image","twitter_creator":"@GeniusHostNet","twitter_site":"@GeniusHostNet","twitter_misc":{"Written by":"Sandeep Singh","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#article","isPartOf":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/"},"author":{"name":"Sandeep Singh","@id":"https:\/\/geniushost.net\/blog\/#\/schema\/person\/09f56e4dfc42e712b2f183177751d09f"},"headline":"Critical Security Alert: Axios npm Package Compromised to Deploy Malware","datePublished":"2026-04-02T07:23:40+00:00","dateModified":"2026-04-15T06:45:56+00:00","mainEntityOfPage":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/"},"wordCount":1167,"publisher":{"@id":"https:\/\/geniushost.net\/blog\/#organization"},"image":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg","articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/","url":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/","name":"Axios npm Package Compromised: Malware Steals Credentials - Genius Host Blog","isPartOf":{"@id":"https:\/\/geniushost.net\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#primaryimage"},"image":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg","datePublished":"2026-04-02T07:23:40+00:00","dateModified":"2026-04-15T06:45:56+00:00","description":"Axios npm versions 1.14.1 & 0.30.4 were hijacked to deploy a cross-platform RAT. Learn what was stolen, who's behind it, and how to secure your systems now.","breadcrumb":{"@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#primaryimage","url":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg","contentUrl":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2026\/04\/Axios-npm-Package-Compromised.jpg","width":1344,"height":768,"caption":"Axios npm Package Compromised"},{"@type":"BreadcrumbList","@id":"https:\/\/geniushost.net\/blog\/axios-npm-package-compromised-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/geniushost.net\/blog\/"},{"@type":"ListItem","position":2,"name":"Critical Security Alert: Axios npm Package Compromised to Deploy Malware"}]},{"@type":"WebSite","@id":"https:\/\/geniushost.net\/blog\/#website","url":"https:\/\/geniushost.net\/blog\/","name":"Genius Host Blog","description":"Hosting guides, WordPress tips, performance tutorials, security advice, and marketing insights help you build faster, safer, and more successful websites.","publisher":{"@id":"https:\/\/geniushost.net\/blog\/#organization"},"alternateName":"Genius Host","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/geniushost.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/geniushost.net\/blog\/#organization","name":"Genius Host Blog","alternateName":"Genius Host","url":"https:\/\/geniushost.net\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/geniushost.net\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2025\/12\/cropped-gh-bl-logo.png","contentUrl":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2025\/12\/cropped-gh-bl-logo.png","width":512,"height":512,"caption":"Genius Host Blog"},"image":{"@id":"https:\/\/geniushost.net\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/geniushost","https:\/\/x.com\/GeniusHostNet","https:\/\/t.me\/geniushosthq"],"description":"Genius Host provides fast, secure, and reliable web hosting, expert support, and optimized performance to ensure your website loads quickly and runs smoothly.","email":"sales@geniushost.net","telephone":"+918591286912","legalName":"Genius Host","foundingDate":"2012-08-05","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"1","maxValue":"10"}},{"@type":"Person","@id":"https:\/\/geniushost.net\/blog\/#\/schema\/person\/09f56e4dfc42e712b2f183177751d09f","name":"Sandeep Singh","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2025\/12\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg","url":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2025\/12\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg","contentUrl":"https:\/\/geniushost.net\/blog\/wp-content\/uploads\/2025\/12\/cropped-IMG_20240506_215855_205-scaled-1-96x96.jpg","caption":"Sandeep Singh"},"description":"I\u2019m Sandeep, the founder of Genius Host. I spend my days helping people build faster, safer, and more reliable websites. When I\u2019m not working on tech, I test new tools, improve infrastructure, and find better ways to support website owners at every level.","sameAs":["https:\/\/geniushost.net\/blog"]}]}},"_links":{"self":[{"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/posts\/287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/comments?post=287"}],"version-history":[{"count":9,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions"}],"predecessor-version":[{"id":308,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions\/308"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/media\/298"}],"wp:attachment":[{"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/media?parent=287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/categories?post=287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geniushost.net\/blog\/wp-json\/wp\/v2\/tags?post=287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}