How to Check if axios 1.14.1 Compromised Your NPM Project
Problem
I heard that axios version 1.14.1 was compromised. Someone hijacked the maintainer account and injected malware. I use axios in almost every project. Did my projects get infected?
I didn’t know how to check. The advice online was scattered. Some said check package.json, others said check package-lock.json. Some mentioned system artifacts I’d never heard of.
Here’s what I found after digging through Reddit discussions and security research.
What Happened?
Attackers compromised the axios npm package by hijacking a maintainer account. They published version 1.14.1 with a hidden dependency: [email protected]. This dependency contains a Remote Access Trojan (RAT).
The attack flow looks like this:
┌─────────────┐ ┌─────────────┐ ┌─────────────┐│ axios 1.14.1│ ──→ │plain-crypto-js│ ──→ │ RAT │└─────────────┘ │ @4.2.1 │ │ (malware) │ └─────────────┘ └─────────────┘ │ │ └──────┬─────────────┘ ▼ ┌───────────────┐ │ System access │ │ Credential theft│ └───────────────┘If you installed this version, the RAT could have:
- Stolen API keys and credentials
- Accessed your environment variables
- Created persistence mechanisms on your system
Step 1: Check package-lock.json
My first mistake: I only checked package.json. That file says “axios: ^1.14.0” which could resolve to 1.14.1. But the actual installed version lives in package-lock.json.
# Look for the compromised axios version
# Look for the malicious dependency
# Combined check - saferI ran this on my main project:
$ grep "[email protected]" package-lock.json "[email protected]": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",...
$ grep "[email protected]" package-lock.json "[email protected]": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",...Found it. Both the compromised axios and the malicious dependency were in my lockfile.
Step 2: Check System Artifacts
The RAT creates persistence files. These survive even after you remove the npm package.
On macOS:
ls -la /Library/Caches/com.apple.act.mondOn Linux:
ls -la /tmp/ld*
# Or search all /tmp files starting with 'ld'find /tmp -name "ld*" -type f 2>/dev/nullI checked my Mac:
$ ls -la /Library/Caches/com.apple.act.mondls: /Library/Caches/com.apple.act.mond: No such file or directoryNo persistence artifact found. That’s good news - maybe the RAT didn’t execute, or I caught it early.
Step 3: Rollback to Safe Version
I needed to remove the compromised version immediately.
First attempt - just reinstall:
npm uninstall axiosBut the malicious dependency was still in my node_modules from the lockfile. The clean reinstall didn’t remove it.
Better approach - clean slate:
# Remove everythingrm -rf node_modules package-lock.json
# Reinstall with safe version
# Verifynpm list axiosAfter this:
$ npm list axios[email protected] /Users/me/projects/myprojectVersion 1.14.0 is safe. The malicious version was 1.14.1, which doesn’t exist in the official axios release history. The attackers created a fake version number.
Step 4: Credential Rotation
This is the part many people skip. If the RAT ran, it could have stolen:
- AWS credentials
- API keys in .env files
- SSH keys
- Database passwords
I rotated everything:
| Credential Type | Action |
|---|---|
| AWS keys | Generated new keys in IAM console |
| API keys | Regenerated in respective services |
| .env files | Replaced all secrets |
| SSH keys | Created new keypair |
Why This Matters
axios has over 13 million weekly downloads. Even a brief window of exposure affects thousands of developers.
Supply chain attacks exploit trust. You trust the axios maintainers. You trust npm to deliver what you asked for. When that trust is broken, the damage cascades:
Trusted package ──→ Dependency ──→ Your code ──→ Production │ │ │ │ (compromised) (malware) (infected) (breached)Common Mistakes
I made several mistakes during this investigation:
-
Only checking package.json: The lockfile is the truth. package.json is just a request.
-
Assuming npm audit would catch it: npm audit checks for known vulnerabilities in package metadata. This was a brand-new attack - not in any database yet.
-
Not checking system artifacts: Even after removing the package, persistence mechanisms can remain.
-
Forgetting credential rotation: Downgrading axios doesn’t undo what the RAT might have stolen.
Detection Script
I wrote a script to check all my projects:
#!/bin/bash# Run this in your project directory
echo "=== Checking for axios 1.14.1 compromise ==="
# Check package-lock.jsonif [ -f "package-lock.json" ]; then echo "[+] Checking package-lock.json..."
else fi
else fielse echo "[-] No package-lock.json found"fi
# Check macOS persistenceif [[ "$OSTYPE" == "darwin"* ]]; then echo "[+] Checking macOS artifacts..." if [ -f "/Library/Caches/com.apple.act.mond" ]; then echo " [!] FOUND: macOS persistence artifact" ls -la /Library/Caches/com.apple.act.mond else echo " [OK] No macOS persistence found" fifi
# Check Linux persistenceif [[ "$OSTYPE" == "linux-gnu"* ]]; then echo "[+] Checking Linux artifacts..." artifacts=$(find /tmp -name "ld*" -type f 2>/dev/null) if [ -n "$artifacts" ]; then echo " [!] FOUND: Linux persistence artifacts" echo "$artifacts" else echo " [OK] No Linux persistence found" fifi
echo "=== Scan complete ==="Run it:
chmod +x axios-compromise-check.sh./axios-compromise-check.shSafe Versions
Based on community reports, these axios versions are safe:
- 1.7.9 (current stable)
- 1.13.6
- 1.14.0 (just before the fake 1.14.1)
Version 1.14.1 was never a legitimate release. The attackers jumped the version number to bypass semver range matching.
Summary
I learned three things from this incident:
-
Check package-lock.json, not package.json: The lockfile shows what actually installed.
-
System artifacts matter: The RAT creates persistence files that survive package removal.
-
Rotate credentials: Even if you caught it early, assume exposure and rotate everything.
The remediation steps:
# 1. Check for compromise
# 2. Check system artifacts (macOS)ls -la /Library/Caches/com.apple.act.mond
# 3. Clean reinstallrm -rf node_modules package-lock.json
# 4. Rotate all credentials# (Manual process - depends on your services)
# 5. Audit git history for suspicious changesgit log --oneline --all --since="2026-03-01"Supply chain attacks will keep happening. The best defense is fast detection and rapid response.
Final Words + More Resources
My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me
Here are also the most important links from this article along with some further resources that will help you in this scope:
- 👨💻 Aikido Security: axios Supply Chain Attack
- 👨💻 Reddit Discussion: [email protected] Compromised
- 👨💻 npm Security Best Practices
Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
Comments