Skip to content

How to Check if axios 1.14.1 Compromised Your NPM Project

Problem

I heard that axios version 1.14.1 was compromised. Someone hijacked the maintainer account and injected malware. I use axios in almost every project. Did my projects get infected?

I didn’t know how to check. The advice online was scattered. Some said check package.json, others said check package-lock.json. Some mentioned system artifacts I’d never heard of.

Here’s what I found after digging through Reddit discussions and security research.

What Happened?

Attackers compromised the axios npm package by hijacking a maintainer account. They published version 1.14.1 with a hidden dependency: [email protected]. This dependency contains a Remote Access Trojan (RAT).

The attack flow looks like this:

Attack chain
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ axios 1.14.1│ ──→ │plain-crypto-js│ ──→ │ RAT │
└─────────────┘ │ @4.2.1 │ │ (malware) │
└─────────────┘ └─────────────┘
│ │
└──────┬─────────────┘
┌───────────────┐
│ System access │
│ Credential theft│
└───────────────┘

If you installed this version, the RAT could have:

  • Stolen API keys and credentials
  • Accessed your environment variables
  • Created persistence mechanisms on your system

Step 1: Check package-lock.json

My first mistake: I only checked package.json. That file says “axios: ^1.14.0” which could resolve to 1.14.1. But the actual installed version lives in package-lock.json.

Check package-lock.json
# Look for the compromised axios version
grep "[email protected]" package-lock.json
# Look for the malicious dependency
grep "[email protected]" package-lock.json
# Combined check - safer
grep -E "[email protected]|[email protected]" package-lock.json

I ran this on my main project:

My results
$ grep "[email protected]" package-lock.json
"version": "1.14.1",
"resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
...
$ grep "[email protected]" package-lock.json
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
...

Found it. Both the compromised axios and the malicious dependency were in my lockfile.

Step 2: Check System Artifacts

The RAT creates persistence files. These survive even after you remove the npm package.

On macOS:

macOS artifact check
ls -la /Library/Caches/com.apple.act.mond

On Linux:

Linux artifact check
ls -la /tmp/ld*
# Or search all /tmp files starting with 'ld'
find /tmp -name "ld*" -type f 2>/dev/null

I checked my Mac:

macOS result
$ ls -la /Library/Caches/com.apple.act.mond
ls: /Library/Caches/com.apple.act.mond: No such file or directory

No persistence artifact found. That’s good news - maybe the RAT didn’t execute, or I caught it early.

Step 3: Rollback to Safe Version

I needed to remove the compromised version immediately.

First attempt - just reinstall:

First attempt - failed
npm uninstall axios
npm install [email protected]

But the malicious dependency was still in my node_modules from the lockfile. The clean reinstall didn’t remove it.

Better approach - clean slate:

Clean install approach
# Remove everything
rm -rf node_modules package-lock.json
# Reinstall with safe version
npm install [email protected]
# Verify
npm list axios

After this:

Verification output
$ npm list axios
[email protected] /Users/me/projects/myproject

Version 1.14.0 is safe. The malicious version was 1.14.1, which doesn’t exist in the official axios release history. The attackers created a fake version number.

Step 4: Credential Rotation

This is the part many people skip. If the RAT ran, it could have stolen:

  • AWS credentials
  • API keys in .env files
  • SSH keys
  • Database passwords

I rotated everything:

Credential TypeAction
AWS keysGenerated new keys in IAM console
API keysRegenerated in respective services
.env filesReplaced all secrets
SSH keysCreated new keypair

Why This Matters

axios has over 13 million weekly downloads. Even a brief window of exposure affects thousands of developers.

Supply chain attacks exploit trust. You trust the axios maintainers. You trust npm to deliver what you asked for. When that trust is broken, the damage cascades:

Supply chain impact
Trusted package ──→ Dependency ──→ Your code ──→ Production
│ │ │ │
(compromised) (malware) (infected) (breached)

Common Mistakes

I made several mistakes during this investigation:

  1. Only checking package.json: The lockfile is the truth. package.json is just a request.

  2. Assuming npm audit would catch it: npm audit checks for known vulnerabilities in package metadata. This was a brand-new attack - not in any database yet.

  3. Not checking system artifacts: Even after removing the package, persistence mechanisms can remain.

  4. Forgetting credential rotation: Downgrading axios doesn’t undo what the RAT might have stolen.

Detection Script

I wrote a script to check all my projects:

axios-compromise-check.sh
#!/bin/bash
# Run this in your project directory
echo "=== Checking for axios 1.14.1 compromise ==="
# Check package-lock.json
if [ -f "package-lock.json" ]; then
echo "[+] Checking package-lock.json..."
if grep -q "[email protected]" package-lock.json; then
echo " [!] FOUND: [email protected] - COMPROMISED"
else
echo " [OK] [email protected] not found"
fi
if grep -q "[email protected]" package-lock.json; then
echo " [!] FOUND: [email protected] - MALWARE DEPENDENCY"
else
echo " [OK] [email protected] not found"
fi
else
echo "[-] No package-lock.json found"
fi
# Check macOS persistence
if [[ "$OSTYPE" == "darwin"* ]]; then
echo "[+] Checking macOS artifacts..."
if [ -f "/Library/Caches/com.apple.act.mond" ]; then
echo " [!] FOUND: macOS persistence artifact"
ls -la /Library/Caches/com.apple.act.mond
else
echo " [OK] No macOS persistence found"
fi
fi
# Check Linux persistence
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
echo "[+] Checking Linux artifacts..."
artifacts=$(find /tmp -name "ld*" -type f 2>/dev/null)
if [ -n "$artifacts" ]; then
echo " [!] FOUND: Linux persistence artifacts"
echo "$artifacts"
else
echo " [OK] No Linux persistence found"
fi
fi
echo "=== Scan complete ==="

Run it:

Running the check
chmod +x axios-compromise-check.sh
./axios-compromise-check.sh

Safe Versions

Based on community reports, these axios versions are safe:

  • 1.7.9 (current stable)
  • 1.13.6
  • 1.14.0 (just before the fake 1.14.1)

Version 1.14.1 was never a legitimate release. The attackers jumped the version number to bypass semver range matching.

Summary

I learned three things from this incident:

  1. Check package-lock.json, not package.json: The lockfile shows what actually installed.

  2. System artifacts matter: The RAT creates persistence files that survive package removal.

  3. Rotate credentials: Even if you caught it early, assume exposure and rotate everything.

The remediation steps:

Full remediation
# 1. Check for compromise
grep -E "[email protected]|[email protected]" package-lock.json
# 2. Check system artifacts (macOS)
ls -la /Library/Caches/com.apple.act.mond
# 3. Clean reinstall
rm -rf node_modules package-lock.json
npm install [email protected]
# 4. Rotate all credentials
# (Manual process - depends on your services)
# 5. Audit git history for suspicious changes
git log --oneline --all --since="2026-03-01"

Supply chain attacks will keep happening. The best defense is fast detection and rapid response.

Final Words + More Resources

My intention with this article was to help others share my knowledge and experience. If you want to contact me, you can contact by email: Email me

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!

Comments