NetworkChuck (Tech): the WORST hack of 2026
TL;DR
The Axios npm library (100M+ weekly downloads) was hijacked via a stolen maintainer token, deploying a self-erasing remote access Trojan in 1.1 seconds.
Key Points
1. The attacker hijacked Axios by stealing lead maintainer Jason Semen's long-lived npm access token, then changed the account email to 'ifstoppro.mme' and poisoned two release branches (1.14.1 and 0.30.4) within 39 minutes of each other.
2. No malicious code was added to the Axios source files themselves. Instead, a single line added to package.json introduced 'plain-crypto.js' as a dependency, and that package's postinstall script acted as a dropper, bypassing the CI/CD pipeline by publishing through the npm CLI.
3. The malware used two layers of obfuscation and deployed an OS-specific remote access Trojan in 1.1 seconds. setup.js decoded the payload using XOR and Base64, contacted a C2 server, downloaded the RAT, then deleted all traces, including setup.js itself and the malicious package.json.
4. The supply-chain blast radius is enormous: 174,000 projects depend on Axios directly, and Axios is a transitive dependency among the 200–2,100 packages the average npm project relies on. Socket.dev was the first to discover the breach.
5. Users can check whether they are affected by running 'npm list -g axios' and looking for versions 1.14.1 or 0.30.4. If one of those versions is present, treat the machine as fully compromised: rotate all API keys, credentials, and tokens immediately.
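The global `npm list` check above only covers globally installed copies. As an added example (not from the video or the Axios project), the script below scans a project's package-lock.json for the two poisoned release versions and for the 'plain-crypto.js' dropper named in the summary, including nested copies under other packages; the lockfile it runs on is constructed for illustration.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3 "packages" map)
// for the two poisoned axios releases and for the dropper dependency named
// in the write-up. SAMPLE_LOCK below is constructed, not a real lockfile.
const AFFECTED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER_NAME = "plain-crypto.js";

// Derive the package name from a lockfile path such as
// "node_modules/foo/node_modules/axios" -> "axios".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Returns a list of findings; an empty list means no indicator matched.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = nameFromPath(path);
    if (name === "axios" && AFFECTED_AXIOS.has(entry.version)) {
      findings.push({ path, reason: `axios ${entry.version} is a poisoned release` });
    }
    if (name === DROPPER_NAME) {
      findings.push({ path, reason: `dropper package ${DROPPER_NAME} is installed` });
    }
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (DROPPER_NAME in deps) {
      findings.push({ path, reason: `${name} declares a dependency on ${DROPPER_NAME}` });
    }
  }
  return findings;
}

// Constructed lockfile: a poisoned top-level axios plus a clean nested one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto.js": "^1.0.0" } },
    "node_modules/plain-crypto.js": { version: "1.0.0", hasInstallScript: true },
    "node_modules/legacy-lib": { version: "2.0.0", dependencies: { axios: "^0.27.0" } },
    "node_modules/legacy-lib/node_modules/axios": { version: "0.27.2" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; a non-empty result means the host should be treated as compromised per point 5.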