{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/355446?format=json","vulnerability_id":"VCID-qkmj-smh6-2bgn","summary":"Embedded Malicious Code via compromised maintainer account\nTwo malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 using a compromised maintainer account. Both versions inject a hidden dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious `postinstall` script contacts a command-and-control server and downloads a platform-specific second-stage payload. Any system that ran `npm install` while either version was available should be treated as fully compromised. The malicious packages have been removed from the npm registry.","aliases":[{"alias":"GHSA-fw8c-xr5c-95f9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62854?format=json","purl":"pkg:npm/axios@0.30.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-axk7-6q4b-vuga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.3"},{"url":"http://public2.vulnerablecode.io/api/packages/1088747?format=json","purl":"pkg:npm/axios@1.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-axk7-6q4b-vuga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.0"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1088745?format=json","purl":"pkg:npm/axios@0.30.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qkmj-smh6-2bgn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@0.30.4"},{"url":"http://public2.vulnerablecode.io/api/packages/1088746?format=json","purl":"pkg:npm/axios@1.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qkmj-smh6-2bgn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.14.1"}],"references":[{"reference_url":"https://github.com/axios/axios/issues/10604","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/axios/axios/issues/10604"},{"reference_url":"https://socket.dev/blog/axios-npm-package-compromised","reference_id":"","reference_type":"","scores":[],"url":"https://socket.dev/blog/axios-npm-package-compromised"},{"reference_url":"https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html","reference_id":"","reference_type":"","scores":[],"url":"https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"},{"reference_url":"https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan","reference_id":"","reference_type":"","scores":[],"url":"https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"}],"weaknesses":[{"cwe_id":506,"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":"0.5","weighted_severity":"0.0","risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qkmj-smh6-2bgn"}