Hacker News rapidly amplified a serious npm supply-chain incident on March 31, 2026 after StepSecurity disclosed two malicious axios releases. The HN thread crossed 720 points and 233 comments the same day, reflecting how widely the JavaScript ecosystem depends on axios.

What happened

According to StepSecurity’s incident report, the compromised releases were axios@1.14.1 and axios@0.30.4. StepSecurity says they were published with stolen npm credentials from a lead maintainer, outside the project’s normal GitHub Actions plus OIDC publishing flow. The report says the attacker changed the account email to a ProtonMail address and manually pushed poisoned builds with the npm CLI.

The malicious axios packages added a runtime dependency, plain-crypto-js@4.2.1.
That package was not imported anywhere in axios source code; its role was to trigger a postinstall script.
StepSecurity says the script acted as a cross-platform RAT dropper for macOS, Windows, and Linux and called out to a live C2 server.

The report also lays out a detailed timeline. A clean-looking decoy package was published first, then a malicious plain-crypto-js@4.2.1, then the two axios versions 39 minutes apart. npm later removed the affected axios releases and replaced the dependency with a security-holder stub. StepSecurity’s conclusion is blunt: if a system installed axios@1.14.1 or axios@0.30.4, it should be treated as compromised.

Why it matters

This incident stands out because the attacker avoided obvious source-code tampering inside axios itself. Instead, the malicious logic lived in an added dependency and abused installation-time execution. That makes registry metadata, trusted publishing, and anomaly detection more important than a simple diff of application code.

For teams that pin or audit JavaScript dependencies, this is a reminder to check registry provenance, CI publishing identity, and any unexpected postinstall behavior before treating a release as safe. The original source is StepSecurity’s incident write-up; community discussion is in the Hacker News thread.

#axios

Axios npm Compromise Shows How Fast a Maintainer Token Can Become a Supply-Chain Incident