The March 31, 2026 Axios incident was an npm supply-chain compromise, not a normal Axios code bug. Here is what was verified, who was at risk, and how to respond.

Searches for "Axios vulnerability" have exploded over the last 48 hours, but that phrase is slightly misleading. What happened on March 31, 2026 was not primarily another ordinary Axios code bug in request handling. It was a compromise of the official Axios package on npm. Two malicious releases axios@1.14.1 and axios@0.30.4 were published through a compromised maintainer path, pulled in plain crypto js@4.2.1, and executed a cross platform remote access trojan during installation via a postinstall hook. That is why the right mental model is "supply chain compromise" rather than "library bug." According to GitHub's official malware advisory, any machine that installed or ran those versions should be treated as fully compromised. ([GitHub][1]) The reason this incident immediately became glob

Latest writing

Axios vulnerability 2026: what actually happened in the npm supply-chain attack