On March 31, 2026, two malicious versions of Axios, the widely used JavaScript HTTP client, were briefly published to npm. Both carried a hidden dependency that installed a remote access trojan (RAT) on macOS, Windows, and Linux machines.
The attack did not exploit any bug in the Axios code itself. It exploited the trust placed in the maintainer responsible for publishing the library, and in doing so showed how fragile the human link in open-source supply chains is. The pattern resembles earlier attacks in which adversaries spent a long time building trust before acting.
Attacks like this are long games that technical controls alone cannot stop, because the weak point is who is able to publish, not what the software does.
Organizations should therefore audit their dependency trees for the compromised Axios versions, in particular 1.8.2 and 1.9.3, and replace them immediately. The incident also left a lasting mark on the Axios maintainers, underscoring the need for detailed recovery plans.
Despite the project's global importance, it is run by a small group of people without institutional security resources or dedicated support, and that hard truth can no longer be ignored. The attacker worked directly from Saayman's compromised machine, riding the active sessions already open on it. He has since retired the affected devices, rotated every credential, and adopted hardware security keys along with a stricter publishing workflow.
In a public comment on GitHub, he said he had fallen victim to "a pretty well-known social engineering attack" and described in detail how completely the attacker had taken over his environment. The impact was much wider than first thought, making this one of the more understated but damaging supply chain events in recent history. Whoever compromises an Axios maintainer effectively controls the entire dependency tree beneath the library.
Most teams never chose Axios deliberately; it arrived as a transitive dependency, buried several layers deep in their lock files.
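Because the compromised versions usually arrive transitively, grepping `package.json` is not enough: the check has to walk the lock file, including copies of Axios nested under other packages, and then compare the declared dependencies of a suspicious copy against the copy you were already running to surface any hidden dependency of the kind the article describes. The script below is an added example written for this article, not code from the Axios project or from the article's author. It assumes npm's lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/...` paths), takes the affected version numbers from the article, and runs against a constructed sample lock file embedded inline; the package names `some-sdk` and `unexpected-new-dep` in that sample are placeholders, not real packages.

```javascript
// Added example (not Axios project code): scan a package-lock.json for
// the Axios versions the article names as compromised, including copies
// nested under other packages, and surface dependencies a flagged copy
// declares that a trusted copy does not.

// Versions named in the article as compromised.
const AFFECTED = new Set(["1.8.2", "1.9.3"]);

// Constructed sample lock file, shaped like npm lockfileVersion 3 output.
// "some-sdk" and "unexpected-new-dep" are placeholder names, not real packages.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.7.0", "some-sdk": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.7.9",
      dependencies: { "follow-redirects": "^1.15.6" },
    },
    "node_modules/some-sdk": { version: "2.3.1", dependencies: { axios: "1.9.3" } },
    // Nested copy pulled in by some-sdk: this is the one a package.json grep misses.
    "node_modules/some-sdk/node_modules/axios": {
      version: "1.9.3",
      dependencies: { "follow-redirects": "^1.15.6", "unexpected-new-dep": "^1.0.0" },
    },
  },
};

// Turn a lock-file key such as "node_modules/a/node_modules/@s/b" into
// the chain of package names ["a", "@s/b"] that pulled the leaf in.
function dependencyChain(key) {
  return key
    .split("node_modules/")
    .map((part) => part.replace(/\/$/, ""))
    .filter(Boolean);
}

// Return every installed copy of `pkgName` whose version is in `affected`,
// with the first-hop dependency that introduced it ("direct" if the app
// itself depends on it) and the dependencies that copy declares.
function findAffected(lock, affected = AFFECTED, pkgName = "axios") {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const chain = dependencyChain(key);
    if (chain.length === 0 || chain[chain.length - 1] !== pkgName) continue;
    if (!affected.has(meta.version)) continue;
    hits.push({
      path: key,
      version: meta.version,
      via: chain.length === 1 ? "direct" : chain[0],
      dependencies: Object.keys(meta.dependencies || {}).sort(),
    });
  }
  return hits;
}

// Dependencies declared by a flagged copy that a trusted copy of the same
// package does not declare. A new, unexplained entry here is the kind of
// hidden dependency the article describes and deserves manual review.
function unexpectedDependencies(flaggedMeta, trustedMeta) {
  const trusted = new Set(Object.keys(trustedMeta.dependencies || {}));
  return Object.keys(flaggedMeta.dependencies || {})
    .filter((name) => !trusted.has(name))
    .sort();
}

// Stand-alone run against the constructed sample.
const sampleHits = findAffected(SAMPLE_LOCK);
console.log(JSON.stringify(sampleHits, null, 2));
for (const hit of sampleHits) {
  const extra = unexpectedDependencies(
    SAMPLE_LOCK.packages[hit.path],
    SAMPLE_LOCK.packages["node_modules/axios"],
  );
  console.log(`${hit.path}: unexpected dependencies -> ${extra.join(", ") || "(none)"}`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; for the trusted baseline, use the entry for the version you were on before the incident window, or a lock file from a known-good commit. Lock files with `lockfileVersion` 1 use a nested `dependencies` tree instead of the flat `packages` map and would need a recursive walk.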