An npm Supply Chain Attack Just Hit One of the Most Popular Packages on the Internet
Key Takeaways
Axios, one of the most widely used JavaScript packages in the world, was compromised in an npm supply chain attack on March 30, 2026
Attackers injected a malicious package called plain-crypto-js that installed a remote access trojan, giving attackers control of affected machines
Security firm Socket.dev detected the malicious package within six minutes of publication, but any site that updated in that window was exposed
This is exactly the kind of risk that a proactive website maintenance plan catches before it reaches your production site
An npm supply chain attack compromised axios on March 30, 2026. If that sentence means nothing to you, here's the short version: one of the most trusted building blocks of the modern web was poisoned, and any website that pulled in the update could have been silently infected with malware.
This is not a theoretical risk. It happened. And it's a clear example of why websites need active, ongoing maintenance, because blindly updating a website ad hoc is a pretty risky thing to do.
What happened with the axios npm supply chain attack
Axios is an open-source JavaScript package used by developers to make web requests. It's one of the most depended-on packages in the npm registry, with over 100 million downloads per week. If your website was built in the last five years, there's a reasonable chance axios is somewhere in the stack.
On March 30, a new version of axios, 1.14.1, was published. It looked like a normal update. But buried inside was a new dependency: a package called plain-crypto-js. That package didn't exist before that day.
It turned out to be a remote access trojan (RAT). In plain English: malware that gives an attacker remote control of the machine it's installed on.
What the malware did
The malicious package was designed to avoid detection. It used obfuscated code that only unpacked itself at runtime, making it invisible to basic scanning tools. Once active, it could execute shell commands on the host machine, drop files into system directories, and then delete evidence of its own activity.
It worked across operating systems. Windows, macOS, Linux. Any developer or server that installed the compromised version was potentially exposed.
How it was caught
Socket.dev, a security firm that monitors open-source packages, detected plain-crypto-js within six minutes of it being published. Their founder, Feross Aboukhadijeh, broke the news publicly on X (Twitter) and the security community moved quickly to contain the damage.
Six minutes is impressive. But six minutes is also long enough for automated build pipelines to pull the update and deploy it. I don't use automated updates; every site is updated manually.
Why this matters for your business website
Modern websites are built on layers of third-party software. A typical business website might rely on 200 to 500 individual packages, each maintained by independent developers and teams around the world.
Most of those packages are excellent, well-maintained, and trustworthy. But the supply chain is only as strong as its weakest link. If one package is compromised, every site that depends on it is exposed.
This isn't new. Software supply chain attacks have been increasing year on year. What makes this one notable is the target. Axios isn't some obscure utility. It's one of the most popular packages in the entire JavaScript ecosystem. If it can happen to axios, it can happen to anything.
What proactive maintenance looks like in practice
When I maintain a client's website, I use tools like Socket.dev to scan dependencies for known vulnerabilities and malicious packages before any update reaches the live site. It's the same tool that caught this axios compromise within six minutes.
In the case of this axios attack, the response for sites I maintain was straightforward: pin the package to the last known safe version, 1.14.0, audit the lockfile for any trace of plain-crypto-js, and monitor the situation until the compromise was fully resolved.
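The lockfile audit described above, written out as an added example (this is not code from the original post or from Socket.dev): it walks the `packages` map of an npm 7+ `package-lock.json`, flags any installed copy of plain-crypto-js, any package that declares it as a dependency, and any axios entry that is not the pinned 1.14.0. The sample lockfile and its version strings for the injected package are constructed for illustration.

```javascript
// Added example (not from the original post): audit a package-lock.json
// (npm 7+ "packages" map) for the injected dependency and the axios pin.
const MALICIOUS = "plain-crypto-js"; // dependency named in the post
const SAFE_AXIOS = "1.14.0";         // pinned version named in the post

// Package name from "node_modules/axios" or "node_modules/a/node_modules/@s/b".
function packageName(path, meta) {
  if (meta.name) return meta.name;
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk every installed package and return a list of findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = packageName(path, meta);
    if (name === MALICIOUS) {
      findings.push({ severity: "critical", path,
        reason: `${MALICIOUS}@${meta.version} is installed` });
    }
    if (meta.dependencies && MALICIOUS in meta.dependencies) {
      findings.push({ severity: "critical", path,
        reason: `${name}@${meta.version} declares a dependency on ${MALICIOUS}` });
    }
    if (name === "axios" && meta.version !== SAFE_AXIOS) {
      findings.push({ severity: "high", path,
        reason: `axios ${meta.version} is not the pinned ${SAFE_AXIOS}` });
    }
  }
  return findings;
}

// Read and audit a lockfile on disk (fs loaded lazily).
function auditLockfilePath(file) {
  const fs = require("fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample: a site that pulled the bad update; version strings
// for the injected package are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "client-site", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^1.0.0" } },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};
```

Running `auditLockfilePath("package-lock.json")` against a real project returns the same findings array; an empty array means no trace of the injected package and axios still on the pinned version.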
No panic. No emergency. A controlled, informed response.
That's the difference between a website maintenance plan and hoping for the best. A maintenance plan means someone is watching, someone who knows the stack and can act quickly when something goes wrong.
The risk of doing nothing
If your website has no maintenance arrangement, updates either happen ad hoc or they don't happen at all. Both are risky.
Updating without review means you might pull in a compromised package like this one. Not updating at all means known vulnerabilities accumulate over time, and your site becomes an easier target with every month that passes.
Either way, the risk is invisible until something breaks. And by then, the cost of fixing it is significantly higher than the cost of preventing it.
The practical takeaway
Your website is built on software. That software changes constantly. Some changes are improvements. Some are security patches. And occasionally, as this attack shows, some changes are deliberately harmful.
The question for any business is simple: who is watching? If the answer is nobody, then incidents like the axios compromise go unnoticed until the damage is done.
Proactive website maintenance is not about preventing every possible attack. It's about having someone in your corner who knows what to look for, responds quickly, and keeps your site secure without you having to think about it.
If your website doesn't currently have that, and you'd like to understand what it would involve, get in touch.