Security companies flagged axios@1.14.1 and 0.30.4 as compromised, urging credential rotation and rollback of affected packages. Update March 31, 2026, 1:28 pm UTC: This article has been updated to add comments from Abdelfattah Ibrahim, senior offensive security engineer at Hacken. Two malicious Axios npm releases have prompted warnings for developers to rotate credentials and treat affected systems as compromised after a supply chain attack poisoned the popular JavaScript HTTP client library. The compromise was first reported by cybersecurity company Socket, which said axios@1.14.1 and axios@0.30.4 were modified to pull in plain-crypto-js@4.2.1, a malicious dependency that ran automatically during installation before the releases were removed from npm. Read more