EST
PRE-CVE
axios · axios npm package

Malicious Code Injection via Axios npm Package Maintainer Account Takeover

85% confidence

Description

The Axios npm package was compromised through a maintainer account takeover, resulting in the publication of malicious versions 1.14.1 and 0.30.4. These versions introduced a hidden dependency (plain-crypto-js@4.2.1) that executes a post-install script deploying a cross-platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems, enabling unauthorized code execution.

Affected Products

Vendor: axios
Product: axios npm package
Versions: 1.14.1, 0.30.4
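
A defender's check for the releases listed above, written as an added example (not code from Zero Day Monitor, Fortinet, or the axios project): it walks a parsed `package-lock.json` and reports every installed copy of the named axios versions or of the hidden `plain-crypto-js@4.2.1` dependency. The function names and the sample lockfile are constructed for illustration.

```javascript
// Compromised releases named in the advisory above.
const BAD = {
  "axios": ["1.14.1", "0.30.4"],
  "plain-crypto-js": ["4.2.1"],
};

function isBad(name, version) {
  return Object.prototype.hasOwnProperty.call(BAD, name) && BAD[name].includes(version);
}

// Takes a parsed package-lock.json (lockfileVersion 1, 2 or 3) and returns
// every installed copy of a listed release, including nested copies.
function findCompromised(lock) {
  const hits = [];
  const marker = "node_modules/";
  // v2/v3 lockfiles: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project itself
    // meta.name is set when the folder name differs (npm aliases).
    const name = meta.name || path.slice(idx + marker.length);
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // v1 lockfiles: nested "dependencies" tree only.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + marker + name;
      if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/left/node_modules/axios": { version: "1.13.0" },
  },
};

console.log(findCompromised(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findCompromised`; any hit means the post-install script may already have run on machines that installed from that lockfile.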

Related News (1 article)

Tier A
Fortinet PSIRT · 46d ago
Axios npm Package Compromised
→ No new info (linked only)

CISA KEV: No
Actively exploited: No
CWE: CWE-254
Published: Apr 14, 2026
Last enriched: 46d ago
Tags: supply chain, npm, malicious code, post-install script, rat, cross-platform
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: cve_id, epss, kev, patch, iocs

Related CVEs (5)

MEDIUM · CVE-2025-62718 · EXP
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF
Trending: 48

MEDIUM · CVE-2026-42034 · EXP
Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0
Trending: 44

HIGH · CVE-2026-42033 · EXP
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Trending: 44

HIGH · CVE-2026-44490 · EXP
axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Trending: 44

HIGH · CVE-2026-42035 · EXP
Axios: Header Injection via Prototype Pollution
Trending: 44

Verification

State: verified
Confidence: 85%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Exploit Available: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026