Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3672 articles · 175915 vulns · 37/41 feeds (7d)
← Back to list
EST
PRE-CVE
axios · axios npm package

Malicious Code Injection via Axios npm Package Maintainer Account Takeover

85% confidence

Description

The Axios npm package was compromised through a maintainer account takeover, resulting in the publication of malicious versions 1.14.1 and 0.30.4. These versions introduced a hidden dependency (plain-crypto-js@4.2.1) that executes a post-install script deploying a cross-platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems, enabling unauthorized code execution.

Affected Products

VendorProductVersions
axiosaxios npm package1.14.1, 0.30.4

Related News (1 articles)

Tier A
Fortinet PSIRT91d ago
Axios npm Package Compromised
→ No new info (linked only)
CISA KEV❌ No
Actively exploited❌ No
CWECWE-254
PublishedApr 14, 2026
Last enriched91d ago
Tags
supply chainnpmmalicious codepost-install scriptratcross-platform
Trending Score0
Source articles1
Independent1
Info Completeness9/14
Missing: cve_id, epss, kev, patch, iocs

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-42264
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Trending: 15
HIGHCVE-2026-44494EXP
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Trending: 10
HIGHCVE-2026-42043
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Trending: 6
HIGHCVE-2026-44492
Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
Trending: 3
HIGHCVE-2026-44496
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Trending: 3

Pin to Dashboard

Verification

State: verified
Confidence: 85%

Vulnerability Timeline

CVE Published
Apr 14, 2026
Exploit Available
Apr 14, 2026
Discovered by ZDM
Apr 14, 2026