{"id":24758,"date":"2026-03-31T14:44:19","date_gmt":"2026-03-31T14:44:19","guid":{"rendered":"https:\/\/bitunikey.com\/news\/slow-fog-warns-devs-over-malicious-axios-malware-campaign\/"},"modified":"2026-03-31T14:44:24","modified_gmt":"2026-03-31T14:44:24","slug":"slow-fog-warns-devs-over-malicious-axios-malware-campaign","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/slow-fog-warns-devs-over-malicious-axios-malware-campaign\/","title":{"rendered":"Slow Fog warns devs over malicious axios malware campaign"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Slow Fog flags malicious axios releases pulling in plain-crypto-js malware, exposing crypto developers to cross-platform RATs and stolen credentials via npm.<\/p>\n<div id=\"cn-block-summary-block_ef4c6fac8d8d0741967d0ac9e72c9f8f\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Slow Fog flags [email\u00a0protected] and [email\u00a0protected] as malicious after a maintainer account compromise.<\/li>\n<li>The injected [email\u00a0protected] package drops a cross-platform remote access trojan via postinstall scripts.<\/li>\n<li>Developers using [email\u00a0protected] are urged to rotate credentials and inspect hosts, as npm rolls back axios to 1.14.0.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>Blockchain security firm Slow Fog has <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.weex.com\/news\/detail\/security-reminder-the-latest-version-of-openclaw-328-may-introduce-a-malicious-axios-please-users-be-cautious-and-check-614564\">issued<\/a> an urgent security reminder after newly published [email\u00a0protected] and [email\u00a0protected] releases pulled in a malicious dependency, 
[email\u00a0protected], turning one of JavaScript\u2019s most widely used HTTP clients into a supply chain weapon against crypto developers. Axios sees more than 80 million weekly downloads on npm, meaning even a short-lived compromise can ripple across wallet backends, trading bots, exchanges and DeFi infrastructure built on Node.js. In its advisory, Slow Fog warned that \u201cusers who installed [email\u00a0protected] via npm install -g are potentially exposed,\u201d recommending immediate credential rotation and thorough host-side investigation for signs of compromise.<\/p>\n<p>The attack hinges on a fake cryptography package, [email\u00a0protected], which is silently added as a new dependency and used solely to execute an obfuscated postinstall script that drops a cross-platform remote access trojan targeting Windows, macOS and Linux systems.<\/p>\n<p>Security firm StepSecurity explained that \u201cneither malicious version contains a single line of malicious code inside Axios itself,\u201d and that instead \u201cboth inject a fake dependency, [email\u00a0protected], whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT).\u201d Socket\u2019s research team noted that the malicious plain-crypto-js package was published just minutes before the compromised axios release, calling it a \u201ccoordinated supply chain attack\u201d against the JavaScript ecosystem.<\/p>\n<h1 class=\"wp-block-heading\" id=\"axios-maintainer-account-hijacked\">Axios maintainer account hijacked<\/h1>\n<p>According to StepSecurity, the malicious axios releases were pushed using stolen npm credentials belonging to primary maintainer \u201cjasonsaayman,\u201d allowing attackers to bypass the project\u2019s usual GitHub-based release flow. 
\u201cIt\u2019s a live supply chain compromise in [email\u00a0protected], which newly depends on [email\u00a0protected]\u2014a package published hours earlier and identified as obfuscated malware that executes shell commands and erases traces,\u201d security engineer Julian Harris wrote on LinkedIn. npm has now removed the malicious versions and reverted the axios resolution back to 1.14.0, but any environment that pulled 1.14.1 or 0.3.4 during the attack window remains at risk until secrets are rotated and systems are rebuilt.<\/p>\n<p>The compromise echoes earlier npm incidents that directly targeted crypto users, including a 2025 campaign in which 18 popular packages like chalk and debug silently swapped wallet addresses to steal funds, prompting Ledger CTO Charles Guillemet to warn that \u201cthe affected packages have already been downloaded over 1 billion times.\u201d Researchers have also documented npm malware stealing keys from Ethereum, XRP and Solana wallets, and SlowMist has estimated that crypto hacks and frauds \u2014 including backdoored packages and AI-assisted supply chain attacks \u2014 caused more than $2.3 billion in losses in the first half of 2025 alone. For now, Slow Fog\u2019s advice is blunt: downgrade axios to 1.14.0, audit dependencies for any trace of [email\u00a0protected] or openclaw, and assume that any credentials touched by those environments are compromised.<\/p>\n<h1 class=\"wp-block-heading\" id=\"previous-software-supply-chain-warnings\">Previous software supply chain warnings<\/h1>\n<p>In a previous crypto.news story on JavaScript supply chain attacks, Ledger\u2019s Guillemet warned that compromised npm packages with more than 2 billion weekly downloads posed a systemic risk to dApps and wallets built on Node.js. Another story detailed how North Korea\u2019s Lazarus Group planted malicious npm packages to backdoor developer environments and target Solana and Exodus wallet users. 
A third crypto.news story on next-generation malware showed how backdoor supply chain attacks via npm and low-cost AI tools helped criminals remotely control over 4,200 developer machines and contributed to billions of dollars in crypto losses.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Slow Fog flags malicious axios releases pulling in plain-crypto-js malware, exposing crypto developers to cross-platform RATs and stolen credentials via npm. Summary Slow Fog flags [email\u00a0protected] and [email\u00a0protected] as malicious&hellip;<\/p>\n","protected":false},"author":1,"featured_media":11634,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24758","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=24758"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24758\/revisions"}],"predecessor-version":[{"id":24759,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/24758\/revisions\/24759"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/11634"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=24758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?
post=24758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=24758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}