Ah, the sweet smell of betrayal in the air. Yes, dear developers, it seems that even the humble axios, once your trusted companion in making HTTP requests, has been weaponized. A newly discovered attack, brought to you by Slow Fog, reveals that axios releases have been hijacked, carrying with them a malicious payload from the package plain-crypto-js, sending crypto developers into a frenzy as cross-platform RATs and stolen credentials are now a delightful side effect of your npm installs.
How quaint. It’s almost poetic, isn’t it? The very tools you trust to build your blockchain empire have turned on you. This is a tale as old as time, but with more npm packages and fewer dramatic monologues. Well, brace yourself for a bit of a rundown on the matter:
- Slow Fog has flagged axios@1.14.1 and axios@0.3.4 as malicious, after a certain “maintainer account” got compromised (who didn’t see that coming?).
- The plain-crypto-js package, a charming little thing, was slipped in and used to drop a cross-platform remote access trojan (RAT) thanks to a postinstall script that’s about as sneaky as a ninja.
- If you’re one of those developers who installed axios@1.14.1, you’re probably already in need of rotating your credentials and checking for any suspicious activity on your hosts, because npm just rolled axios back to version 1.14.0.
In this grim saga, Slow Fog, the vigilant (and a bit dramatic) blockchain security firm, issued a timely warning: “The malicious plain-crypto-js package was added to axios like a wolf in sheep’s clothing,” and now crypto developers are left to wonder whether they’re the ones getting fleeced. The malfeasance didn’t just stop with the injection of this nefarious package; no, it also managed to target cross-platform systems. Windows, macOS, Linux? Yes, it’s an equal opportunity destroyer. Once installed, it executes an obfuscated postinstall script that lays the foundation for a RAT to sneak in and wreak havoc.
Now, if you think this attack is just some isolated incident, think again. Axios, dear reader, isn’t just some random library. With over 80 million downloads a week, the ripple effect of this compromise is bound to have touched everything from wallets to trading bots, and let’s not forget those DeFi infrastructures built on Node.js. The scope of this is staggering, and yet you were too busy reading your morning emails to update your dependencies. Classic.
So what happened, you ask? How did this tragedy unfold? Well, according to the ever-persistent StepSecurity, the malicious releases were pushed through npm with the stolen credentials of axios’ primary maintainer, “jasonsaayman,” making the whole thing feel like a live reenactment of a hacker thriller. Apparently, all it took was a couple of hours, and voilà, npm was rolling back axios to its safer 1.14.0 version, but for those who grabbed the bad versions, their systems are still at risk until the appropriate steps are taken.
Axios Maintainer Account Hijacked: The Sequel
The truly ironic part? Axios itself didn’t contain a single line of malicious code. The attackers were far too clever for that. No, they injected plain-crypto-js, a fake cryptography package, whose sole purpose was to run a postinstall script. This, my friends, is what we in the industry call “a coordinated supply chain attack.” It’s like a magician distracting you with one hand while they rob you with the other.
As for the attackers? They’ve pulled off the heist with all the finesse of a cat burglar. They bypassed the usual GitHub-based release flow and quietly slid in their malicious code. It wasn’t until after npm removed the malicious versions and reverted to 1.14.0 that the full scope of the disaster was realized. And now, dear developers, you have some work to do. Rotate your credentials, audit your dependencies, and don’t pretend you’re not still using an outdated version of axios. We know you’re out there.
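One way to run the audit called for above, as an added example (not code from axios, npm or the firms quoted): it checks a parsed package-lock.json for the two axios versions and the plain-crypto-js package this article names. The function names, the sample lockfile and the plain-crypto-js version string are constructed for illustration.

```javascript
// Indicators named in the article: two axios releases and the injected package.
const BAD_VERSIONS = new Map([["axios", new Set(["1.14.1", "0.3.4"])]]);
const BAD_PACKAGES = new Set(["plain-crypto-js"]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

function check(name, entry, where, findings) {
  const version = entry.version || "unknown";
  const badVersion = (BAD_VERSIONS.get(name) || new Set()).has(version);
  if (badVersion || BAD_PACKAGES.has(name)) {
    // hasInstallScript is recorded by npm in v2/v3 lockfiles.
    findings.push({ name, version, where, installScript: entry.hasInstallScript === true });
  }
}

// Lockfile v1 nests transitive dependencies under "dependencies".
function walkV1(deps, trail, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = trail ? `${trail} > ${name}` : name;
    check(name, entry, where, findings);
    walkV1(entry.dependencies, where, findings);
  }
}

// Takes the parsed JSON of package-lock.json and returns every flagged entry,
// including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      check(entry.name || nameFromPath(path), entry, path, findings);
    }
  } else {
    walkV1(lock.dependencies, "", findings);
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/legacy/node_modules/axios": { version: "1.14.0" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK).map((f) => `${f.name}@${f.version} at ${f.where}`).join("\n"));
```

A clean lockfile today does not prove the bad release was never installed on a host, so the credential rotation advice still applies to any machine that pulled it.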
Crypto’s Bumpy Road: Supply Chain Attacks and the Path of Destruction
But wait, there’s more! This isn’t the first time npm packages have turned into attack vectors targeting crypto. In 2025, 18 popular packages, including the innocuous-sounding chalk and debug, had their wallet addresses swapped in a shady campaign to steal funds. Ledger’s CTO, Charles Guillemet, made a rather ominous prediction: “These affected packages have already been downloaded over 1 billion times.” Now that’s a statistic that’s bound to make you look twice at your package.json.
Meanwhile, researchers have been chronicling the rise of malware targeting Ethereum, XRP, and Solana wallets. SlowMist has even estimated that crypto hacks and frauds (including these backdoored packages) have racked up losses exceeding $2.3 billion in the first half of 2025 alone. So yeah, it’s been a great year for crypto developers.
In conclusion, if you’re still reading this, you know what needs to be done. Downgrade axios to 1.14.0, audit your dependencies, and, if you value your credentials, assume that anything touched by the compromised environment is compromised. Your future self will thank you. Or, you know, curse you for not listening sooner.
And Finally, Let’s Talk About Previous Warnings
Ah, the past. A place of forewarnings, for those who bothered to listen. In a previous tale of woe, Ledger’s Guillemet warned that compromised npm packages, with over 2 billion weekly downloads, presented a systemic risk to decentralized apps and wallets built on Node.js. And who could forget the stunning tale of North Korea’s Lazarus Group, who infiltrated npm to target Solana and Exodus wallet users? What a time to be alive, and what a time to be a developer, apparently.
2026-03-31 17:29