CVSS 9.8 | GHSA-fw8c-xr5c-95f9 | CVE-2026-34841

Critical: Malicious Code Found in Axios - Immediate Action Required

Critical vulnerabilities in Axios and related packages expose Node.js systems to Remote Access Trojans. Immediate patching is required to mitigate this severe supply chain attack. Learn how to protect your systems.


A severe supply chain attack has compromised the popular Axios npm package, introducing malicious code that installs a Remote Access Trojan (RAT). This impacts systems using compromised versions of Axios and related packages like @usebruno/cli. Immediate action is required to mitigate the risk of remote access and data compromise. Patches are available.

This vulnerability has a CVSS score of 9.8, indicating a critical level of severity due to the potential for remote code execution and system compromise.

What is Axios?

Axios is a promise-based HTTP client for making requests from Node.js and browsers. It is a widely used library for interacting with APIs and web services, providing a simple and convenient way to send HTTP requests and handle responses. Given its popularity, vulnerabilities in Axios can have a broad impact across many projects.

Malicious Code in Axios (npm)

CVSS: N/A
Affected versions: Any computer with 'axios' versions less than or equal to 1.14.1 is considered fully compromised. This includes systems where the package is installed or running.

Critical - Remote code execution and potential full system compromise.

The npm package 'axios' was compromised, and a malicious dependency named 'plain-crypto-js' was added. This dependency installs a remote access trojan, granting attackers unauthorized access to affected systems.

How to fix GHSA-fw8c-xr5c-95f9 in Axios

Patch immediately
  1. Update the axios package to a safe version:
     npm update axios
  2. Verify the installed version with:
     npm list axios

Workaround: Rotate all secrets and keys stored on affected computers from a clean machine. Removing the package does not guarantee removal of all malicious software.

NextGuard automatically flags CVE-2026-34841 if Axios appears in any of your monitored projects — no manual lookup required.

Axios npm Supply Chain Incident Impacting @usebruno/cli

CVSS: 9.8
Affected versions: Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026, and were using axios versions less than or equal to 3.2.1.

Critical - Remote code execution via RAT deployment.

A supply chain attack compromised versions of the axios npm package, introducing a hidden dependency that deploys a cross-platform Remote Access Trojan (RAT). This specifically impacted users of @usebruno/cli who installed packages within a specific timeframe.

How to fix CVE-2026-34841 in Axios

Patch immediately
  1. Update the axios package to a safe version:
     npm update axios
  2. Verify the installed version with:
     npm list axios

Workaround: There is no specific workaround beyond patching. Ensure all systems are patched as quickly as possible.
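Both fix sections above rely on npm list to confirm the axios version; a lockfile check for the injected dependency the advisory names ('plain-crypto-js') is the complementary indicator. The following is an added example, not code from the advisory or the axios project; it scans a package-lock.json object (a constructed sample is embedded) and reports every install path of the malicious package and of axios.

```javascript
// Added example, not code from the advisory or the axios project: scan a
// package-lock.json object for the injected dependency the advisory names
// ('plain-crypto-js') and list every installed axios version.
const MALICIOUS_DEP = 'plain-crypto-js';   // indicator named in the advisory

// Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
// lockfileVersion 1 ("dependencies" nested tree). Returns the install paths
// of the malicious package and of axios, plus a compromised flag.
function scanLockfile(lock) {
  const findings = { malicious: [], axios: [], compromised: false };
  const record = (path, name, version) => {
    if (name === MALICIOUS_DEP) findings.malicious.push({ path, version });
    if (name === 'axios') findings.axios.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;                       // root project entry
      // last path segment is the package name; works for nested and @scoped
      const name = meta.name || path.split('node_modules/').pop();
      record(path, name, meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        record(path, name, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  findings.compromised = findings.malicious.length > 0;
  return findings;
}

// Constructed sample lockfile (v3 layout); the malicious package's version
// string is a placeholder, the advisory does not give one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
  },
};

const result = scanLockfile(SAMPLE_LOCK);
console.log(result.compromised ? 'COMPROMISED ' + JSON.stringify(result) : 'no indicator found');
```

To check a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to scanLockfile; a hit means treating the host as compromised and rotating its secrets from a clean machine, as the first workaround above states.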


Stay ahead of Node.js vulnerabilities

Proactively identify and address vulnerabilities in your Node.js projects with automated dependency scanning. Monitor your Node.js dependencies to ensure your applications remain secure.



This Axios supply chain attack highlights the importance of robust dependency management and proactive vulnerability monitoring. Regularly update your dependencies and consider using automated tools to identify and address potential risks.

Related topics

nodejs, axios, supply chain attack, remote access trojan, security vulnerability, npm