axios
Fixed version
3.2.2
CVE-2026-34841 represents a critical supply chain attack affecting Axios, a popular JavaScript library for making HTTP requests. This vulnerability involves compromised versions of the Axios npm package, which introduced a hidden dependency responsible for deploying a cross-platform Remote Access Trojan (RAT). The issue impacts Axios versions from 0.0.0 up to, but not including, 3.2.1, and primarily affected users who installed the package during a specific timeframe on March 31, 2026.
The primary impact of CVE-2026-34841 is the potential for unauthorized remote access and control over affected systems. The RAT deployed through the compromised Axios package allows an attacker to execute arbitrary commands, steal sensitive data (including API keys, credentials, and source code), and potentially establish persistent backdoors. The attack vector is particularly concerning because it leverages the trust inherent in the npm package ecosystem, making it difficult for developers to detect malicious code. This attack mirrors the complexity seen in other supply chain attacks, highlighting the need for robust dependency management and security scanning practices. The blast radius extends to any application relying on the compromised Axios versions, potentially impacting a wide range of services and data.
This vulnerability was publicly disclosed on April 6, 2026. The short timeframe between the compromise and the disclosure suggests a rapid response from security researchers. While no confirmed exploitation reports are publicly available as of this writing, the presence of a RAT significantly increases the likelihood of active exploitation. The incident has been added to the CISA KEV catalog, indicating a high probability of exploitation. Public proof-of-concept code is expected to emerge, further increasing the risk.
Developers and organizations using Axios in their Node.js applications are at risk, particularly those who rely on npm for package management. Shared hosting environments and applications with automated dependency updates are especially vulnerable, as they may have been automatically updated with the compromised package. Projects using older versions of Axios or those with lax dependency management practices are also at higher risk.
• nodejs / supply-chain: List running Node.js processes: Get-Process | Where-Object {$_.ProcessName -match 'node'}
• nodejs / supply-chain: Look for node_modules directories in each directory on PATH (the Environment provider does not support -Recurse or -Filter, so PATH is split and each entry searched): ($env:PATH -split ';') | Where-Object { $_ } | ForEach-Object { Get-ChildItem -Path $_ -Directory -Filter 'node_modules' -ErrorAction SilentlyContinue }
• nodejs / supply-chain: Show the installed axios version: npm ls axios --depth=0
• generic web: Check for unusual network connections originating from Node.js processes using netstat -ano | findstr :<suspicious_port>.
Compromise Window
Public Disclosure
KEV Listing
Exploitation status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2026-34841 is to upgrade Axios to version 3.2.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider temporarily isolating affected applications and implementing stricter network controls to limit potential damage. Review all dependencies and consider using tools like npm audit or yarn audit to identify and address other potential vulnerabilities. Implement stricter dependency pinning to prevent unexpected updates from malicious sources. Consider using a Software Bill of Materials (SBOM) to gain better visibility into your application's dependencies and potential risks.
Update the axios package to version 1.4.1 or later to mitigate the risk of a supply chain attack that introduces a cross-platform remote access trojan. Check your projects' dependencies to make sure no vulnerable versions of axios are present. Consider using supply chain security analysis tools to detect and prevent future attacks.
CVE-2026-34841 is a critical vulnerability where compromised Axios npm packages deployed a cross-platform Remote Access Trojan (RAT), allowing attackers to gain unauthorized access to systems.
You are affected if you use Axios versions from 0.0.0 up to, but not including, 3.2.1 and ran npm install between March 31, 2026, 00:21 UTC and ~03:30 UTC. Check your dependencies immediately.
Upgrade Axios to version 3.2.1 or later. If immediate upgrade is not possible, isolate affected applications and implement stricter network controls.
While no confirmed exploitation reports are public, the presence of a RAT suggests a high likelihood of active exploitation. Monitor your systems closely.
Refer to the npm security advisory and related security blogs for updates and further information: [https://www.npmjs.com/advisories/1774](https://www.npmjs.com/advisories/1774)