Axios NPM Supply Chain Compromise
Version: 1.0
Published: April 3, 2026
Last Updated: April 3, 2026
WSO2 impacted: Yes
Evidence of compromise: No
Customers impacted: No (unless potential exposure conditions are met)
Customer actions required: No (unless potential exposure conditions are met)
Reported Incident
On March 30, 2026, a security incident was reported involving malicious versions of the Axios HTTP client library, specifically [email protected] and [email protected]. These versions were published to npm through a compromised maintainer account and included a hidden dependency, [email protected]. That dependency ran a post-installation script that served as a cross-platform remote-access trojan dropper for macOS, Windows, and Linux. The malicious packages were modified to exfiltrate sensitive information, including authentication tokens and configuration details, from developer environments and pipelines.
Impact on WSO2 Products and Deployments
Following the reported incident, the WSO2 Security Team immediately collaborated with the engineering teams to review the Axios versions used across WSO2 products and services. In addition, developer machines, build environments, and WSO2-managed deployments were examined for indicators of compromise, and no evidence of impact was found.
WSO2 official product release artifacts rely on pinned dependencies defined in the package-lock.json file. Our assessment confirmed that these artifacts did not resolve to any of the malicious Axios versions associated with the incident.
Potential Exposure Conditions
Exposure may be possible only in cases where deployments were modified from the official release baseline. This includes scenarios in which:
- a semantic versioning range, such as ^0.30.0, was specified in the package.json file instead of an exact version, and npm install was executed; or
- npm update was executed during the incident window between March 31, 2026, 00:21 UTC and 03:15 UTC.
In such cases, a malicious version may have been resolved unintentionally.
Recommended Action
For customized deployments, WSO2 recommends pinning the Axios version in package.json to the exact version recorded in the corresponding package-lock.json file. This helps prevent unintended resolution to compromised versions.
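Both the exposure conditions above (a semver range in package.json that npm install or npm update can re-resolve) and the pinning recommendation can be checked mechanically. The following Node.js script is an added example and is not WSO2 code: it audits a package.json against its package-lock.json, lists every dependency declared as a range together with the version the lockfile currently resolves it to, produces a copy of the manifest with each such dependency pinned to that locked version, and checks the lockfile against a table of known-bad versions. The sample manifest, the sample lockfile and the FLAGGED_VERSIONS table are constructed placeholders; the table must be filled from an authoritative advisory before use.

```javascript
// Added example (not WSO2's code): audit a package.json / package-lock.json pair
// for dependencies declared as semver ranges instead of exact pins, pin them to
// the version the lockfile already records, and flag known-bad resolutions.

// An exact pin is a bare version such as "1.2.3", optionally with a
// prerelease or build suffix. Anything else (^, ~, >=, "latest", tags) can drift.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Version the lockfile recorded for a top-level dependency. Handles lockfile
// v2/v3 ("packages" keyed by "node_modules/<name>") and v1 ("dependencies").
function lockedVersion(lock, name) {
  const pkgs = lock.packages;
  if (pkgs && pkgs[`node_modules/${name}`]) return pkgs[`node_modules/${name}`].version;
  const deps = lock.dependencies;
  if (deps && deps[name]) return deps[name].version;
  return null;
}

// Every dependency whose declared spec could resolve differently on a fresh
// `npm install` or `npm update`, with what the lockfile currently pins it to.
function findUnpinned(manifest, lock) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isExactPin(spec)) {
        out.push({ field, name, spec, locked: lockedVersion(lock, name) });
      }
    }
  }
  return out;
}

// Copy of the manifest with each unpinned dependency replaced by its locked
// version. Dependencies missing from the lockfile are left as-is and reported.
function pinToLock(manifest, lock) {
  const pinned = JSON.parse(JSON.stringify(manifest));
  const skipped = [];
  for (const { field, name, locked } of findUnpinned(manifest, lock)) {
    if (locked) pinned[field][name] = locked;
    else skipped.push(name);
  }
  return { manifest: pinned, skipped };
}

// Every package (top-level or nested) that the lockfile resolves to a version
// listed in `flagged`, which maps package name -> array of bad versions.
function findFlagged(lock, flagged) {
  const prefix = 'node_modules/';
  const entries = lock.packages
    ? Object.entries(lock.packages)
        .filter(([key]) => key.startsWith(prefix))
        .map(([key, v]) => [key.slice(key.lastIndexOf(prefix) + prefix.length), v.version])
    : Object.entries(lock.dependencies || {}).map(([name, v]) => [name, v.version]);
  return entries
    .filter(([name, version]) => (flagged[name] || []).includes(version))
    .map(([name, version]) => ({ name, version }));
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_MANIFEST = {
  name: 'sample-app',
  dependencies: { axios: '^0.30.0', lodash: '4.17.21' },
  devDependencies: { jest: '~29.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/axios': { version: '0.30.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/jest': { version: '29.0.3' },
  },
};
// Hypothetical placeholder: populate from an authoritative advisory.
const FLAGGED_VERSIONS = { axios: ['0.0.0-PLACEHOLDER'] };

console.log('Unpinned dependencies:', findUnpinned(SAMPLE_MANIFEST, SAMPLE_LOCK));
console.log('Pinned manifest:', JSON.stringify(pinToLock(SAMPLE_MANIFEST, SAMPLE_LOCK).manifest, null, 2));
console.log('Flagged resolutions:', findFlagged(SAMPLE_LOCK, FLAGGED_VERSIONS));
```

To use it on a real checkout, replace the two sample objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`, write the pinned manifest back, and then install with `npm ci`, which installs exactly what the lockfile records and fails instead of re-resolving if manifest and lockfile disagree.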
Conclusion
Based on this analysis, WSO2 products and services deployed using unmodified official release artifacts are not affected by this supply chain attack. Customers using unmodified official release artifacts are likewise not impacted.