On March 31, 2026, the JavaScript world woke up to a nightmare. For exactly two hours and fifty-four minutes, one of the most downloaded packages in history, axios, was serving a remote access trojan. If you ran npm install during that window, or if your CI/CD pipeline pulled the latest dependencies, you didn’t just get a HTTP client—ovi got a direct line for hackers into your infrastructure.
With over 100 million weekly downloads, axios is everywhere. It is in the apps on your phone, the dashboard you use at work, and the microservices running your backend. This wasn’t a sophisticated zero-day exploit in the code itself. It was a failure of a much simpler, more human element: a single, forgotten access token that was never changed.
How A Forgotten Token Became A Master Key
We often think of hackers as geniuses sitting in dark rooms bypasssing firewalls. In reality, they usually just look for the “spare key” left under the digital doormat. In this case, that key was a long-lived classic npm access token.
These tokens are the old school way of authenticating with the npm registry. Unlike modern granular tokens, these classic versions have no expiry date. They have full “publish” permissions for every package an account owns. Many developers generated these years ago for a quick automation script or an old CI/CD setup and then completely forgot they existed.
The attacker likely found this token in a leaked .npmrc file or a compromised developer machine from a previous, unrelated breach. Because the token never expires and doesn’t require two-factor authentication (2FA) when used via the command line, the hacker was able to log in as the maintainer and push malicious code directly to millions of users instantly.
The Forensic Fingerprint Of A Compromise
When our team analyzed the malicious [email protected] release, the red flags were everywhere, but only if you knew where to look. Legitimate axios releases are published through a verified GitHub Actions workflow using something called OIDC Trusted Publishing. This creates a cryptographic link between the code on GitHub and the package on npm.
The poisoned version had none of that. It was published directly from a “manual” CLI session.
The Email Change: The attacker changed the maintainer’s email to a Proton address just before publishing.
Missing Provenance: There was no “provenance” data, meaning there was no proof of where the code actually came from.
The Ghost Tag: There was no corresponding version tag on the official axios GitHub repository.
Pro Tip: You can check the metadata of any package by running
npm info [package-name]. If you see the “publishedBy” field change from a CI/CD tool to a manual “npm CLI” entry for a major library, treat it as highly suspicious.
How To Rotate Npm Tokens And Secure Your Account
If this story makes you feel a bit uneasy about your own accounts, that is a good thing. It’s time to perform some “digital hygiene.” Learning how to rotate npm tokens is the single most effective way to prevent your account from being the next “patient zero” in a supply chain attack.
Follow these steps immediately to audit your setup:
Audit your current keys: Run
npm token listin your terminal. Look for any token labeled as “Classic.”The Purge: If you see tokens you don’t recognize or classic tokens that have been sitting there for months, revoke them immediately using
npm token revoke [ID].Switch to Granular Tokens: When you create new tokens, set an expiration date (e.g., 30 or 90 days) and limit the scope to only the specific packages that need it.
Adopt OIDC: If you use GitHub Actions, move away from persistent tokens entirely. OIDC allows GitHub to talk to npm using short-lived, one-time credentials that disappear after the build is finished.
The Anatomy Of The “Self-Destructing” Malware
The malware itself was a masterclass in evasion. It didn’t just sit there; it tried to hide its tracks. It used a “postinstall” hook in a secondary package called plain-crypto-js. The moment you installed axios, this script ran in the background.
It performed a three-step “self-destruct” sequence:
It downloaded the actual virus (a Python RAT for Linux or an AppleScript for Mac).
It deleted its own malicious
package.jsonfile.It replaced it with a “clean” version that claimed to be an older, safe version.
This meant that if you ran a security scan after the installation, everything looked normal. The only way to know you were hit was to check your package-lock.json. If your lockfile said you installed version 4.2.1 but your node_modules folder claimed you had 4.2.0, you were compromised.
Building A Layered Defense For The Future
We cannot rely on a single tool to save us. To survive in 2026, you need a layered approach to security. This isn’t just about knowing how to rotate npm tokens, it’s about changing how we trust software.
Pin Your Versions: Stop using the “caret” (
^) in yourpackage.json. Instead of^1.14.0, which automatically pulls the “latest” (and potentially malicious) version, use an exact version like1.14.0.Ignore Scripts by Default: Use
npm install --ignore-scripts. This prevents those “postinstall” hooks from running automatically. You can then manually allow scripts for packages you truly trust.Verify Provenance: Use tools that check for SLSA provenance. According to OpenSSF security standards, verifying that a package was built in a secure environment is the only way to be 100% sure the code matches the source.
Final Steps For Peace Of Mind
If you think you might have been caught in the axios window, don’t panic, but act fast. Isolate the machine, rotate every single environment variable and API key that was stored on that system, and rebuild from a clean state.
Supply chain attacks are the new frontier of cyber warfare. They rely on our laziness and our tendency to set things and forget them. By taking ten minutes today to audit your tokens and lock down your CI/CD pipelines, you are making the entire ecosystem just a little bit safer for everyone.
