Major Supply Chain Compromise in the Popular axios npm Package
ID: 70c3a55d-af98-5693-9d05-3b5a0d4e574e
STIX ID: report--70c3a55d-af98-5693-9d05-3b5a0d4e574e
Feed Name: LevelBlue SpiderLabs Blog
On March 30, 2026, attackers published malicious axios releases ([email protected] and [email protected]) that pulled in a new dependency, [email protected], whose postinstall dropper (setup.js) fetches a cross-platform RAT. Google Threat Intelligence attributes the operation to UNC1069. The malicious versions were available only briefly, but the exposure is high given how widely axios is used: an npm postinstall hook runs with the privileges of the installing user, so any developer machine or CI runner that installed an affected version should be treated as compromised rather than merely exposed. The report lists file hashes and C2 domains/IPs, and recommends scanning repositories and CI logs for the affected versions, rotating credentials that were reachable from affected hosts, and active threat hunting.
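As an added example, not code from the LevelBlue report or the axios project, the script below shows the kind of repository and CI-log scan the report recommends: it walks a package-lock.json (lockfile v1 and v2/v3 layouts), checks package.json lifecycle hooks for the dropper file name, and greps install-log text for the suspect package@version pairs. The names and versions in SUSPECT_VERSIONS are placeholders: the real malicious axios versions and the dropper dependency's name and version appear obfuscated on this page and must be taken from the report's indicator list. The sample lockfile, manifest and log lines are constructed for the demonstration.

```python
"""Scan npm lockfiles, package manifests and CI install logs for listed
supply-chain indicators. Added example; indicator values are placeholders."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Placeholder indicators (hypothetical). Replace with the package names and
# versions from the report; the values on this page are obfuscated.
SUSPECT_VERSIONS: Dict[str, Set[str]] = {
    "axios": {"0.0.0-bad1", "0.0.0-bad2"},
    "example-dropper-dep": {"0.0.1"},
}
DROPPER_MARKER = "setup.js"  # the report names the postinstall dropper setup.js


def iter_lock_packages(lock: dict) -> Iterable[Tuple[str, dict]]:
    """Yield (name, entry) for every installed package in a package-lock.json.
    lockfileVersion 2/3 keys "packages" by node_modules path; v1 nests
    "dependencies" recursively."""
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, entry
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def scan_lockfile(lock: dict) -> List[str]:
    findings = []
    for name, entry in iter_lock_packages(lock):
        version = entry.get("version", "")
        if version in SUSPECT_VERSIONS.get(name, set()):
            findings.append(f"lockfile: {name}@{version} is a listed malicious version")
        elif name in SUSPECT_VERSIONS and entry.get("hasInstallScript"):
            # v2/v3 lockfiles record install scripts; an unlisted version of a
            # watched package that declares one still deserves a manual look.
            findings.append(f"lockfile: {name}@{version} declares an install script")
    return findings


def scan_manifest(manifest: dict) -> List[str]:
    """Flag lifecycle hooks in a package.json that invoke the dropper file."""
    findings = []
    for hook in ("preinstall", "install", "postinstall"):
        cmd = manifest.get("scripts", {}).get(hook, "")
        if DROPPER_MARKER in cmd:
            findings.append(f"manifest {manifest.get('name')}: {hook} runs '{cmd}'")
    return findings


# Matches name@version tokens such as "axios@1.2.3" or "@scope/pkg@1.2.3".
LOG_PATTERN = re.compile(r"(@?[\w./-]+)@(\d[\w.+-]*)")


def scan_ci_log(text: str) -> List[str]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, version in LOG_PATTERN.findall(line):
            if version in SUSPECT_VERSIONS.get(name, set()):
                findings.append(f"ci log line {lineno}: installed {name}@{version}")
        if DROPPER_MARKER in line:
            findings.append(f"ci log line {lineno}: mentions {DROPPER_MARKER}")
    return findings


# Constructed samples (not real artifacts).
SAMPLE_LOCK_V3 = {
    "name": "victim-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "victim-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "0.0.0-bad1"},
        "node_modules/example-dropper-dep": {"version": "0.0.1", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "0.0.0-bad2",
                               "dependencies": {"example-dropper-dep": {"version": "0.0.1"}}}},
}
SAMPLE_MANIFEST = {"name": "example-dropper-dep", "version": "0.0.1",
                   "scripts": {"postinstall": "node setup.js"}}
SAMPLE_CI_LOG = "\n".join([
    "npm WARN deprecated request@2.88.2: request has been deprecated",
    "> example-dropper-dep@0.0.1 postinstall /home/ci/app/node_modules/example-dropper-dep",
    "> node setup.js",
    "added 42 packages in 3s",
])

if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK_V3) + scan_lockfile(SAMPLE_LOCK_V1) \
            + scan_manifest(SAMPLE_MANIFEST) + scan_ci_log(SAMPLE_CI_LOG):
        print(f)
```

In a real sweep, point scan_lockfile at every package-lock.json in every branch (the malicious versions may have been locked in a feature branch and never merged), and run scan_ci_log over archived job output from the exposure window, since a runner that executed the postinstall hook is a compromised host regardless of what the repository looks like now.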
