Tag: axios vulnerability

Security

Not in axios’s source — a hijacked maintainer account pushed a phantom dependency that installed a cross‑platform RAT

On March 31, 2026, attackers used a hijacked npm maintainer account to publish poisoned axios releases. The releases did not alter axios source code; they added a phantom dependency (plain-crypto-js@4.2.1) whose postinstall hook ran during npm’s install lifecycle and deployed a cross‑platform remote access trojan (RAT). The publication used stolen long‑lived npm tokens to bypass GitHub Actions […]

admin