Tulin

A tiny piece of code called axios runs inside almost every app on your phone and every website you visit. Developers download it 100 million times a week. A few hours ago, someone poisoned it with malware that hands an attacker full control of your computer. If you’ve never heard of axios, that’s normal. It does one boring but important job: it lets apps talk to the internet. When a website pulls up your feed or an online checkout processes your card, axios is probably doing the work underneath. Over 173,000 other code packages plug into it. It’s everywhere. The attacker stole a lead developer’s login for npm (think of it as an app store, but for code that programmers use to build software). Once inside, they swapped the developer’s email to an anonymous ProtonMail account and uploaded the poisoned version by hand. That jumped past every security check the project normally runs before new code goes live. And this was not some rushed job. The attacker staged the malware at least 18 hours before pulling the trigger. They built separate versions for Windows, Mac, and Linux. They poisoned both the current version and an older one within 39 minutes of each other, casting the widest net possible. Once the malware ran on a machine, it deleted itself to cover its tracks. The trick was smart. They never touched a single line of code inside axios itself. Instead, they tucked in a fake add-on called plain-crypto-js, built to pass as a well-known, trusted library. It copied the real library’s description and author info, so nothing looked off at a glance. When a developer installed axios, this fake package quietly ran the malware on its own. When a smaller package called ua-parser-js got hijacked back in 2021 with about 8 million weekly downloads, the security world treated it like a four-alarm fire. Axios has 100 million. Over 12x the exposure, with 173,000+ packages depending on it. Socket, the security firm that flagged this, caught it in about 6 minutes. That’s fast. But 6 minutes is still plenty of time for automated systems at companies everywhere to pull and install the bad version before anyone can react. If you or your team runs axios: lock your version to 1.14.0 (or 0.30.3 for the older branch). Change every password, API key, and access token on any machine that installed the compromised update. And check your network logs for connections to sfrclak dot com or the IP address 142.11.206.73.