Axios NPM Library Hijacked: Supply‑Chain Attack Exfiltrates Secrets

7Secure
Collection Brief
Data Breaches
GITHUB.COM
Why it matters

The Axios maintainers discovered that a malicious actor had compromised the NPM package during a routine publish. The attacker injected hidden code into the library’s distribution bundle that reads environment variables at runtime and sends them to an external server. The malicious payload was signed with a valid maintainer key, allowing it to bypass typical integrity checks and spread to any project that installed the compromised version.

Thousands of downstream applications, from small web services to large enterprise platforms, unwittingly executed the backdoor, leaking credentials, API keys, and other sensitive configuration data. Defenders must treat even widely trusted dependencies as potential attack vectors, enforce strict SBOM and provenance verification, and monitor for anomalous outbound traffic from build and runtime environments to detect similar supply-chain compromises early.
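The lockfile and registry checks the last sentence recommends, as an added example that is not from 7Secure or the Axios project: a Python script that verifies one package-lock.json entry against the tarball bytes a build actually fetched, checking the `resolved` host against an allowlist and recomputing the npm-style `sha512-` integrity string. The version string, file contents and mirror hostname are constructed placeholders. One caveat: as the brief itself notes, a malicious release published with valid maintainer credentials carries a valid hash, so this check does not identify such a release; what it does is stop a build from silently taking up any release other than the one that was reviewed and pinned, which is what turns a single bad publish into thousands of affected builds.

```python
import base64
import hashlib
import io
import json
import tarfile
from urllib.parse import urlparse

# Hosts a build may resolve packages from. Assumption: one public registry;
# add an internal mirror here if the build uses one.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def sri_sha512(data: bytes) -> str:
    """npm-style Subresource Integrity string: 'sha512-' + base64(raw digest)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def check_lock_entry(lock: dict, package_path: str, tarball: bytes) -> list[str]:
    """Check one package-lock.json (lockfileVersion 2 or 3) entry against the
    tarball bytes that were actually fetched. Returns findings; [] means pass."""
    findings: list[str] = []
    entry = lock.get("packages", {}).get(package_path)
    if entry is None:
        return [f"{package_path}: no entry in lockfile, install would be unpinned"]

    host = urlparse(entry.get("resolved", "")).hostname
    if host not in ALLOWED_REGISTRY_HOSTS:
        findings.append(f"{package_path}: resolved from unexpected host {host!r}")

    expected = entry.get("integrity")
    if not expected:
        findings.append(f"{package_path}: lockfile entry carries no integrity hash")
    elif (actual := sri_sha512(tarball)) != expected:
        findings.append(
            f"{package_path}: integrity mismatch, lock has {expected[:16]}... "
            f"but fetched tarball hashes to {actual[:16]}..."
        )
    return findings


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a small .tgz in memory. Constructed stand-in for a registry download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data: the version string and file contents are placeholders,
# not the real package or the compromised release.
GOOD_TARBALL = make_tarball({"package/index.js": b"module.exports = {};\n"})
TAMPERED_TARBALL = make_tarball({"package/index.js": b"// contents differ from the pinned release\n"})

LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/axios": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/axios/-/axios-0.0.0-placeholder.tgz",
            "integrity": sri_sha512(GOOD_TARBALL),
        }
    },
}

# Same entry, but resolved from a host the build should never talk to (constructed).
LOCK_WRONG_HOST = json.loads(json.dumps(LOCK))
LOCK_WRONG_HOST["packages"]["node_modules/axios"]["resolved"] = (
    "https://mirror.example.invalid/axios/-/axios-0.0.0-placeholder.tgz"
)


if __name__ == "__main__":
    for label, lock, tarball in [
        ("pinned tarball", LOCK, GOOD_TARBALL),
        ("tampered tarball", LOCK, TAMPERED_TARBALL),
        ("wrong registry host", LOCK_WRONG_HOST, GOOD_TARBALL),
    ]:
        findings = check_lock_entry(lock, "node_modules/axios", tarball)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

In a real pipeline the tarball bytes come from the npm cache or a registry proxy rather than from `make_tarball`, and the script runs as a CI gate before the install step is trusted. npm performs the same sha512 comparison itself; running it separately adds the registry-host allowlist, an audit record of what was verified, and a place to fail the build loudly when a `resolved` URL or hash changes without a matching review.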
