Axios Hijack Post-Mortem: How to Audit, Pin, and Automate a Defense

javascript dev.to

On March 31, 2026, the axios npm package was compromised via a hijacked maintainer account. Two versions, 1.14.1 and 0.30.4, were weaponised with a malicious phantom dependency called plain-crypto-js. It functions as a Remote Access Trojan (RAT) that executes during the postinstall phase and silently exfiltrates environment variables: AWS keys, GitHub tokens, database credentials, and anything present in your .env at install time. The attack window was approximately 3 hours (00:21 to 03:29 UTC).
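As an added example (not code from the dev.to post), a small Node.js script that audits an npm 7+ package-lock.json for the two compromised versions and the phantom dependency named above, and checks whether .npmrc turns off install scripts so a postinstall payload cannot run. The sample lockfile, the package names other than axios and plain-crypto-js, and the plain-crypto-js version are constructed.

```javascript
// Indicators taken from the write-up above; everything else is constructed.
const COMPROMISED = { axios: new Set(['1.14.1', '0.30.4']) };
const PHANTOM_DEPS = new Set(['plain-crypto-js']);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Walk every installed entry (nested copies included) and return findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry, not a dependency
    const name = packageName(key);
    const version = entry.version;
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) {
      findings.push({ path: key, name, version, reason: 'compromised version' });
    }
    if (PHANTOM_DEPS.has(name)) {
      findings.push({ path: key, name, version, reason: 'phantom dependency' });
    }
  }
  return findings;
}

// True only if .npmrc ends up with ignore-scripts=true (assumed: last
// assignment wins, as with ini-style config; comments start with # or ;).
function ignoreScriptsEnabled(npmrcText) {
  let enabled = false;
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const m = line.match(/^ignore-scripts\s*=\s*(\S+)/);
    if (m) enabled = m[1] === 'true';
  }
  return enabled;
}

// Constructed sample: a clean top-level axios, a hijacked copy nested under
// another package, and the phantom dependency pulled in alongside it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.7.9' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.0-constructed' },
  },
};
const SAMPLE_NPMRC = '# constructed .npmrc\nignore-scripts=true\n';

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.path}@${f.version}`);
}
console.log(`install scripts blocked: ${ignoreScriptsEnabled(SAMPLE_NPMRC)}`);
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` in CI and fail the build on any finding; lockfile v1 files use a nested `dependencies` tree instead and are not handled here.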
