Meet the Top 101 in Crypto
Security
Complexity Icon Intermediate
6 min read

Malicious Axios npm Packages Trigger Supply Chain Attack: How Attackers Could Access Crypto Wallets and API Keys

Published 07 April 2026
Max Moeller
Authors

Key Takeaways

  • Malicious Axios releases briefly turned a trusted software install into a malware delivery path, putting developer machines and build systems at risk.
  • The biggest danger was the short “install window.” A system could pull the bad version during that window, then look clean later when the package was removed.
  • Crypto companies should care because compromised developer laptops can expose API keys, cloud secrets, wallet-related data, and other sensitive credentials.
  • Lockfiles helped some teams, but they did not protect every workflow, especially fresh installs, npx runs, global installs, and some CI jobs.

Axios, one of the world’s most widely used tools for sending data online, was recently caught in a node package manager (npm) supply chain attack. Malicious package versions were pushed to npm, so when developers installed or updated Axios to versions [email protected], or [email protected], they could also pull hidden malware onto their machines without realizing it.

While the attack is bad in its own right, the deeper lesson for crypto could prove more serious. During a short period on March 31, 2026, attackers slipped the malicious dependency called “plain-crypto-js” into a few Axios versions, and Google and Microsoft warned it could install a cross-platform remote access trojan on Windows, macOS, and Linux systems.

For crypto companies, this matters because a compromised developer laptop could be worth more than a stolen hot wallet. It may hold cloud credentials, API keys, signing tokens, wallet configurations, seed phrase backups, and more, all vulnerable to attack. Google also warned that the wider fallout from recent supply chain attacks could include software-as-a-service (SaaS) compromise, ransomware, extortion, and crypto theft.

New Trending Crypto Wallet Offers
Sponsored
Disclosure
Opened in 2018
Promotions
Trusted, Secure & Crypto Friendly
Coins
Bitcoin Ethereum Tether Wrapped BNB USD Coin +87
Opened in 2017
Promotions
Receive Up to $10 in BTC when you buy and activate a Tangem Wallet.
Coins
Bitcoin Ethereum Tether Wrapped BNB Solana +68
Show More

Time-Dependent Dependency Resolution: A Hidden Supply-Chain Risk

Unfortunately, the risk doesn’t stop at Axios being compromised. Socket’s follow-up denotes that the more difficult problem is time-dependent dependency resolution. Basically, this means the same install command could produce a safe result before the attack, a poisoned result during the attack, and a safe result after the malicious version was removed.

Think of an office vending machine. On most days, pressing B7 gives you a normal snack. But for three hours the B7 snack is swapped with something harmful, and hard to notice at a quick glance. After that period, the normal snack is back. Checking the machine after the fact, everything will look fine, but this does not help the people who got a snack during the bad window.

The Axios attack in detail.
Source: Socket.dev

According to Socket, teams checking their “node_modules” folder may only be seeing part of the issue. A system could have resolved the malicious version during the live window and executed it, yet a later reinstall could still produce a clean dependency tree because npm no longer serves the bad version. This makes the attack much harder to trace after the fact.

Why Crypto Teams are Exposed Without a Direct Axios Dependency

Now, note that this attack was bigger than Axios itself. During the attack window, everyday actions like fresh installs, npx commands, and global installs could still bring in the bad Axios version. Socket’s article provided examples in tools like Datadog CI, AWS Amplify CLI, Gatsby, Slack SDKs, and other widely used tools. These packages were not necessarily infected themselves, but their versions could still have pulled the poisoned Axios package during this short period. 

This matters to crypto startups because their software stack often mixes wallets, analytics, cloud services, payment rails, dashboards, bots, and internal tools. One engineer may run a quick CLI command that can become an entry point. In crypto, attackers do not need to break a blockchain when they can simply break the workstation that pushes to the chain.

As for that workstation, a compromised machine could give attackers access to an exchange’s API keys, wallet-related data, backup files, and far more. Attacks that control a trusted computer can search for anything useful left on it.

Why Common Safety Steps Were Not Enough

Now, some developers use lockfiles to keep their software installs consistent. A lockfile tells a computer the exact versions of software packages to install. Think of a package list as saying: “buy a loaf of bread.” The lockfile modifies the command to say, “buy this exact brand, size, and product number.”

Without a lockfile, your computer may install the newest allowed version of a package. With a lockfile, it installs the same version as before. According to Socket, though, lockfiles only work in this case if the project already has one, its workflow respects the lockfile, and that no new dependencies are created outside of it. The thing is, many workflows do not utilize lockfiles in this way.

But another important detail: an Axios maintainer later said the breach began with a social engineering attack. This means the attacker appears to have tricked a trusted person in order to gain access, making this a people story just as much as it is a software story. Attackers went after a person connected to a trusted part of the software pipeline.

Source: @flaviocopes

For crypto companies, this warning is extremely relevant. Strong smart contracts, good audits, and secure wallet protocols matter, but even these systems cannot protect against a compromised developer.

What Security Researchers Recommend

So what should teams do now?

Security researchers say teams should check for the affected Axios versions and for the malicious “plain-crypto-js” dependency. If these appear anywhere, one should treat the device as compromised, isolate it, and downgrade to safe versions.

After that, Microsoft recommends moving exposed secrets to a safe device, eliminating affected Axios files, and reinstalling a clean version of the tool. 

If you’re not a developer, but a crypto user, know that a blockchain can be secure but the tools around it may not be. The Axios compromise shows how one hidden software change can put API keys, wallet-related information, and valuable internal systems at risk without touching the chain itself. 

FAQs

Which Axios versions were affected?

Researchers identified [email protected] and [email protected] as the malicious releases tied to the attack.

What was plain-crypto-js?

It was a malicious dependency added to the bad Axios releases. Socket says it delivered a multi-stage payload that included a remote access trojan.

Could a team be exposed even if it did not directly depend on Axios?

Yes. Socket says fresh installs, npx runs, global installs, and tools with broad Axios version ranges could still resolve the malicious release during the attack window.

Why does this matter so much for crypto companies?

Because a compromised developer or CI machine may expose API keys, cloud credentials, signing tokens, or wallet-related data that attackers can use to move deeper into a crypto company’s systems. Google warned that recent attacks like this could lead to cryptocurrency theft.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Max Moeller

Max Moeller is a Chicago‑based writer and video editor passionate about games, tech, and crypto. Whether it’s crafting clear, insightful articles or piecing together engaging video retrospectives, he’s driven by curiosity and takes pride in keeping things human. Since 2017, Max has been published in a variety of notable crypto magazines.

Contact Max: [email protected], reach out on LinkedIn or Youtube.

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status