Axios RAT (v1.14.1 / v0.30.4) March 31 Supply-Chain Window
- Entity ID:
ent-20260419-e4f5a0b1c2d5 - Type:
issue - Scope:
shared - Status:
active - Aliases: axios RAT, axios 1.14.1 malicious, axios 0.30.4 malicious, march-31-axios-rat
Description
Two malicious axios package versions (v1.14.1 and v0.30.4) published to npm at 00:21 UTC on March 31, 2026 with an embedded Remote Access Trojan targeting credential exfiltration. Removed from npm at 03:49 UTC (~88-minute exposure window). Independently of the Claude Code source-map leak, developers who npm installed or updated ANYTHING pulling axios between 00:21 and 03:49 UTC received the RAT. Claude Code v2.1.88 shipped ~04:00 UTC, so developers updating Claude Code in that same window were exposed to BOTH events simultaneously — two completely unrelated supply chain incidents in one 88-minute sliver. Security teams that responded to one often missed the other. Recommended response: rotate credentials AND independently audit dependencies, because the axios RAT is active credential-stealing while the source-map leak is passive read-only exposure.
Key claims
- Two unrelated supply-chain events overlapped in an 88-minute window on March 31
Relations
- Axios RAT (v1.14.1 / v0.30.4) March 31 Supply-Chain Window --[related_to]--> TeamPCP Supply Chain Campaign