Source: Security.NL
A widely used software library has been compromised after attackers tricked its main developer into installing malicious software. According to Security.NL, the primary maintainer of the Axios npm library fell victim to a so-called ClickFix social engineering attack, which allowed attackers to publish harmful versions of the library containing a remote access trojan (RAT).
According to Security.NL, attackers impersonated a company founder by cloning real profile data and contact details. They then invited the Axios maintainer into a convincing fake Slack workspace, complete with fabricated LinkedIn links and what appear to have been fake profiles of other open source developers.
From there, the attackers arranged a Microsoft Teams meeting. During that meeting, the maintainer was shown a prompt claiming that software on his system was outdated and that an update needed to be installed. He followed the instruction. The software was not an update. It was a remote access trojan.
Once installed, the RAT gave attackers access to the maintainer's system. According to Security.NL, they were then able to steal session cookies, tokens and other credentials. The attackers used this access to publish malicious versions of the Axios library.
Axios is an HTTP client library used by applications to handle web requests from browsers and Node.js environments. According to Security.NL, the library receives more than one hundred million weekly downloads on npmjs.com. That scale means a compromised version can reach a very large number of systems quickly.
It is not stated how many users downloaded the malicious versions, how long those versions were available, or whether any downstream users were confirmed to have been affected by the RAT.
This type of attack, where criminals build a convincing fake identity and workspace to earn someone's trust before delivering malware, is a reminder that threats do not always arrive through obvious routes like phishing emails. A professional-looking Slack workspace and a Teams meeting can be enough.
If your website or web application uses third-party software libraries, even well-known ones, it is worth knowing where those libraries come from and whether your developer or hosting provider monitors for compromised dependencies. You do not need to understand the technical details yourself, but asking your developer "do we check for security issues in the libraries we use?" is a reasonable question. For a broader overview of steps you can take, see our security checklist for small businesses and our guide on vulnerable plugins.
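One concrete form that "checking the libraries we use" can take is a script run in CI over the project's package-lock.json. The following is an added example, not code from the article or from the Axios project: it flags lockfile entries whose version is on a denylist (the version strings here are constructed placeholders, since the article names none; the real list must come from the package's own advisory) and entries with no integrity hash, which npm cannot verify against the downloaded tarball.

```javascript
// Added example, not code from the article or from the Axios project: audit an
// npm lockfile (lockfileVersion 2/3) for dependency entries that match withdrawn
// or compromised versions, or that carry no integrity hash. Version numbers here
// are CONSTRUCTED placeholders; the real list must come from the package's advisory.
const DENYLIST = { axios: new Set(["0.0.0-placeholder-bad"]) }; // hypothetical

// Flatten lockfile "packages" (install path -> metadata) into plain records.
function collectInstalled(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project, not a dependency
    const i = path.lastIndexOf("node_modules/"); // handles nested and @scoped paths
    const name = i < 0 ? meta.name || path : path.slice(i + "node_modules/".length);
    found.push({ name, version: meta.version, integrity: meta.integrity, path });
  }
  return found;
}

// One finding per entry that is denylisted or cannot be verified against its tarball.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const pkg of collectInstalled(lock)) {
    const bad = denylist[pkg.name];
    if (bad && bad.has(pkg.version)) findings.push({ ...pkg, reason: "denylisted version" });
    else if (!pkg.integrity) findings.push({ ...pkg, reason: "missing integrity hash" });
  }
  return findings;
}

// Constructed sample lockfile (not a real project's): one denylisted axios
// version and one entry that has no integrity field.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "0.0.0-placeholder-bad", integrity: "sha512-PLACEHOLDER" },
    "node_modules/example-dep-a": { version: "2.1.0" },
    "node_modules/example-dep-a/node_modules/@scope/example-dep-b": { version: "3.0.0", integrity: "sha512-PLACEHOLDER" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; exits non-zero on findings.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.reason}: ${f.path}@${f.version}`);
  if (file && findings.length) process.exitCode = 1;
}
```

Run without an argument it audits the embedded sample; a denylist like this only catches versions already known to be bad, so it complements, rather than replaces, maintainer advisories and registry-side monitoring.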