Axios Supply Chain Attack Hit Millions — NFPs Using Web Platforms Should Check Now
Axios supply chain attack impacting not-for-profit web platforms

The Axios JavaScript library — used by an estimated 300 million projects weekly for making web requests — was compromised in a supply chain attack discovered on 31 March. Attackers hijacked the npm account of a core maintainer and published two malicious versions (1.14.1 and 0.30.4) that installed a cross-platform remote access trojan, as reported by iTnews. The malicious packages were live for several hours before being pulled.

For not-for-profits running web-based donation portals, volunteer management systems, or CRM platforms, this matters. Axios is one of the most common building blocks in modern web applications — your developers or platform providers almost certainly use it somewhere. The trojan was designed to harvest credentials and provide persistent remote access to compromised machines across Windows, macOS, and Linux. If your web infrastructure pulled the wrong version during that window, attackers could have a foothold in your systems right now.

The immediate action is straightforward: ask your web developer or platform provider whether your systems use Axios, and if so, confirm they’re running version 1.14.0 or 0.30.3 (the safe versions). If either malicious version was installed, treat it as a potential compromise — check logs for connections to the known command-and-control domain (sfrclak.com) and look for suspicious files on your servers. More broadly, this is a good reminder to ask your IT provider about software supply chain monitoring. Attacks like this are becoming more common, and most organisations have zero visibility into what open-source packages their web apps depend on.

If you’re unsure whether your organisation’s web platforms are exposed, All IT Services can help assess your risk and put monitoring in place to catch these kinds of threats early.
