In late March 2026, compromised axios builds briefly appeared on the npm registry (for example 1.14.1 and 0.30.4 on the affected release lines). The attackers added a malicious dependency and used lifecycle scripts, so an npm install could pull down far more than an HTTP client. This is a pattern seen before in registry incidents, not a bug in axios’ own code.
The bad versions were taken down quickly, but any machine or CI job that installed them in that window should be treated as potentially affected: rotate any secrets those hosts could reach, check install logs and lockfiles for the bad versions, and pin to known-good versions (axios at or below 1.14.0 / 0.30.3 on those lines, per vendor and security advisories).
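The lockfile check above, as an added example (not the page’s or the axios project’s code): a small Node script that walks a package-lock.json, flags the two versions the page names as compromised, and reports whether every other axios entry sits at or below the known-good ceilings quoted above. The sample lockfile, the package name “some-lib” and the file name are constructed for the demo; the statuses “above-ceiling” and “unknown” are this script’s own labels.

```javascript
"use strict";
// Added example, not the page's or the axios project's code: scan an npm
// lockfile for the axios versions the page names as compromised and check
// every remaining axios entry against the known-good ceilings it quotes.

// Versions the page lists as the briefly-compromised builds.
const AFFECTED = new Set(["1.14.1", "0.30.4"]);
// Known-good ceilings the page quotes, keyed by major release line.
const CEILING = { 1: "1.14.0", 0: "0.30.3" };

// "1.14.0" -> [1, 14, 0]; null for anything that is not a dotted triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// -1, 0 or 1 comparing major.minor.patch (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// true/false against the page's ceiling for that line; null when the page
// gives no ceiling for the version's major line.
function isKnownGood(version) {
  const parsed = parseVersion(version);
  if (!parsed || !(parsed[0] in CEILING)) return null;
  return compareVersions(version, CEILING[parsed[0]]) <= 0;
}

// Yield every axios entry. Lockfile v2/v3 lists flat "packages" keyed by
// install path; v1 nests "dependencies" objects, so walk those recursively.
function* axiosEntries(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/axios") && entry.version) yield { path, version: entry.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "axios" && entry.version) yield { path, version: entry.version };
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// One record per axios entry with a status: "affected" (a listed bad build),
// "ok" (at or below the ceiling), "above-ceiling", or "unknown" (other line).
function auditLockfile(lock) {
  return [...axiosEntries(lock)].map(({ path, version }) => {
    let status;
    if (AFFECTED.has(version)) status = "affected";
    else {
      const good = isKnownGood(version);
      status = good === null ? "unknown" : good ? "ok" : "above-ceiling";
    }
    return { path, version, status };
  });
}

// Constructed sample lockfile (v3 shape) for the demo: a direct axios 1.14.1
// and a transitive axios 0.30.3 nested under a hypothetical "some-lib".
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", "some-lib": "2.0.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-lib/node_modules/axios": { version: "0.30.3" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-axios-lock.js [path/to/package-lock.json]
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const results = auditLockfile(lock);
  for (const r of results) console.log(`${r.status.padEnd(14)} ${r.version.padEnd(8)} ${r.path}`);
  process.exitCode = results.some((r) => r.status === "affected") ? 1 : 0;
}
```

Run it against a real lockfile with `node audit-axios-lock.js package-lock.json`; a non-zero exit on any “affected” hit makes it easy to drop into CI. It only looks at what the lockfile resolved, so pair it with `npm ls axios` on machines that may have installed outside the lockfile during the window.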
A small npm setting that helps with “brand new” malware
Recent npm CLI versions support min-release-age: the resolver only installs dependency versions that were published at least N days ago. It does not stop every attack (a malicious version that stays on the registry past the window is still eligible), but it cuts exposure to hijacks where the malicious tarball exists only for hours before npm removes it.
npm config set min-release-age 3
Here 3 means three days (see npm config: min-release-age). You can also pass it per command: npm install --min-release-age=3.
Trade-offs: you need a recent npm CLI (the setting landed in the v11 line; run npm -v and check the config docs for your version). Installs can fail when no published version satisfying a range is “old enough,” for instance a brand-new package or a fresh major release. It is one layer among many; lockfiles, pinning, and reviewing postinstall scripts still matter. But against “hot” malicious publishes, a few days’ delay helps.
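To make the trade-off concrete, here is an added example (not npm’s own code, and a simplification of its resolver) that models the policy: given a registry-style `time` map (version to ISO publish timestamp, the shape a packument carries), it picks the newest version on a major line that is at least N days old, and returns null when nothing qualifies, which is the “install fails” case. The timeline is constructed for the demo and does not reproduce real axios publish dates.

```javascript
"use strict";
// Added example, not npm's own code: a simplified model of min-release-age.
// Real npm resolves full semver ranges; this only filters by major line and
// publish age, which is enough to show why a hot publish gets skipped and
// why an install can fail when every candidate is too young.

const DAY_MS = 24 * 60 * 60 * 1000;

// Candidate versions on `major`, newest publish first. The registry's
// "created"/"modified" bookkeeping keys are not versions and are dropped.
function candidates(time, major) {
  return Object.entries(time)
    .filter(([v]) => /^\d+\.\d+\.\d+$/.test(v) && v.split(".")[0] === String(major))
    .map(([v, t]) => ({ version: v, publishedAt: Date.parse(t) }))
    .sort((a, b) => b.publishedAt - a.publishedAt);
}

// Newest version on the line published at least `minDays` before `now`,
// or null when nothing on the line is old enough (the install-fails case).
function selectWithMinReleaseAge(time, major, minDays, now = Date.now()) {
  const cutoff = now - minDays * DAY_MS;
  for (const c of candidates(time, major)) {
    if (c.publishedAt <= cutoff) return c.version;
  }
  return null;
}

// Constructed timeline (not real registry data): 1.14.1 shows up two hours
// before "now", 1.14.0 ten days before, 1.13.0 forty days before.
const NOW = Date.parse("2026-03-30T12:00:00Z");
const SAMPLE_TIME = {
  created: "2020-01-01T00:00:00.000Z",
  modified: "2026-03-30T10:00:00.000Z",
  "1.13.0": "2026-02-18T12:00:00.000Z",
  "1.14.0": "2026-03-20T12:00:00.000Z",
  "1.14.1": "2026-03-30T10:00:00.000Z",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const days of [0, 3, 30, 60]) {
    const picked = selectWithMinReleaseAge(SAMPLE_TIME, 1, days, NOW);
    console.log(`min-release-age=${days}: ${picked ?? "no eligible version (install fails)"}`);
  }
}
```

With the threshold at 0 the two-hour-old 1.14.1 wins; at 3 days it is skipped and 1.14.0 is chosen; at 30 days even 1.14.0 is too young and the resolver falls back to 1.13.0; at 60 days nothing on the line qualifies and the install fails. That last case is the cost to budget for on a package whose only versions are younger than your threshold.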