Axios Hijack Post-Mortem: How to Audit, Pin, and Automate a Defense

Source: DEV Community
On March 31, 2026, the axios npm package was compromised via a hijacked maintainer account. Two versions, 1.14.1 and 0.30.4, were weaponised with a malicious phantom dependency called plain-crypto-js. It functions as a Remote Access Trojan (RAT) that executes during the postinstall phase and silently exfiltrates environment variables: AWS keys, GitHub tokens, database credentials, and anything present in your .env at install time. The attack window was approximately 3 hours (00:21 to 03:29 UTC) before the packages were unpublished. A single CI run during that window is sufficient exposure.

This post documents the forensic audit and remediation steps performed on a Next.js production stack immediately after the incident.

Why This Happened: The SemVer Caret Problem

Most projects define axios like this:

    "axios": "^1.7.9"

The caret (^) permits any compatible minor or patch release. It means npm install can silently resolve to a newly published 1.14.1 if it satisfies the range. No prompt, n
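To make the caret problem concrete, here is an added example (written for this edit, not code from the original post or from the axios project). It implements the caret-range rule for plain MAJOR.MINOR.PATCH versions, answers the question "could this package.json spec have resolved to one of the two versions named above?", and then scans an npm lockfile for what was actually installed, flagging the named axios versions and any presence of plain-crypto-js. The package.json and lockfile contents, including the plain-crypto-js version number, are constructed sample data; the lockfile shape assumed is the npm v2/v3 "packages" map.

```javascript
// Added example: caret-range resolution and a lockfile audit for the
// versions named in the incident. All sample data below is constructed.

const COMPROMISED = {
  axios: ['1.14.1', '0.30.4'],   // versions named in the post
  'plain-crypto-js': null,       // phantom dependency: any version is a hit
};

// Parse "MAJOR.MINOR.PATCH" into a numeric triple (pre-release tags unsupported).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range: bump the leftmost non-zero component.
// ^1.7.9 -> <2.0.0, ^0.30.4 -> <0.31.0, ^0.0.3 -> <0.0.4
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Does a spec (exact "1.7.9" or caret "^1.7.9") admit the candidate version?
function specAllows(spec, candidate) {
  const c = parseVersion(candidate);
  if (spec.startsWith('^')) {
    const lo = parseVersion(spec.slice(1));
    return compare(c, lo) >= 0 && compare(c, caretUpperBound(lo)) < 0;
  }
  return compare(c, parseVersion(spec)) === 0;
}

// For each declared dependency, list the compromised versions its spec could resolve to.
function exposedSpecs(dependencies) {
  const out = {};
  for (const [name, spec] of Object.entries(dependencies)) {
    const bad = COMPROMISED[name];
    if (!bad) continue;
    const hits = bad.filter((v) => specAllows(spec, v));
    if (hits.length) out[name] = hits;
  }
  return out;
}

// Scan the lockfile "packages" map for what was actually installed.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const bad = COMPROMISED[name];
    if (bad === undefined) continue;
    if (bad === null || bad.includes(entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = { dependencies: { axios: '^1.7.9', next: '14.2.0' } };
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.1' }, // constructed version
    'node_modules/next': { version: '14.2.0' },
  },
};

console.log('specs that admit a compromised version:', exposedSpecs(SAMPLE_PACKAGE_JSON.dependencies));
console.log('lockfile findings:', auditLockfile(SAMPLE_LOCK));
```

Run it against a real package.json and package-lock.json by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))`. The two checks answer different questions: `exposedSpecs` tells you whether a fresh install during the window could have pulled the bad version (a caret spec does; an exact pin does not), while `auditLockfile` tells you whether it actually did.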