
axios-malware-shield

v1.0.2

Published

Protects against malicious Axios supply-chain attacks.

Downloads: 32

🛡️ axios-malware-shield


A zero-dependency, open-source CLI tool to protect your Node.js projects from the Axios supply-chain malware attack (specifically malicious versions 1.14.1 and 0.30.4 which execute the plain-crypto-js payload).

This tool provides both an active alarm system to block malicious installations and an instant cure to permanently patch your project dependencies.


🚨 The Threat

Recently, malicious actors published compromised versions of the popular axios package (e.g., 1.14.1, 0.30.4). These versions contain a post-install script that downloads and executes a malicious payload known as plain-crypto-js.

If your project uses ^ or ~ in its package.json for Axios, or if a deeply nested dependency relies on a compromised version, your CI/CD pipelines and developer machines are at risk.


🛠️ How It Works

axios-malware-shield offers two layers of defense:

  1. The Scanner (--check): Scans package.json and package-lock.json for known malicious Axios versions (1.14.1, 0.30.4) and the malware payload package itself (plain-crypto-js). If found, it instantly aborts the installation process before the malware can be downloaded or executed.
  2. The Patcher (--force-overrides):
    • Remediation: Checks for and automatically deletes the malicious node_modules/plain-crypto-js directory if it exists.
    • Immunization: Safely modifies package.json to inject native package manager protections (overrides for NPM, resolutions for Yarn). This forces your entire dependency tree to resolve to the last known safe version of Axios (1.14.0), permanently neutralizing the threat.

Important: Why 1.14.0? Currently, "latest" versions on the registry are the malicious ones. No safe "higher" version (e.g., 1.14.2) has been verified yet. Pinning to 1.14.0 is the only way to ensure 100% safety until the Axios maintainers reclaim their accounts.
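As an added example that is not axios-malware-shield's own code, here is a scanner in the spirit of the --check step described above: it classifies entries of package.json and package-lock.json against the indicators the README names (axios 1.14.1 / 0.30.4 and plain-crypto-js), handles both the nested v1 lockfile tree and the flat v2/v3 "packages" map, and returns the exit code a preinstall hook would use. The sample manifest and lockfile are constructed.

```javascript
// Added example, not axios-malware-shield's own code: a scanner in the spirit of
// "--check", using the README's indicators and npm's two lockfile shapes
// (v1 nested "dependencies" tree, v2/v3 flat "packages" map).
const MALICIOUS_AXIOS = new Set(["1.14.1", "0.30.4"]);
const PAYLOAD_PKG = "plain-crypto-js";
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Classify one (name, version-or-spec) pair; returns a reason string or null.
function classify(name, version) {
  if (name === PAYLOAD_PKG) return "malware payload package present";
  if (name === "axios" && MALICIOUS_AXIOS.has(version))
    return `axios ${version} is a known malicious version`;
  return null;
}

// Scan package.json and the lockfile. Findings are keyed by path+reason because
// a v2 lockfile carries both the flat map and the nested tree for each package.
function scan(pkgJson, lock) {
  const seen = new Map();
  const report = (where, reason) => { if (reason) seen.set(`${where}|${reason}`, { where, reason }); };
  for (const field of DEP_FIELDS)
    for (const [name, spec] of Object.entries(pkgJson[field] || {}))
      report(`package.json ${field}.${name}`, classify(name, spec));
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    report(path, classify(name, meta.version));
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      report(path, classify(name, meta.version));
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return [...seen.values()];
}
// What a preinstall hook would exit with: 1 aborts npm install, 0 lets it run.
const checkExitCode = (pkgJson, lock) => (scan(pkgJson, lock).length ? 1 : 0);
// Constructed sample: direct axios is safe, but a transitive dependency pulled in
// malicious axios, and the payload package is already in the tree.
const SAMPLE_PKG = { dependencies: { axios: "1.14.0", "some-lib": "2.0.0" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/axios": { version: "1.14.0" },
  "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
  "node_modules/some-lib/node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "0.0.1" },
} };
```

Running `scan(SAMPLE_PKG, SAMPLE_LOCK)` reports the nested malicious axios and the payload package but not the safe top-level axios, so `checkExitCode` returns 1 for this tree.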


🚀 Usage

You can use this tool in two ways, depending on your needs.

Method 1: The Instant Cure (Recommended)

If you just want to immunize your project right now without installing any new permanent dependencies, run this command via npx at the root of your project:

npx axios-malware-shield --force-overrides

What this does: It injects the following block into your package.json:

{
  "overrides": {
    "axios": "1.14.0"
  },
  "resolutions": {
    "axios": "1.14.0"
  }
}

After running the command, simply run npm install or yarn install. Your package manager will forcefully downgrade all instances of Axios to the safe version, bypassing the malware completely.
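The package.json edit described above, written as an added example rather than the project's code: a pure function that injects the overrides and resolutions block shown in the README. It goes one step further and also pins a direct axios dependency to the same exact spec, because npm refuses an override whose spec differs from a direct dependency on that package. The sample manifest is constructed.

```javascript
// Added example, not the project's code: the package.json edit the README shows
// for --force-overrides, as a pure function. Beyond the README's block it also
// pins a *direct* axios dependency to the same exact spec, because npm rejects
// an override whose spec differs from a direct dependency on that package.
const SAFE_AXIOS = "1.14.0"; // last known safe version, per the README
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns { pkg, changes }: a new package.json object and a list of what
// changed (empty when the project is already immunized, so it is idempotent).
function immunize(pkgJson) {
  const pkg = JSON.parse(JSON.stringify(pkgJson)); // never mutate the input
  const changes = [];
  for (const [field, manager] of [["overrides", "npm"], ["resolutions", "yarn"]]) {
    pkg[field] = pkg[field] || {};
    if (pkg[field].axios !== SAFE_AXIOS) {
      changes.push(`${field}.axios -> ${SAFE_AXIOS} (${manager})`);
      pkg[field].axios = SAFE_AXIOS;
    }
  }
  for (const field of DEP_FIELDS) {
    const spec = pkg[field] && pkg[field].axios;
    if (spec !== undefined && spec !== SAFE_AXIOS) {
      changes.push(`${field}.axios ${spec} -> ${SAFE_AXIOS}`);
      pkg[field].axios = SAFE_AXIOS;
    }
  }
  return { pkg, changes };
}

// Constructed sample: a caret range that lets npm select the malicious 1.14.1,
// plus an unrelated override that must survive the edit.
const SAMPLE_PKG_JSON = {
  name: "demo",
  dependencies: { axios: "^1.14.0" },
  overrides: { lodash: "4.17.21" },
};

if (typeof require !== "undefined" && require.main === module) {
  const { pkg, changes } = immunize(SAMPLE_PKG_JSON);
  console.log(changes.join("\n"));
  console.log(JSON.stringify(pkg, null, 2));
}
```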

Method 2: The Active Alarm (Continuous Protection)

If you want to ensure that no developer or CI pipeline accidentally introduces the malware in the future, you can hook the shield into your NPM lifecycle.

1. Install as a dev dependency:

npm install --save-dev axios-malware-shield

2. Add the preinstall hook to your package.json:

{
  "scripts": {
    "preinstall": "axios-malware-shield --check"
  }
}

What this does: Every time someone runs npm install, the shield will scan the lockfiles and dependencies first. If it detects 1.14.1 or 0.30.4, it terminates the process with an error code (Exit 1), stopping the malware dead in its tracks.


🧪 Verifiably Safe

We take security seriously. This tool is continuously tested in fully isolated GitHub Actions environments. Our CI pipeline actively tests multiple scenarios to ensure robust defense mechanisms against the supply chain attack.

Testing Procedures

Our automated integration test suite explicitly verifies the following cases:

  1. Test Malware Override: Evaluates the --force-overrides patcher by simulating a project utilizing malicious Axios version 1.14.1. The test verifies that running the tool injects the overrides correctly, and running npm install subsequently safely downgrades the version to 1.14.0 and prevents the plain-crypto-js payload from ever executing.
  2. Test Malware Pre-install Block: Simulates blocking mechanics where --check is set in the preinstall hook. The test guarantees that an inadvertent npm install of compromised axios stops immediately and terminates with an exit code 1.
  3. Test Direct Malware Checks: Explicitly ensures that the payload malware plain-crypto-js cannot be snuck in via other dependencies. Simulates installations attempting to directly install plain-crypto-js to verify our scanner and pre-install shield actively detects and blocks it.

Testing Workflow Diagram

graph TD
    A[GitHub Actions CI Pipeline] --> B(Patcher Verification)
    A --> C(Scanner / Block Verification)

    subgraph "Patcher Tests"
        B --> B1[Setup environment & add malicious axios]
        B1 --> B2[Run axios-shield --force-overrides]
        B2 --> B3[Run npm install]
        B3 --> B4{Verify secure Axios v1.14.0 is installed <br> & plain-crypto-js is missing}
        B4 -->|Success| B5(Pass)
    end

    subgraph "Scanner Tests"
        C --> C1[Test: Block malicious axios via preinstall]
        C --> C2[Test: Block plain-crypto-js via preinstall]
        C --> C3[Test: Detect plain-crypto-js in dependencies]
        
        C1 --> C1a{Verify installation aborted}
        C2 --> C2a{Verify installation aborted}
        C3 --> C3a{Verify CLI detects malware}

        C1a -->|Success| C4(Pass)
        C2a -->|Success| C4
        C3a -->|Success| C4
    end

📝 License

MIT License. See LICENSE for more information.

Stay safe, verify your dependencies, and protect your pipelines.