How AI‑Assisted Social Engineering Compromised the Popular Axios Module
A recent GitHub issue reveals that attackers used AI‑assisted social engineering—posing as a company founder, creating a fake Slack workspace, arranging Microsoft Teams meetings, and tricking the maintainer into installing a malicious npm package—to inject a trojan into the widely used Axios library, bypassing 2FA and publishing malicious code.
Background
A GitHub issue (https://github.com/axios/axios/issues/10636) reported a supply‑chain compromise of the widely used JavaScript HTTP client Axios. The incident is classified as an AI‑assisted social‑engineering attack.
Attack Flow
Identity spoofing: The attacker created a fictitious persona claiming to be the founder of a legitimate company.
Fabricated collaboration environment: Using AI‑generated assets, the attacker built a fake Slack workspace that replicated the target company’s branding, channel structure, and even fabricated LinkedIn posts and team‑member profiles.
Credibility through video conference: A Microsoft Teams meeting was scheduled, with multiple participants (real or simulated) to increase perceived legitimacy.
Malicious component delivery: During the meeting the attacker claimed the maintainer’s development environment was outdated and urged the installation of a “missing component”. The provided installer was a trojan that, once executed, obtained full administrative control of the maintainer’s workstation.
Bypassing two‑factor authentication: With system control, the trojan extracted the maintainer’s npm and GitHub authentication tokens, disabled or circumvented 2FA, and executed an npm publish command from the compromised machine, publishing a malicious package under the axios namespace.
Technical Details
The malicious package carried the same npm name as the legitimate library, so downstream projects that depended on axios automatically downloaded the compromised version. The attack leveraged the fact that npm does not enforce strict provenance checks for newly published versions when the maintainer’s credentials are compromised.
# Example of the malicious publish command executed by the trojan
npm publish --access public
Implications
This case demonstrates how AI tools can automate the creation of convincing social‑engineering artifacts (Slack workspaces, LinkedIn posts, meeting invites) and how a single compromised maintainer account can affect the entire supply chain of a popular open‑source library.
Mitigation Recommendations
Verify any unsolicited invitation to private communication platforms through an independent channel (e.g., official email or known corporate contacts).
Require multi‑factor authentication that is resistant to token extraction, such as hardware security keys (U2F/FIDO2).
Implement a zero‑trust policy for code contributions: review all changes, enforce signed commits, and require additional reviewer approval for new contributors.
Enable npm’s --provenance flag and use package signing services to validate the origin of published packages.
Monitor npm registry activity for unexpected version bumps of critical dependencies and set up alerts for publishing events from newly created or rarely used accounts.
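The monitoring and provenance recommendations above can be combined into one check over a package's registry metadata; the following is an added example, not code from the original issue or the Axios project. It assumes the npm packument fields `time`, `_npmUser` and `dist.attestations`; the package name, versions, publishers, function name and 72-hour cooldown are constructed for illustration.

```javascript
// Added example: flag registry releases that break a package's publishing pattern.
// The packument below is constructed sample data, not real registry output.
const samplePackument = {
  name: "example-http-client",
  time: {
    "1.4.0": "2025-01-10T09:00:00.000Z",
    "1.4.1": "2025-02-02T09:00:00.000Z",
    "1.4.2": "2025-03-01T03:12:00.000Z",
  },
  versions: {
    "1.4.0": { _npmUser: { name: "ci-release" },
               dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
    "1.4.1": { _npmUser: { name: "ci-release" },
               dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } } },
    "1.4.2": { _npmUser: { name: "maintainer-laptop" }, dist: {} },
  },
};

// Returns [{ version, reasons }] for releases that deserve a manual look.
// cooldownHours is a hypothetical policy value: how long a release must age before it is trusted.
function flagSuspiciousReleases(packument, { now, cooldownHours = 72 }) {
  const ordered = Object.keys(packument.versions)
    .filter((v) => packument.time && packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  const findings = [];
  let hadProvenance = false;          // has any earlier release carried an attestation?
  const seenPublishers = new Set();   // accounts that published earlier releases
  for (const version of ordered) {
    const meta = packument.versions[version];
    const publisher = meta._npmUser ? meta._npmUser.name : "(unknown)";
    const hasProvenance = Boolean(meta.dist && meta.dist.attestations && meta.dist.attestations.provenance);
    const ageHours = (now - Date.parse(packument.time[version])) / 3.6e6;
    const reasons = [];
    if (hadProvenance && !hasProvenance) reasons.push("provenance-dropped");
    if (seenPublishers.size > 0 && !seenPublishers.has(publisher)) reasons.push("new-publisher");
    if (ageHours >= 0 && ageHours < cooldownHours) reasons.push("inside-cooldown");
    if (reasons.length) findings.push({ version, reasons });
    hadProvenance = hadProvenance || hasProvenance;
    seenPublishers.add(publisher);
  }
  return findings;
}

console.log(JSON.stringify(flagSuspiciousReleases(samplePackument, { now: Date.parse("2025-03-02T00:00:00.000Z") })));
```

Each reason is a triage signal rather than proof of compromise: a release published by hand from a workstation legitimately lacks a CI-generated provenance attestation, which is exactly why a sudden switch to that path on a critical dependency is worth an alert.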
Code Mala Tang
