Do we still need axios?


Yesterday a hacker compromised the account of the lead developer of axios — the npm package with around 100 million weekly downloads — and published two malicious versions that included a remote access Trojan targeting macOS, Windows and Linux.

The malicious code was pulled from a staged dependency called "plain-crypto-js" and was designed to self-destruct after execution. It was only live for about three hours, but that was enough: security firm Huntress reported the first infection on a monitored endpoint just 89 seconds after the compromised version was published.

According to StepSecurity, the malicious dependency was staged 18 hours in advance, three payloads were pre-built for three operating systems, and both release branches were poisoned within 39 minutes of each other. Google's security team has linked the attack to a North Korean group that targets cryptocurrency theft.

This got me thinking: do we actually still need axios? The original reason it became so popular was that it gave you a clean, consistent API for making HTTP requests that worked the same way in the browser and in Node.js. But Node.js has had native fetch since version 18 and it's been stable for a while now. The browser has had it for years. So the problem axios originally solved is basically gone.

For my typical axios usage I wrote a simple fetch wrapper called fetchios that mirrors the axios API — same .get(), .post(), .create(), interceptors and all. It works as a drop-in module so I don't have to change the code everywhere: just copy the file into utils, swap the import and remove axios from my dependencies.
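As an added illustration of what such a wrapper looks like (this is example code written for this post, not the author's fetchios), here is a minimal axios-style surface over native fetch: `create()` with defaults and `baseURL`, `get`/`post`, request and response interceptors, JSON handling, and rejection on non-2xx status. It assumes Node 18+ (global `fetch`/`Response`); the optional `fetch` default exists only so the module can be exercised offline with a stub, and rejected-handler interceptors are left out for brevity.

```javascript
// Minimal axios-like wrapper over native fetch. No third-party code involved:
// the whole "dependency" is this file, which you can read in one sitting.
function createFetchios(defaults = {}) {
  const fetchImpl = defaults.fetch || globalThis.fetch; // injectable for tests
  const interceptors = { request: [], response: [] };
  const use = (list) => (fn) => { list.push(fn); return list.length - 1; };

  async function request(config) {
    let cfg = { method: "GET", ...defaults, ...config };
    cfg.headers = { ...(defaults.headers || {}), ...(config.headers || {}) };
    // Request interceptors run in registration order and may rewrite config.
    for (const fn of interceptors.request) cfg = await fn(cfg);

    const url = (cfg.baseURL || "") + cfg.url;
    const init = { method: cfg.method, headers: cfg.headers };
    if (cfg.data !== undefined) {
      init.body = JSON.stringify(cfg.data); // axios serialises objects as JSON
      init.headers = { "content-type": "application/json", ...init.headers };
    }

    const res = await fetchImpl(url, init);
    const text = await res.text();
    let data = text;
    try { data = JSON.parse(text); } catch { /* not JSON: keep the raw body */ }
    let response = { data, status: res.status, headers: res.headers, config: cfg };

    if (!res.ok) { // mirror axios: non-2xx rejects with err.response attached
      const err = new Error(`Request failed with status code ${res.status}`);
      err.response = response;
      throw err;
    }
    for (const fn of interceptors.response) response = await fn(response);
    return response;
  }

  return {
    request,
    get: (url, c = {}) => request({ ...c, url, method: "GET" }),
    post: (url, data, c = {}) => request({ ...c, url, data, method: "POST" }),
    interceptors: {
      request: { use: use(interceptors.request) },
      response: { use: use(interceptors.response) },
    },
  };
}

const fetchios = createFetchios(); // default instance, like `import axios`
fetchios.create = createFetchios;  // `fetchios.create({ baseURL, headers })`
```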

Every dependency you add is a potential attack surface — and this incident is a perfect reminder of that. Maybe it's time to stop running npm install axios by inertia and check what the platform already gives you.