Node.js Module axios 0.30.4 / 1.14.1 Supply Chain Vulnerability

critical Nessus Plugin ID 304406

Synopsis

A module in the Node.js JavaScript run-time environment is affected by a Supply Chain vulnerability.

Description

The version of the axios Node.js module installed on the remote host is 0.30.4 or 1.14.1. It is, therefore, affected by a supply chain vulnerability: an attack targeting the widely used HTTP client Axios introduced a malicious dependency into specific npm releases, including axios@1.14.1 and axios@0.30.4.

The compromised release pulls in a dependency package that Socket has confirmed as malicious. The malicious package deploys a multi-stage payload, including a remote access trojan (RAT) capable of executing arbitrary commands, exfiltrating system data, and persisting on infected machines.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Remove axios versions 1.14.1 and 0.30.4 from the affected system and update to the latest version of axios, which is not affected by this vulnerability. Because the malicious code runs from a transitive dependency, also audit lockfiles and installed node_modules for the compromised release rather than relying on the top-level axios version alone.

See Also

http://www.nessus.org/u?8a9f889f

Plugin Details

Severity: Critical

ID: 304406

File Name: npm-axios-supply-chain-31-03.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 3/31/2026

Updated: 3/31/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/a:axios:axios

Required KB Items: installed_sw/Node.js, Host/nodejs/modules/enumerated

Patch Publication Date: 3/31/2026

Vulnerability Publication Date: 3/31/2026