Axios npm Supply Chain Attack: Incident Analysis & Response Guide#

Publication Date: March 31, 2026
Incident Date: March 31, 2026 (00:21–03:29 UTC)
Severity Level: Critical

Executive Summary#

What This Means#

The Incident#

On March 31, 2026, the Axios JavaScript library—one of the most widely used HTTP request packages in the world—was compromised through an attacker gaining unauthorized access to the npm account of a core maintainer. Two malicious versions (1.14.1 and 0.30.4) were published with hidden code designed to install and execute a remote access tool (RAT) on affected systems. These versions remained live for approximately 2 hours before being detected and removed.

What Was Compromised#

The attack injected malicious code into Axios that automatically installed a hidden dependency named “plain-crypto-js v4.2.1.” This dependency contained a cross-platform backdoor capable of full system access on Windows, macOS, and Linux environments. The payload was designed to avoid detection by running silently and establishing persistent command-and-control communication.

Scale of Exposure#

Axios receives approximately 100 million downloads per week and is present in roughly 80% of cloud infrastructure and development environments globally. However, the actual execution rate was significantly lower than the total exposure: approximately 3% of environments that installed the malicious versions actually executed the malicious code. This lower execution rate results from the dependency being triggered only during specific application initialization sequences and the relatively brief window the malicious versions were available before removal.

What You Need to Do Immediately#

• Audit immediately: Identify all systems and applications using Axios versions 1.14.1 or 0.30.4. Check deployment logs, dependency manifests, and container registries for these specific versions.
• Update urgently: Upgrade to patched versions (1.14.2+ or 0.30.5+) across all development, staging, and production environments. Prioritize systems that may have executed code between the compromise window.
• Investigate exposures: For any systems running the malicious versions, check system logs for unexpected network connections, new processes, or suspicious activity during the incident window.
• Review access controls: Review recent account access logs for compromised systems and change credentials for critical accounts, particularly cloud infrastructure and deployment systems.
• Communicate with customers: If your organization distributes applications using affected versions, notify customers and provide clear upgrade guidance immediately.

Timeline#

• March 31, 2026 (Attack): Malicious versions published to npm
• March 31, 2026 (2-3 hours later): Versions detected and removed; incident publicly disclosed
• Current status: Community efforts underway to identify and remediate affected deployments

Business Risk#

Organizations with unpatched systems face direct risk of data breach, system compromise, and potential ransomware deployment. The backdoor nature of the payload means attackers gained near-complete system access in affected environments. Secondary risks include supply chain contamination—any applications compiled from compromised code may carry the threat forward to customers.

Bottom Line#

Treat this as a critical security incident requiring immediate action on patching and forensics. While the brief availability window limited exposure, any organization using Axios should assume potential compromise and verify system security within the next 24-48 hours.

Attack Summary#

What Was Compromised#

The attack targeted the npm (Node Package Manager) account of Jason Saayman, a core maintainer of the Axios library. Using compromised credentials, the attacker published two malicious versions: Axios 1.14.1 and 0.30.4 to the official npm registry. Rather than modifying Axios’s core code directly, the attacker took a more sophisticated approach by injecting a dependency named “plain-crypto-js v4.2.1” into the package manifest. When users installed these Axios versions, they unknowingly also installed this hidden dependency. The malicious package contained a cross-platform remote access tool (RAT) capable of full system compromise on Windows, macOS, and Linux environments, along with code to establish persistent command-and-control communication.

How It Worked: Attack Chain#

Step 1: Account Compromise. The attack began with unauthorized access to the npm account of Axios’s lead maintainer. The specific compromise method (credential theft, session hijacking, or social engineering) was not publicly disclosed, but this single account controlled publishing permissions for the widely-trusted Axios package.

Step 2: Malicious Dependency Injection. Rather than modifying Axios directly, the attacker introduced a hidden dependency called “plain-crypto-js”—intentionally mimicking the legitimate “crypto-js” package name to avoid detection. This fake version (4.2.1) contained obfuscated malicious code designed to execute automatically.

Step 3: Automatic Execution. When developers installed Axios 1.14.1 or 0.30.4, npm’s package manager automatically triggered the “postinstall” script embedded in the fake “plain-crypto-js” package. This script runs with the same privileges as the user performing the installation—typically a developer’s account, a deployment system, or a CI/CD pipeline runner. The user never explicitly approved or saw this code execute.

Step 4: RAT Deployment. The postinstall script downloaded and executed a platform-specific payload: a remote access trojan customized for the detected operating system. This RAT established an encrypted connection to a command-and-control server, enabling the attacker to execute arbitrary commands, exfiltrate data, install persistent backdoors, or pivot to other systems.

Step 5: Rapid Distribution. Axios receives approximately 100 million downloads per week globally. The malicious versions were published to npm and propagated to dependency mirrors within minutes, potentially reaching hundreds of thousands of development environments and automated systems within the 2-3 hour window before detection.

Discovery & Removal#

Multiple security firms—including Snyk, Wiz, and StepSecurity—detected suspicious activity in Axios’s published versions through automated vulnerability scanning within approximately 2-3 hours of publication. The anomalies flagged: an unexpected new dependency (“plain-crypto-js”), obfuscated code patterns, and network communication to unknown command-and-control servers. npm’s security team was notified and rapidly unpublished versions 1.14.1 and 0.30.4 from the registry. The Axios maintainers secured the compromised npm account, audited the package history, and released patched versions 1.14.2 and 0.30.5 within hours of the incident.

Why This Matters#

This attack reveals critical vulnerabilities in the open-source trust model. Axios is a fundamental dependency trusted by companies, governments, and security-critical systems. A single compromised account cascaded across hundreds of thousands of installations instantly. The malicious code executed automatically during package installation without user approval or visibility—developers never saw a warning or prompt. Most critically, the attack demonstrates that even widely-audited, well-maintained projects can become vectors for supply chain compromise. The brief window between attack and detection (2-3 hours) highlights how difficult it is to prevent malicious code from reaching production systems at scale, even with vigilant security teams monitoring the ecosystem.

Detection & IOCs#

Security teams investigating potential Axios compromise require precise indicators of compromise (IOCs), detection queries, and log sources for hunting. This section provides actionable intelligence for threat hunters, incident responders, and security operations centers (SOCs) to identify infected systems and track the attack across their infrastructure.

Indicators of Compromise#

Indicators of Compromise (IOCs) are forensic artifacts—file hashes, domains, IP addresses, registry keys, file paths, and process signatures—that definitively prove the presence of the Axios malware on a system. IOCs should be ingested into SIEM platforms, endpoint detection and response (EDR) tools, and threat intelligence feeds immediately. When any IOC matches against your environment, initiate incident response procedures.

Table 1: Package Hashes and File Identifiers#

Table 2: C2 Infrastructure IOCs#

Table 3: Behavioral and Process IOCs#

Behavioral Indicators#

Beyond static IOCs, behavioral indicators reveal the attack signature—how the malware executes, communicates, and persists. These patterns are critical for detection in zero-day scenarios where file hashes are unknown.

Process Execution Chains. The Axios attack follows a distinct parent-to-child process pattern. On all platforms, npm install (parent) spawns a node process (parent) which immediately executes the postinstall script setup.js. This script then spawns platform-specific child processes:

Windows:
npm.exe (parent)
├── node.exe (parent)
│   ├── curl.exe (child) → downloads payload from sfrclak.com:8000
│   ├── cscript.exe (child) → executes VBScript persistence
│   └── powershell.exe (child) → modifies registry/filesystem

macOS/Linux:
npm (parent)
├── node (parent)
│   ├── curl (child) → downloads payload from sfrclak.com:8000
│   ├── osascript (child, macOS) → executes AppleScript for persistence
│   ├── python3 (child) → executes /tmp/ld.py payload
│   └── bash (child) → modifies ~/.bashrc or cron entries

Any occurrence of npm/node spawning curl, osascript, cscript, or python3 during package installation warrants immediate investigation.

Network Behavioral Patterns. Infected systems exhibit three distinctive network patterns:

1. Initial C2 Handshake (0-5 seconds post-installation): Single HTTP POST request to sfrclak.com:8000/6202033 containing platform identifier (product0/1/2) and basic system info.

2. Periodic Beaconing (established persistence): Regular HTTP POST requests to sfrclak.com:8000 every 60 seconds, regardless of user activity. This 60-second interval is characteristic and easier to detect than random intervals.

3. Payload Download (command execution): Sudden HTTP GET requests from sfrclak.com:8000 to infected host delivering encrypted second-stage payload, typically 100-500 KB in size.

Monitor for outbound HTTP POST traffic to 142.11.206.73:8000 originating from npm/node processes—this pattern should never occur legitimately.

File System Behavioral Patterns. The malware’s file system behavior reveals intent:

1. Rapid Deployment (0-2 seconds): setup.js downloads second-stage payload to platform-specific path and executes immediately.
2. Anti-Forensics (2-5 seconds): setup.js self-deletes, /tmp/ld.py auto-removes after execution, package.json reverts to clean state.
3. Persistence Establishment (5-30 seconds): RAT modifies startup configurations—Windows registry Run keys, macOS LaunchAgents, Linux cron/systemd entries.

Look for rapid file creation followed by rapid deletion in /tmp, %PROGRAMDATA%, and /Library/Caches directories.

Detection Queries#

Splunk SPL Queries#

Query 1: Malicious Axios Installation

index=main sourcetype="npm:install" OR sourcetype="npm:lockfile"
| search (package_name="axios" AND (package_version="1.14.1" OR package_version="0.30.4"))
  AND (dependencies="plain-crypto-js@4.2.1")
| alert threshold=1 severity=critical

Query 2: Postinstall Script Execution

index=main sourcetype="process_execution" OR sourcetype="sysmon:ProcessCreate"
| search (parent_process IN ["npm", "node"]) AND (working_directory CONTAINS "node_modules")
  AND (child_process IN ["curl", "osascript", "cscript", "python", "bash"])
| alert threshold=1 severity=critical

Query 3: C2 Communication

index=network sourcetype="http:logs" OR sourcetype="firewall"
| search ((src_process IN ["npm", "node"]) AND (dest_ip="142.11.206.73" OR dest_domain="sfrclak.com") AND dest_port=8000)
| alert threshold=1 severity=critical

Query 4: RAT Artifacts

index=main sourcetype="file_operations" OR sourcetype="sysmon"
| search (file_path IN ["%PROGRAMDATA%\wt.exe", "/Library/Caches/com.apple.act.mond", "/tmp/ld.py"])
  AND (created_or_deleted_by IN ["npm", "node", "python", "curl"])
| alert threshold=1 severity=critical

Generic SIEM Detection Logic#

For non-Splunk SIEMs, implement these alert conditions:

Alert 1: axios@1.14.1 or axios@0.30.4 installed with plain-crypto-js@4.2.1 dependency → CRITICAL

Alert 2: npm/node parent spawning curl, osascript, cscript, python, bash from node_modules directory → CRITICAL

Alert 3: Outbound HTTP POST/GET from npm/node process to 142.11.206.73:8000 or sfrclak.com → CRITICAL

Alert 4: File creation/deletion of %PROGRAMDATA%\wt.exe, /Library/Caches/com.apple.act.mond, /tmp/ld.py by npm/node/python → CRITICAL

CLI Verification Commands#

Quick Checks:

npm list axios 2>/dev/null | grep -E "axios@(1\.14\.1|0\.30\.4)"
grep -r "plain-crypto-js" package-lock.json package.json 2>/dev/null
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null        # macOS
dir %PROGRAMDATA%\wt.exe 2>/dev/null                         # Windows
ls -la /tmp/ld.py 2>/dev/null                                # Linux
netstat -anop tcp 2>/dev/null | grep "142.11.206.73"        # C2 connections

Key Log Sources: npm audit logs, process execution logs (Sysmon, auditd), EDR logs, network logs (firewall, proxy), file integrity monitoring, CI/CD pipelines, git history. Hunt in this order: package-lock.json → process execution → C2 communication → file artifacts.

Remediation Procedures#

On March 31, 2026, malicious versions of Axios were distributed through npm. This section provides step-by-step operational procedures for immediate response, short-term mitigation, credential rotation, forensics, and verification. Follow these procedures in order; each action is marked as either MUST DO (critical for safety) or Strongly Recommended (important for completeness).

Immediate Actions (0-2 hours)#

1. Identify affected systems: Query all systems for axios@1.14.1 or axios@0.30.4 in package-lock.json and npm logs

npm list axios | grep -E "1\.14\.1|0\.30\.4"
grep -r "plain-crypto-js@4.2.1" package-lock.json

2. Halt CI/CD pipelines: Disable all npm-related builds and deployments immediately. Notify all teams of supply chain incident.

3. Isolate compromised endpoints: Block outbound traffic to 142.11.206.73:8000 and sfrclak.com at firewall. Snapshot affected systems for forensics.

4. Enable logging: Increase EDR/firewall logging verbosity. Start packet captures of suspicious traffic.

Short-Term Mitigation (2-24 hours)#

1. Upgrade Axios: Update package.json to axios@1.14.2+ or axios@0.30.5+. Run npm install and verify with npm list axios.

2. Verify integrity: Confirm plain-crypto-js is NOT in package-lock.json or node_modules. Clean npm cache: npm cache clean --force && rm -rf node_modules && npm install.

3. Hunt for execution: Search for RAT artifacts on disk and C2 connections in network logs:

grep -E "plain-crypto-js" package-lock.json          # Malicious dependency
ls /Library/Caches/com.apple.act.mond /tmp/ld.py     # RAT files
netstat -anop tcp | grep 142.11.206.73              # C2 beacons

4. Remove persistence: Check and delete any scheduled tasks, cron jobs, or startup scripts added by malware.

# macOS/Linux: Check cron
crontab -l | grep -E "ld.py|wt.exe|act.mond"

# Check Registry for Run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" |
  Where-Object {$_.PSObject.Properties.Name -notmatch "^PS"}

# Check scheduled tasks for suspicious entries
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "NT AUTHORITY\SYSTEM"}

Check LaunchDaemons (macOS), systemd services (Linux), and Scheduled Tasks (Windows) for malware persistence.

Credential Rotation#

Rotate all credentials immediately if RAT was executed:

• npm tokens: npm token revoke [TOKEN_ID]
• GitHub PATs: Delete and recreate in GitHub settings
• SSH keys and database credentials
• Cloud API keys (AWS, Azure, GCP)

Forensics & Recovery#

For systems with execution evidence, preserve:

# Memory dump
sudo dd if=/dev/mem of=/forensics/memory.dump bs=4096

# System artifacts
sudo tar czf /forensics/artifacts.tar.gz /var/log /etc/cron* 2>/dev/null
tar czf /forensics/browser_cache.tar.gz ~/.cache ~/.local 2>/dev/null

Step 2: Determine execution scope

• Review command history: history | tail -100
• Check for exfiltrated data: Monitor C2 domain for data posts in captured traffic
• Identify lateral movement: Search logs for privilege escalation attempts, network reconnaissance

Step 3: Cleanup and reimage decision

• If no RAT execution detected: Run cleanup steps above; no reimaging required
• If RAT execution confirmed: Full system reimaging recommended (RAT may have deeper persistence)
• If lateral movement detected: Isolate system; escalate to incident response team for full forensic investigation

Verification & Sign-Off#

MUST DO. Before declaring a system remediated, complete this checklist for each affected system.

Remediation Sign-Off Checklist#

• Version Updated: Verified axios@1.14.2 or 0.30.5 installed (not 1.14.1 or 0.30.4)
• Cache Cleaned: Ran npm cache clean –force and cache cleared on all package managers
• Malicious Package Removed: plain-crypto-js not found in node_modules or package-lock.json
• IOC Hunt Complete: No C2 connections to 142.11.206.73:8000 or sfrclak.com in logs
• Network Isolated: Firewall rules in place to block C2 infrastructure
• No Persistence Found: No suspicious startup scripts, cron jobs, or scheduled tasks
• Credentials Rotated: npm tokens and GitHub PATs revoked and recreated
• System Tested: Deployed application runs without errors; npm install completes successfully
• 24-Hour Monitoring: System has been monitored for 24 hours post-remediation with no C2 connections

Final verification command (run 24 hours after remediation):

# Confirm no C2 beaconing in past 24 hours
grep -E "142\.11\.206\.73.*8000|sfrclak\.com" /var/log/firewall.log | tail -20
# Expected: No output (or very old entries from incident window)

Remediation Procedures Complete. Once all steps are verified for a system, document completion in your incident management system and update incident status.

Lessons Learned & Prevention#

Root Causes#

Single point of failure: The compromise of jasonsaayman’s npm account (lack of mandatory 2FA, unlimited-scope tokens) gave attackers direct registry access. Unlike GitHub’s branch protections, npm’s token-based publishing has no compensating controls.

Blind CI/CD spot: Organizations secure GitHub repositories but bypass those controls when npm publishing occurs directly via leaked tokens. No cross-system validation ensures npm versions match GitHub releases.

Unrestricted postinstall execution: npm automatically executes postinstall scripts without user confirmation, visibility, or sandboxing. Developers cannot easily inspect scripts before execution.

No package verification: npm registry doesn’t cryptographically sign packages or publish transparency logs. Developers cannot verify that npm versions match source code repositories.

Prevention Strategies#

For npm Maintainers & Registries#

Security controls for high-impact packages:

• Enforce 2FA (hardware keys, not TOTP) for accounts maintaining packages >100K downloads
• Implement package-scoped tokens (limiting scope to specific packages only)
• Enforce quarterly token rotation and expiration
• Cryptographically sign packages; publish transparency logs of all publication events
• Gate postinstall scripts for packages >10M downloads (registry-side review)
• Stage version rollouts (1-2 hours limited distribution + automated scanning before “latest”)

For Organizations Using npm Packages#

Supply chain hardening:

• Pin versions in package-lock.json; commit to git; use npm ci in CI/CD for reproducibility
• Review package-lock.json changes in PRs before merging
• Generate and track SBOMs (SPDX format); detect unexpected dependency injection
• Validate package hashes against published values
• Establish approval workflows for dependency updates on critical systems
• Monitor postinstall script execution via EDR; alert on suspicious subprocess/network activity
• Scan packages before installation (VirusTotal, Snyk)

Detection & Organizational Controls:

• Identify unused dependencies in package.json (red flag for injection)
• Track suspicious version jumps; alert on unexpected updates after inactivity
• Implement SIEM queries for npm install from unusual locations or abnormal process spawning
• Conduct quarterly supply chain attack tabletop exercises
• Establish “critical dependencies” policy with maintainer security assessments
• Appoint supply chain security champion to track threat landscape

Appendix: References & Sources#

Official Advisories#

npm Security Advisory#

• npm Security Advisory: Axios — Official npm registry security notice documenting the compromised axios@1.14.1 and axios@0.30.4 versions with recommended mitigation steps and safe version recommendations.

GitHub Security Advisory#

• GitHub Security Advisory - axios/axios — GitHub’s official security advisory for the axios repository detailing the supply chain compromise incident and coordinated disclosure timeline.

CISA Alert#

• Note: As of March 31, 2026, no official CISA alert has been published. Organizations should monitor CISA’s ICS Alerts portal (https://www.cisa.gov/news-events) for potential sectoral guidance on Node.js supply chain risks related to this incident.

Security Research & Analysis#

Primary Research Sources#

The Hacker News - Initial Coverage

• Axios Supply Chain Attack Pushes Cross-Platform RAT — Comprehensive incident timeline and technical breakdown documenting the attack vector, malicious payload capabilities, and immediate remediation recommendations from leading security researchers.

Socradar - CISO Operational Guidance

• Axios npm Supply Chain Attack: 2026 CISO Guide — Executive-level incident analysis with risk assessment, blast radius estimation, and organizational response framework designed for security leaders managing enterprise npm environments.

StepSecurity - RAT Analysis & Capabilities

• Axios Compromised on npm: Malicious Versions Drop Remote Access Trojan — Deep technical analysis of the custom RAT payload, including obfuscation techniques, platform-specific variants, C2 communication patterns, and post-install script exploitation methodology.

Snyk - Supply Chain Attack Deep Dive

• Axios npm Package Compromised in Supply Chain Attack Delivers Cross-Platform RAT — Vulnerability analysis platform perspective covering dependency injection techniques, npm registry compromise mechanics, and remediation strategies for development teams.

Wiz - Cloud Security Implications

• Axios npm Compromised in Supply Chain Attack — Cloud-focused incident analysis examining the implications for containerized environments, CI/CD pipeline risks, and cloud workload protection strategies.

MITRE ATT&CK Framework Mappings#

Initial Access

• T1195.002: Supply Chain Compromise - Compromise Software Supply Chain — Attack vector: Compromised npm maintainer account and published malicious package versions to official npm registry, achieving direct distribution to thousands of organizations.

Persistence

• T1547.014: Boot or Logon Initialization Scripts - Postinstall Scripts — Malicious postinstall.js script executes automatically during npm install process, establishing initial persistence mechanism before RAT payload delivery.

Execution

• T1059.003: Command and Scripting Interpreter - JavaScript/Node.js — Postinstall script written in Node.js executes with package installation privileges; two-layer obfuscation (Base64 + XOR) evades script-level detection.

Defense Evasion

• T1027.001: Obfuscated Files or Information - Binary Padding — Custom two-layer encoding scheme (reversed Base64 + XOR cipher with key “OrDeR_7077”) obfuscates C2 addresses, commands, and communication patterns.
• T1027.010: Obfuscated Files or Information - Command Obfuscation — Platform detection and conditional payload execution hides OS-specific RAT variants from static analysis.
• T1036.001: Masquerading - Invalid Code Signing — Legitimate axios package signature masks malicious payload; plain-crypto-js@4.2.1 disguised as legitimate cryptographic dependency.

Credential Access

• T1589.001: Gather Victim Identity Information - Credentials — Long-lived classic npm access token obtained from compromised jasonsaayman account enables persistent publishing capability without local re-authentication.

Discovery

• T1082: System Information Discovery — RAT beacon includes system inventory transmission: OS type, architecture, processes, network configuration, user context.

Command and Control

• T1071.001: Application Layer Protocol - Web Protocols — RAT establishes HTTP beacon communication to sfrclak.com:8000 (142.11.206.73) every 60 seconds; obfuscated C2 command reception and response handling.
• T1071.004: Application Layer Protocol - DNS — Potential DNS resolution for C2 domain sfrclak.com prior to HTTP beacon establishment.

Exfiltration

• T1041: Exfiltration Over C2 Channel — RAT capability to exfiltrate system information, file contents, and reconnaissance data through obfuscated C2 channel back to attacker infrastructure.

Impact

• T1561.002: Disk Wipe - Targeted Data Destruction — RAT binary injection and process manipulation capabilities could enable targeted file/system destruction on compromised hosts.

External Resources#

Supply Chain Security Frameworks#

OWASP - Supply Chain Security

• OWASP: Supply Chain Security — Foundation-level guidance on supply chain attack vectors, threat models, and organizational controls for reducing exposure to compromised dependencies.

NIST - Supply Chain Risk Management

• NIST SP 800-53: SC-7 Boundary Protection and Supply Chain Risk Management — Federal framework for managing third-party software and supply chain security risks in organizational environments.

NIST - Secure Software Development Framework (SSDF)

• NIST SP 800-218: Secure Software Development Framework — Practices PO3.3 and PO3.4 specifically address dependency management and supply chain security controls.

npm Ecosystem Security#

npm Security Best Practices

• npm Documentation: Security Best Practices — Official npm guidance on account security, token management, 2FA enablement, and package verification strategies.

npm Token Management

• npm Documentation: Creating and Reading Access Tokens — Detailed documentation on npm access token types (classic vs granular), scoping, rotation procedures, and audit logging.

Document Version & Maintenance#

Document Version: 1.0
Date Compiled: March 31, 2026
Status: Complete