The Axios supply chain attack that surfaced on March 31, 2026, has raised serious concerns across the JavaScript ecosystem, exposing how a compromised npm account can be leveraged to distribute malware at scale. The incident involved poisoned releases of the widely used HTTP client library Axios, where attackers exploited a hijacked Axios maintainer account to silently introduce a cross-platform remote access trojan (RAT).
Security researchers have identified two malicious versions of Axios, 1.14.1 and 0.30.4, published to npm. These releases did not go through the project’s standard GitHub Actions CI/CD pipeline. Instead, they were manually pushed using stolen credentials from a trusted npm account belonging to a core Axios maintainer.
The attacker altered the account’s registered email to a ProtonMail address and used the npm CLI to publish the compromised packages. This bypassed the cryptographic protection typically enforced by trusted publishing workflows, making the malicious releases appear legitimate at first glance.
Hidden Dependency and Malware Deployment
Notably, the malicious code was not embedded directly within Axios itself. Instead, the attacker injected a fake dependency: plain-crypto-js@4.2.1. This package was never referenced in the Axios source code. Its sole purpose was to execute a post-install script that deployed a RAT.
Once installed, the dependency triggered a script (node setup.js) that contacted a live command-and-control (C2) server at http://sfrclak.com:8000/6202033. The malware then delivered platform-specific payloads targeting macOS, Windows, and Linux systems.
After execution, the malicious package removed traces of itself. It deleted its own package.json file and replaced it with a clean decoy version, effectively concealing evidence of compromise during post-installation inspection.
Timeline of the Axios Supply Chain Attack
The Axios supply chain attack was carefully staged over approximately 18 hours:
- March 30, 2026 – 05:57 UTC: A clean version of plain-crypto-js was published to establish credibility.
- March 30, 2026 – 23:59 UTC: The malicious version 4.2.1 was released, introducing the RAT dropper.
- March 31, 2026 – 00:21 UTC: axios@1.14.1 was published using the compromised npm account.
- March 31, 2026 – 01:00 UTC: axios@0.30.4 followed, targeting legacy users.
- ~03:15 UTC: Both malicious Axios versions were removed from npm.
- 03:25 UTC: npm placed a security hold on plain-crypto-js.
- 04:26 UTC: A security placeholder package replaced the malicious dependency.
The poisoned Axios versions remained available for nearly three hours, while the malicious dependency was live for over four hours.
How the Attack Worked
The attacker gained access to a primary Axios maintainer account and used it to publish new versions directly to npm. Unlike legitimate releases, which are tied to GitHub Actions using OIDC authentication, these malicious versions lacked any trusted publisher metadata or corresponding Git commits.
This discrepancy became a key forensic indicator. Legitimate releases showed automated publishing records, while the compromised versions appeared as manually uploaded artifacts.
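The forensic indicator described above can be checked mechanically. The script below is an added example, not tooling from the article or the Axios project: it takes a registry packument (the JSON the public npm registry returns for a package) and flags versions that carry no provenance attestation, record no gitHead commit, or were published by an account whose registered email changed since its previous publish. The field names dist.attestations, _npmUser, gitHead and time are the ones the registry exposes; the packument itself is a constructed sample with placeholder addresses and commit ids, not real registry data.

```javascript
// Added example (not npm's or Axios's own code): audit a registry packument
// for releases that lack the trusted-publishing evidence a CI release carries.
// Assumed registry fields: versions[v].dist.attestations (provenance),
// versions[v].gitHead (commit recorded at publish time),
// versions[v]._npmUser (publishing account) and time[v] (publish timestamp).

function auditVersions(packument) {
  const times = packument.time || {};
  // Walk releases in publish order so an email change is attributed to the
  // first release published after the account's registered address changed.
  const versions = Object.keys(packument.versions || {})
    .sort((a, b) => new Date(times[a] || 0) - new Date(times[b] || 0));
  const lastEmail = new Map(); // publisher name -> email seen on their previous publish
  const findings = [];

  for (const v of versions) {
    const meta = packument.versions[v];
    const reasons = [];
    if (!meta.dist?.attestations?.provenance) reasons.push('no provenance attestation');
    if (!meta.gitHead) reasons.push('no gitHead recorded');
    const user = meta._npmUser;
    if (user) {
      const prev = lastEmail.get(user.name);
      if (prev && prev !== user.email) {
        reasons.push(`publisher ${user.name} email changed ${prev} -> ${user.email}`);
      }
      lastEmail.set(user.name, user.email);
    }
    if (reasons.length) findings.push({ version: v, reasons });
  }
  return findings;
}

// --- constructed sample packument (not real registry data) -----------------
const samplePackument = {
  name: 'axios',
  time: {
    '1.14.0': '2026-03-20T10:00:00.000Z', // constructed date
    '1.14.1': '2026-03-31T00:21:00.000Z', // publish time reported in the article
  },
  versions: {
    '1.14.0': {
      version: '1.14.0',
      gitHead: '0000000000000000000000000000000000000000', // placeholder commit id
      _npmUser: { name: 'maintainer', email: 'maintainer@example.invalid' },
      dist: {
        attestations: {
          url: 'https://registry.example.invalid/attestation', // placeholder
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '1.14.1': {
      version: '1.14.1',
      // no gitHead, no attestations: a manual `npm publish` from the CLI
      _npmUser: { name: 'maintainer', email: 'changed-address@example.invalid' },
      dist: {},
    },
  },
};

for (const f of auditVersions(samplePackument)) {
  console.log(`${samplePackument.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

Against the sample, 1.14.0 passes and 1.14.1 is reported with all three reasons. For a live check of a single release, npm view <package>@<version> dist.attestations shows whether an attestation is attached, and npm audit signatures verifies the attestations and registry signatures of everything in a project's lockfile.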
Dependency Injection Strategy
The attacker inserted plain-crypto-js@^4.2.1 into Axios’s dependency list. This change was subtle; every other dependency remained identical to the previous clean versions.
Because npm automatically installs dependencies, the malicious package executed without requiring any direct interaction from developers. A simple npm install of either poisoned Axios version was enough to trigger the attack.
A review of the Axios codebase confirmed that the injected dependency was never used, making it a “phantom dependency”, a strong indicator of tampering.
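Both observations, the single added dependency and the fact that nothing imports it, can be turned into a check. The script below is an added example, not code from the article or the Axios project: it diffs a suspect package.json against the last known-good one and then reports declared dependencies that none of the package's source files require or import. The manifests and source snippets are constructed samples; the three dependencies in the clean manifest stand in for Axios's real ones and their version ranges are assumed.

```javascript
// Added example (not Axios project code): detect a newly added dependency and
// a "phantom" dependency (declared but never imported by the package's code).
// All manifests and source text below are constructed samples.

const NODE_BUILTINS = new Set([
  'fs', 'path', 'http', 'https', 'url', 'crypto', 'stream', 'zlib', 'events', 'util', 'os',
]);

// Reduce an import specifier to its package name:
// 'lodash/fp' -> 'lodash', '@scope/pkg/sub' -> '@scope/pkg', 'node:fs' / './x' -> null.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null; // relative path
  if (specifier.startsWith('node:')) return null;
  const parts = specifier.split('/');
  const name = specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Every package pulled in via require('x'), import ... from 'x' or a bare import 'x'.
function importedPackages(sources) {
  const found = new Set();
  const re = /(?:require\s*\(\s*|\bfrom\s+|^\s*import\s+)['"]([^'"]+)['"]/gm;
  for (const src of sources) {
    for (const m of src.matchAll(re)) {
      const name = packageNameOf(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

// Dependencies declared in `suspect` that the `baseline` manifest did not declare.
function addedDependencies(baseline, suspect) {
  const before = new Set(Object.keys(baseline.dependencies || {}));
  return Object.entries(suspect.dependencies || {})
    .filter(([name]) => !before.has(name))
    .map(([name, range]) => `${name}@${range}`);
}

// Declared runtime dependencies that no source file imports.
function phantomDependencies(manifest, sources) {
  const used = importedPackages(sources);
  return Object.keys(manifest.dependencies || {}).filter((dep) => !used.has(dep));
}

// --- constructed sample input ----------------------------------------------
const cleanManifest = {
  name: 'axios',
  version: '1.14.0',
  dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'proxy-from-env': '^1.1.0' },
};
const suspectManifest = {
  name: 'axios',
  version: '1.14.1',
  dependencies: { ...cleanManifest.dependencies, 'plain-crypto-js': '^4.2.1' },
};
const sampleSources = [
  "import FormData from 'form-data';\nimport followRedirects from 'follow-redirects';",
  "const proxyFromEnv = require('proxy-from-env');\nconst http = require('node:http');",
];

console.log('added since 1.14.0:', addedDependencies(cleanManifest, suspectManifest));
console.log('declared but never imported:', phantomDependencies(suspectManifest, sampleSources));
```

On the sample, the diff reports plain-crypto-js@^4.2.1 as the only addition and the phantom check names plain-crypto-js as the only declared dependency with no import. A dependency that shows up in both lists at once is exactly the pattern the article describes. In practice the source list would come from walking the package's published files, not its repository, because a manually published tarball need not match any commit.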
Cross-Platform RAT Behavior
The malware deployed different payloads depending on the operating system:
- macOS: Used AppleScript to download and execute a binary stored in /Library/Caches, disguised to resemble a legitimate system process.
- Windows: Leveraged VBScript and PowerShell to download and execute a RAT, while disguising persistence mechanisms as system binaries.
- Linux: Downloaded a Python script (/tmp/ld.py) and executed it in the background using nohup.
Each variant communicated with the same C2 server but used different identifiers to receive tailored payloads. The traffic was designed to resemble legitimate npm registry activity, helping it evade detection.
Anti-Forensics and Stealth
A defining feature of the Axios supply chain attack was its emphasis on evasion. The dropper used layered obfuscation techniques, including XOR encoding and base64 transformations, to hide its logic.
After execution, it erased itself and replaced its configuration files with clean versions. This meant that developers inspecting their node_modules directory after installation would find no obvious signs of compromise.
Runtime analysis revealed a 36-second gap between the initial installation and the cleanup process, just enough time for the malware to establish persistence.
Impact and Response
Axios is one of the most widely used HTTP libraries in the JavaScript ecosystem, with over 300 million weekly downloads. This made the attack particularly dangerous, as even a short-lived malicious release could impact thousands of projects.
Developers who installed axios@1.14.1 or axios@0.30.4 are advised to treat their systems as fully compromised. Safe versions include 1.14.0 and 0.30.3.
Recommended actions include:
- Rotating all credentials, including API keys and tokens
- Reviewing network logs for suspicious outbound connections
- Rebuilding affected systems entirely rather than attempting partial cleanup
- Reinstalling dependencies with scripts disabled
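Two of the actions above, reviewing network logs and confirming whether a project pulled in the poisoned versions, can be scripted against the identifiers the article gives. The script below is an added example, not code from the article or the Axios project: it scans a package-lock.json (lockfile versions 1, 2 and 3) for the two malicious Axios versions and plain-crypto-js 4.2.1, and filters outbound-connection log lines for the C2 host named above. The lockfile and log lines are constructed samples; the log line format is assumed.

```javascript
// Added example (not from the article or the Axios project): find the
// reported malicious versions in a lockfile and the reported C2 host in logs.
// The lockfile and log lines below are constructed samples.

const KNOWN_BAD = { // package name -> versions the article names as malicious
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
const C2_HOST = 'sfrclak.com'; // command-and-control host reported in the article

// Package name from a lockfile v2/v3 path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromLockPath(lockPath) {
  return lockPath.split('node_modules/').pop();
}

function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === '') continue; // root project entry
      const name = nameFromLockPath(lockPath);
      if (KNOWN_BAD[name]?.has(entry.version)) hits.push(`${name}@${entry.version} (${lockPath})`);
    }
    return hits;
  }
  // lockfileVersion 1: nested `dependencies` tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (KNOWN_BAD[name]?.has(entry.version)) hits.push(`${name}@${entry.version} (${prefix}${name})`);
      walk(entry.dependencies, `${prefix}${name}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Keep only log lines that mention the C2 host (assumed "<time> <host> <proc> -> <dest>" format).
function scanConnectionLog(lines) {
  return lines.filter((line) => line.includes(C2_HOST));
}

// --- constructed sample input ----------------------------------------------
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { axios: '^1.14.1' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
  },
};
const sampleLog = [
  '2026-03-31T00:30:12Z dev-box node[4711] -> registry.npmjs.org:443',
  '2026-03-31T00:30:15Z dev-box node[4711] -> sfrclak.com:8000',
  '2026-03-31T00:31:02Z dev-box node[4711] -> registry.npmjs.org:443',
];

console.log('lockfile hits:', scanLockfile(sampleLock));
console.log('suspicious connections:', scanConnectionLog(sampleLog));
```

A lockfile hit means the machine that ran the install should be handled as the article advises, not cleaned in place. When rebuilding, npm ci --ignore-scripts (or ignore-scripts=true in .npmrc) installs the lockfile contents without running any package's install hooks, which is the step that delivered the dropper here.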