Full Report
The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency. Versions 1.14.1 and 0.30.4 of Axios have been found to inject "plain-crypto-js" version 4.2.1 as a fake dependency. According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios
Analysis Summary
# Incident Report: Axios Supply Chain Attack (March 2026)
## Executive Summary
The popular JavaScript HTTP client **Axios** (83+ million weekly downloads) was the target of a sophisticated supply chain attack involving the injection of a malicious dependency called `plain-crypto-js`. Attackers leveraged compromised npm credentials of a primary maintainer to bypass CI/CD pipelines and publish poisoned versions of the package. The attack delivered a cross-platform Remote Access Trojan (RAT) targeting Windows, macOS, and Linux systems.
## Incident Details
- **Discovery Date:** March 31, 2026
- **Incident Date:** March 30–31, 2026
- **Affected Organization:** Axios Open Source Project (and its millions of downstream users)
- **Sector:** Technology / Software Development (Global)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-March 30, 2024
- **Vector:** Credential Theft / Account Takeover
- **Details:** Attackers obtained a long-lived classic npm access token for the maintainer account "jasonsaayman." They updated the account email to a Proton Mail address (`ifstap[.]proton[.me]`) to maintain control.
### Lateral Movement
- **Details:** Using the compromised credentials, the attacker bypassed the GitHub Actions CI/CD pipeline and published directly to the npm registry.
### Data Exfiltration/Impact
- **Details:** Execution of a cross-platform RAT dropper via a `postinstall` script. The malware established command-and-control (C2) to download second-stage payloads tailored to the victim's OS.
### Detection & Response
- **Discovery:** Identified by security researchers at StepSecurity on March 31, 2026.
- **Response Actions:** Malicious versions were pulled from the npm registry; public advisories were issued instructing users to downgrade and rotate secrets.
## Attack Methodology
- **Initial Access:** Compromised npm account of a lead maintainer via stolen access tokens.
- **Persistence:** Changing the maintainer's registered email; installation of platform-specific RATs.
- **Defense Evasion:**
  - The dropper deletes itself after execution.
  - The malicious `package.json` is replaced with a clean version post-infection.
  - Use of fake names/disguises (e.g., renaming a copy of PowerShell to `wt.exe`).
- **Credential Access:** Theft of "classic" long-lived npm auth tokens.
- **Discovery:** System fingerprinting via "setup.js" to determine OS (Windows vs. macOS vs. Linux).
- **Lateral Movement:** N/A (Project-level supply chain injection).
- **Exfiltration:** POST requests to C2 containing system metadata.
- **Impact:** Remote command execution and potential data theft via C++ (macOS), PowerShell (Windows), and Python (Linux) RATs.
## Impact Assessment
- **Financial:** High potential cost for organizations requiring incident response and secret rotation.
- **Data Breach:** Exposure of environment variables, API keys, and credentials stored on developer machines or servers running affected Axios versions.
- **Operational:** Disruption to CI/CD pipelines as organizations scramble to audit and downgrade dependencies.
- **Reputational:** Significant impact on the perceived security of the npm ecosystem and the Axios project.
## Indicators of Compromise
- **C2 Domains:** `sfrclak[.]com:8000`, `packages[.]npm[.]org/product0`, `packages[.]npm[.]org/product1`, `packages[.]npm[.]org/product2`
- **File Indicators:**
  - `plain-crypto-js@4.2.1` (the injected dependency)
  - `/Library/Caches/com.apple.act.mond` (macOS)
  - `%PROGRAMDATA%\wt.exe` (Windows; renamed copy of PowerShell)
  - `/tmp/ld.py` (Linux)
- **Behavioral:** Outbound connections from Node.js processes to an unexpected port (8000) immediately following package installation.
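The indicators above are what a defender would load into a detection rule. The following script is an added example (not part of the StepSecurity advisory or the Axios project): it refangs the defanged C2 entries, matches them against log lines, applies the behavioral rule (a Node.js process connecting to port 8000), and checks file paths against the file indicators. The log format (space-separated `key=value` pairs with `proc`, `dst`, `url` and `file` fields) and the sample log lines are constructed assumptions; adapt `parseLine()` to whatever your EDR or proxy actually emits.

```javascript
// Added example, not from the advisory or the Axios project: match the
// defanged network and file IoCs listed above against constructed log lines.
const DEFANGED_C2 = [
  'sfrclak[.]com:8000',
  'packages[.]npm[.]org/product0',
  'packages[.]npm[.]org/product1',
  'packages[.]npm[.]org/product2',
];
const FILE_IOCS = [
  '/Library/Caches/com.apple.act.mond', // macOS
  '%PROGRAMDATA%\\wt.exe',              // Windows (renamed PowerShell copy)
  '/tmp/ld.py',                         // Linux
];

// "sfrclak[.]com:8000" -> { host: 'sfrclak.com', port: 8000, path: '' }
// "packages[.]npm[.]org/product0" -> { host: 'packages.npm.org', port: null, path: '/product0' }
function refang(ioc) {
  const m = ioc.replace(/\[\.\]/g, '.').match(/^([^:\/]+)(?::(\d+))?(\/.*)?$/);
  return { host: m[1], port: m[2] ? Number(m[2]) : null, path: m[3] || '' };
}

// Assumed log format: space-separated key=value pairs (not a real tool's format).
function parseLine(line) {
  const rec = {};
  for (const kv of line.trim().split(/\s+/)) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Returns the list of indicator hits for one log line (empty if clean).
function matchLine(line, c2 = DEFANGED_C2.map(refang)) {
  const rec = parseLine(line);
  const hits = [];
  if (rec.dst) {
    const [host, portStr] = rec.dst.split(':');
    const port = portStr ? Number(portStr) : null;
    for (const ioc of c2) {
      if (ioc.host !== host) continue;
      if (ioc.port !== null && ioc.port !== port) continue;
      if (ioc.path && !(rec.url || '').startsWith(ioc.path)) continue;
      hits.push(`c2:${ioc.host}${ioc.port !== null ? ':' + ioc.port : ''}${ioc.path}`);
    }
    // Behavioral rule from the report: a Node.js process talking to port 8000
    // is suspicious even when the destination host is not on the list.
    if (hits.length === 0 && rec.proc === 'node' && port === 8000) {
      hits.push('behavior:node->port-8000');
    }
  }
  if (rec.file) {
    const f = rec.file.toLowerCase();
    for (const ioc of FILE_IOCS) {
      if (f === ioc.toLowerCase()) hits.push(`file:${ioc}`);
    }
  }
  return hits;
}

// Scan a whole log and keep only the lines that hit something.
function scanLog(lines) {
  const c2 = DEFANGED_C2.map(refang);
  return lines
    .map((line, index) => ({ index, line, hits: matchLine(line, c2) }))
    .filter(r => r.hits.length > 0);
}

// Constructed sample log (not real telemetry).
const SAMPLE_LOG = [
  'ts=2026-03-31T10:02:11Z proc=node pid=4242 dst=sfrclak.com:8000 url=/',
  'ts=2026-03-31T10:02:12Z proc=node pid=4242 dst=packages.npm.org:443 url=/product1',
  'ts=2026-03-31T10:02:13Z proc=node pid=4242 dst=registry.npmjs.org:443 url=/axios',
  'ts=2026-03-31T10:02:14Z proc=node pid=4243 dst=10.0.0.7:8000 url=/',
  'ts=2026-03-31T10:02:15Z proc=curl pid=4300 dst=example.com:8000 url=/',
  'ts=2026-03-31T10:02:16Z proc=node pid=4243 event=file-create file=/tmp/ld.py',
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(`line ${r.index}: ${r.hits.join(', ')}`);
}
```

Running it prints four hits: the direct C2 connection, the `product1` path on `packages.npm.org`, the behavioral match on an unlisted host, and the Linux dropper path. The behavioral rule is deliberately applied only when no named indicator matched, so that a rotated C2 host still surfaces without double-counting known ones.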
## Response Actions
- **Containment:** Removal of `axios@1.14.1`, `axios@0.30.4`, and `plain-crypto-js@4.2.1` from npm.
- **Eradication:** Users advised to downgrade to `1.14.0` or `0.30.3`.
- **Recovery:** Compulsory rotation of all secrets (API keys, AWS credentials, DB passwords) that were present in environments where the malicious versions were installed.
## Lessons Learned
- **Token Management:** The reliance on "classic" long-lived npm tokens remains a critical failure point for major open-source projects.
- **MFA/Account Security:** Service providers (npm) must enforce stricter verification for email changes on high-impact accounts.
- **Pipeline Integrity:** Direct publishing to registries (bypassing CI/CD) should be alerted upon or restricted by registry policies.
## Recommendations
- **For Maintainers:** Use short-lived OIDC tokens for publishing; enable Two-Factor Authentication (2FA) for all registry actions; monitor for unauthorized email/account changes.
- **For Consumers:** Implement dependency pinning and use tools like `npm audit` or Socket.dev to detect "unusual" dependency additions (like `plain-crypto-js`). Incorporate "lockfile" integrity checks in CI/CD.
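The consumer-side recommendation above (pin dependencies, check the lockfile in CI, flag unusual dependency additions) can be turned into a concrete CI gate. The script below is an added example and not the advisory's or the Axios project's own tooling: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports the four conditions this incident turned on: a version named in the advisory, a dependency that was not present in the last known-good release, a package that runs an install hook (`hasInstallScript`), and a tarball resolved from a host other than the expected registry. The known-bad versions come from this report; the `EXPECTED_DEPS` baseline for axios, the allowed-host list and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example, not from the advisory or the Axios project: audit an npm
// lockfile (v2/v3 "packages" map) for the conditions seen in this incident.
const KNOWN_BAD = {                               // versions named in the advisory above
  axios: ['1.14.1', '0.30.4'],
  'plain-crypto-js': ['4.2.1'],
};
const ALLOWED_HOSTS = ['registry.npmjs.org'];     // assumed: where tarballs should come from
// Assumed baseline: direct dependencies recorded from the last known-good axios 1.x.
const EXPECTED_DEPS = {
  axios: ['follow-redirects', 'form-data', 'proxy-from-env'],
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Returns a list of { pkg, version, reason, detail } findings; empty means clean.
function auditLockfile(lock) {
  const findings = [];
  const add = (pkg, version, reason, detail) => findings.push({ pkg, version, reason, detail });
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue;                     // root project entry, not a dependency
    const name = packageName(key);
    const version = entry.version || '';
    if ((KNOWN_BAD[name] || []).includes(version)) {
      add(name, version, 'known-malicious-version', 'listed in the advisory');
    }
    const expected = EXPECTED_DEPS[name];
    if (expected) {
      for (const dep of Object.keys(entry.dependencies || {})) {
        if (!expected.includes(dep)) add(name, version, 'unexpected-dependency', dep);
      }
    }
    if (entry.hasInstallScript) {
      add(name, version, 'install-script', 'runs a preinstall/install/postinstall hook');
    }
    if (entry.resolved) {
      const host = new URL(entry.resolved).hostname;
      if (!ALLOWED_HOSTS.includes(host)) add(name, version, 'unexpected-source', host);
    }
  }
  return findings;
}

// Constructed sample lockfile (integrity values are placeholders, not real hashes).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.14.0', 'left-pad': '^1.3.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      integrity: 'sha512-CONSTRUCTED',
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '4.2.1' },
    },
    'node_modules/plain-crypto-js': {
      version: '4.2.1',
      resolved: 'https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true,
    },
    'node_modules/follow-redirects': {
      version: '1.15.9',
      resolved: 'https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.9.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://cdn.example.net/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
  },
};

for (const finding of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${finding.reason}: ${finding.pkg}@${finding.version} (${finding.detail})`);
}
```

Against the sample it reports five findings: the poisoned axios version, the `plain-crypto-js` dependency that the baseline does not know, the injected package's own version, its install hook, and the off-registry tarball. To use it on a real project, parse `package-lock.json` with `JSON.parse` and pass the object to `auditLockfile`; a non-empty result should fail the pipeline. The dependency-baseline check is the one that would have caught this incident before a version was ever listed as malicious, which is why the recommendation above stresses unusual dependency additions rather than only known-bad versions.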