The Axios npm package was compromised in a supply chain attack in which attackers published new versions of the package containing malicious code. Any environment that installed these compromised Axios versions is at risk of severe data theft, including the loss of credentials and API keys. Scan your environment now.
Key takeaways
- This incident is a confirmed supply chain attack. The presence of malicious Axios versions (1.14.1 or 0.30.4) signifies a confirmed security breach rather than a potential risk. Organizations must move beyond “patching” and initiate full incident response playbooks for any host where these packages are detected.
- If affected, organizations must immediately quarantine the affected hosts, run their incident response playbooks, and rotate every secret those hosts could reach. In recent supply chain attacks we observed, attackers abused leaked secrets, credentials, and API keys within a couple of hours of the leak, so the window in which defenders can respond is short.
- Because these attacks will keep happening, passive defense is insufficient. Organizations must implement strict security measures — such as minimum package age policies, pinning dependencies, auditing lockfiles, and actively scanning environments — to protect against the next inevitable supply chain compromise.
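The measures in the list above can be enforced at the package-manager level. The following `.npmrc` is an added example, not configuration from the original advisory or from the Axios project: it shows the weak defaults beside hardened values. `ignore-scripts` and `save-exact` are standard npm settings. `minimum-release-age` is an assumption about your tooling: pnpm (10.16 and later) reads it as the number of minutes a version must have been published before it can be installed, while npm ignores unknown keys, so verify the setting against your package manager's documentation before relying on it.

```ini
# Added example, not from the original advisory: .npmrc before and after hardening.

# --- weak: the npm defaults, written out explicitly ---
# ignore-scripts=false
#   lifecycle hooks such as postinstall run on every install
# save-exact=false
#   "npm install axios" records a ^1.x range, so a later install can pull a new version

# --- hardened ---
# postinstall/preinstall never run; rebuild reviewed packages that need them
# explicitly with "npm rebuild <name>" after inspection
ignore-scripts=true

# new dependencies are recorded as exact versions, not ranges
save-exact=true

# Assumption to verify for your tooling: pnpm >= 10.16 reads this as a minimum
# age in minutes (10080 = seven days) before a new version may be installed;
# npm ignores the key.
minimum-release-age=10080
```

With this in place, use `npm ci` rather than `npm install` in CI and on build hosts so that installs follow the audited lockfile exactly instead of resolving ranges against the registry, and treat any lockfile diff that introduces a new dependency as something to review rather than auto-merge.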
Introduction: Axios supply chain compromise
A critical software supply chain attack compromised “Axios,” a highly popular npm package with over 100 million weekly downloads, commonly used as a promise-based HTTP client for the browser and Node.js.
Attackers successfully hijacked a maintainer account and embedded a hidden, malicious dependency into two newly published versions of Axios. The attacker injected a malicious package called “plain-crypto-js” into the dependency tree of the Axios package. The package “plain-crypto-js” utilized a postinstall script to execute a remote access trojan (RAT) dropper during the installation process.
Because the embedded malware executes immediately upon installation of this highly popular NPM package, the scope of this breach is potentially massive. Any environment that downloaded these compromised versions of Axios is at risk of severe data theft, including the loss of credentials and API keys.
Frequently asked questions (FAQs) about Axios supply chain attack
When was the Axios npm package first compromised?
The first malicious versions of Axios were uploaded on March 31, 2026 at 1 AM UTC.
What happened? What did threat actors do?
Attackers hijacked the npm account of Axios’s lead maintainer and published two malicious versions of the Axios package: version “1.14.1” and version “0.30.4”.
Rather than altering Axios’s source code, they added “plain-crypto-js@4.2.1” as a dependency for the Axios package.
Installing “plain-crypto-js” runs a double-obfuscated Node.js dropper (setup.js) through npm’s postinstall lifecycle hook, which npm executes automatically after a package is unpacked. Abusing lifecycle hooks to run code at install time is a very common technique in malicious npm packages, and we expect to see more of it.
Once deobfuscated, the dropper identified the victim’s host operating system and reached out to the attacker’s command and control (C2) server (sfrclak[.]com:8000) to pull a second-stage payload.
The second-stage payload is a RAT tailored to the victim’s OS, with builds for macOS, Windows, and Linux.
Has the Axios developer addressed this issue?
All of the malicious versions of Axios have been removed from the public registry, and the current versions are safe to install. Before reinstalling, confirm that your lockfile and any local caches or registry mirrors no longer reference 1.14.1, 0.30.4, or plain-crypto-js.
How can I tell if I’m running malicious versions of Axios?
To determine if you are affected, scan your environment for the presence of the malicious versions of the affected packages. Look specifically for versions 1.14.1 and 0.30.4 and these other indicators of compromise (IOCs):
| Indicator | Value |
|---|---|
| Malicious package | `axios` version `1.14.1` |
| Malicious package | `axios` version `0.30.4` |
| Malicious package | `plain-crypto-js`, all versions |
| SHA256 of the JavaScript dropper `setup.js` | `e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09` |
| Attacker C2 domain | `sfrclak[.]com` |
If one of the malicious versions is present on a filesystem, it was almost certainly installed through the npm package manager, which means the postinstall dropper ran and the host should be considered compromised.
That’s why you should treat any
[…]