By ByteBot
Attackers compromised axios on March 31, 2026—one of JavaScript’s most critical HTTP clients with 83 million weekly downloads—by hijacking the lead maintainer’s npm account and publishing two malicious versions containing a cross-platform remote access trojan. The attack represents the most sophisticated supply chain compromise ever documented on a top-10 npm package, bypassing GitHub’s CI/CD safeguards with advanced tradecraft that included 18-hour staging, self-erasing malware, and platform-specific payloads for macOS, Windows, and Linux.
Maintainer Account Hijacked, CI/CD Bypassed
The attackers gained control of the jasonsaayman npm account—axios’s lead maintainer—changed the registered email to ifstap@proton.me (an anonymous ProtonMail address), and published malicious versions manually via npm CLI. This completely bypassed the project’s normal GitHub Actions pipeline, which uses cryptographic OIDC verification to ensure package integrity. No corresponding GitHub commits or tags exist for the poisoned releases.
Both malicious versions (axios@1.14.1 and axios@0.30.4) injected a fake dependency called plain-crypto-js@4.2.1 that’s never imported in axios source code. Its only purpose: executing a postinstall script that deployed the RAT. The sophistication shows in the timing—attackers pre-staged the malicious dependency 18 hours before the axios compromise (March 30, 23:59:12 UTC) and hit both release branches within 39 minutes.
Maintainer credentials shouldn’t be the keys to the kingdom. Yet here we are: a single compromised account can distribute malware to 83 million weekly downloads, and legitimate maintainers can’t regain control because the attacker changed the recovery email.
Self-Erasing RAT with Multi-Platform Payloads
The postinstall script deployed a RAT dropper that detected the operating system, contacted a command-and-control server (sfrclak.com:8000), downloaded platform-specific second-stage payloads, established persistence, and self-destructed. The malware used two-layer obfuscation (XOR cipher plus base64) to hide its payload strings before execution.
Each operating system got its own infection vector. On macOS, the dropper downloaded a RAT to /Library/Caches/com.apple.act.mond—a path mimicking Apple’s system cache naming conventions. Windows systems received %PROGRAMDATA%\wt.exe, spoofing Windows Terminal. Linux installations executed a Python dropper at /tmp/ld.py via nohup for background persistence.
The evidence destruction is what makes this particularly dangerous. After infection, the dropper deleted its setup script, removed the malicious package.json, and renamed a pre-staged clean package.md into place. Standard post-infection forensics reveal nothing suspicious without deep system-level analysis. Socket detected the attack within 6 minutes of publication, but by then the poisoned versions were already distributed.
Related: LiteLLM Supply Chain Attack: 3.4M Downloads Compromised via Trivy
Immediate Action Required
If you ran npm install or npm update between March 30 evening and March 31, check your systems now. Downgrade to safe versions immediately: axios@1.14.0 for 1.x users, axios@0.30.3 for 0.x users.
Check if you’re affected with this command:
# Search package-lock.json for compromised versions
grep -r "axios.*1\.14\.1\|axios.*0\.30\.4\|plain-crypto-js" package-lock.json
# Check if malicious dependency was installed
ls node_modules/plain-crypto-js/
If you find evidence of compromise, assume full system compromise. Check for infection artifacts at the paths mentioned above. Rotate all secrets, API keys, and credentials stored on or accessed by that system. Review outbound network connections for contact with sfrclak.com. Consider full system rebuilds for critical infrastructure.
CI/CD systems that ran during the compromise window are particularly dangerous—they may have distributed infected code to production environments, multiplying the attack surface exponentially. Audit your build logs and deployment history.
npm’s Security Model Failures
This is the third major npm supply chain attack in six months. In September 2025, the Shai-Hulud worm poisoned 500+ packages—the first wormable npm malware in history. That same month, the qix compromise hit 18 packages with 2.6 billion weekly downloads combined, targeting cryptocurrency transactions. axios tops them both in operational sophistication.
The pattern is clear: maintainer accounts are single points of failure, email changes happen without additional verification, and manual CLI publishing bypasses CI/CD safeguards. npm’s planned security improvements—mandatory FIDO 2FA, disallowing tokens by default, enforcing trusted publishing—are still in development. Meanwhile, third-party tools like Socket and StepSecurity are catching these attacks, not npm itself.
Developers can’t wait for npm to fix systemic issues. Use npm ci --ignore-scripts in CI/CD to prevent postinstall scripts from running. Pin exact versions in package-lock.json instead of using semver ranges. Employ dependency scanning tools like Socket or Snyk for automated monitoring. Consider native alternatives like the fetch API to reduce your dependency surface.
Key Takeaways
- axios@1.14.1 and axios@0.30.4 are compromised—downgrade to 1.14.0 or 0.30.3 immediately and check for infection artifacts
- The attack bypassed GitHub’s CI/CD safeguards by hijacking maintainer credentials, demonstrating that npm’s security model has fundamental single-point-of-failure vulnerabilities
- Self-erasing malware with platform-specific payloads (macOS, Windows, Linux) and 18-hour staging shows nation-state-level sophistication
- Third-party tools (Socket, StepSecurity) detected the attack within 6 minutes while official npm tooling failed—developers need layered defenses
- Use
--ignore-scriptsin CI/CD, pin exact versions, and employ automated dependency scanning to defend against future attacks
