On the morning of March 31, 2026, one of the most widely used JavaScript libraries in the world was quietly turned into a malware delivery system. For just under three hours, any developer or automated pipeline that ran npm install may have unwittingly handed attackers the keys to their infrastructure.
What Happened
Axios, an HTTP client with roughly 100 million weekly downloads, was compromised through its own trusted distribution channel. The Hacker News An attacker took over the npm account of the primary Axios maintainer (“jasonsaayman”), changed its registered email address to an attacker-controlled ProtonMail address (ifstap@proton.me), and then published two backdoored versions: axios@1.14.1 and axios@0.30.4. StepSecurity
The malicious versions were live on npm for approximately two to three hours, between ~00:21 and ~03:15 UTC, before detection and removal. SANS Institute
Neither version touched a single line of Axios’s actual source code. Instead, both injected a single new dependency, plain-crypto-js@4.2.1, a purpose-built package whose postinstall hook silently downloaded and executed platform-specific second-stage RAT implants from sfrclak[.]com:8000. Elastic
The dropper contacted a live command-and-control server, delivered separate second-stage payloads for macOS, Windows, and Linux, then erased itself and replaced its own package.json with a clean decoy, leaving a developer who inspected their node_modules folder after the fact with no indication anything had gone wrong. Help Net Security The entire process took approximately 15 seconds.
How the Account Was Compromised
The attacker bypassed the normal GitHub Actions OIDC-based CI/CD publishing workflow by publishing directly via the npm CLI using a long-lived access token. One critical detail: even on the v1.x branch where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside OIDC credentials. When both are present, npm uses the token, meaning the long-lived token was effectively the authentication method for all publishes, regardless of OIDC configuration. Huntress
The real maintainer later stated in GitHub issue #10604: “im trying to get support to understand how this even happened. i have 2fa / mfa on practically everything.” Huntress That statement highlights a hard truth: MFA on your login doesn’t protect a long-lived token that was issued before the attack and never rotated.
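Checking a publish workflow for that fallback takes one screen of code. The following is an added example written for this article, not axios's own workflow or code: it scans a GitHub Actions workflow for a publish step that has id-token: write configured but still feeds npm a stored token. The two workflow texts inside it are constructed samples. The hardened variant relies on npm's trusted publishing, which needs a recent npm CLI, so confirm the minimum version in npm's documentation before dropping the token from your own workflow.

```javascript
// Added example (not axios's own workflow): flag a publish workflow that
// configures OIDC trusted publishing but still hands npm a long-lived token.
// When both are present, the npm CLI authenticates with the token, so the
// OIDC setup buys nothing. Both workflow texts below are constructed samples.

const WEAK_WORKFLOW = `
name: publish
on:
  release:
    types: [published]
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}   # long-lived token wins over OIDC
`;

const HARDENED_WORKFLOW = `
name: publish
on:
  release:
    types: [published]
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm publish --provenance          # OIDC only; no stored secret anywhere
`;

// Line-oriented audit: good enough for workflow files, no YAML parser needed.
function auditPublishWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const publishesToNpm = lines.some((l) => /\bnpm\s+publish\b/.test(l));
  const hasOidcPermission = lines.some((l) => /^\s*id-token:\s*write\s*$/.test(l));
  // Any stored secret fed to npm as an auth token is a long-lived credential,
  // whatever it is called. Report 1-based line numbers for the reviewer.
  const tokenLines = lines
    .map((l, i) => ({ n: i + 1, l }))
    .filter(({ l }) => /secrets\.\w*TOKEN\b/i.test(l) || /\bNODE_AUTH_TOKEN\b/.test(l))
    .map(({ n }) => n);
  const findings = [];
  if (publishesToNpm && !hasOidcPermission) {
    findings.push('publishes to npm without id-token: write, so OIDC trusted publishing cannot be used');
  }
  if (publishesToNpm && tokenLines.length > 0) {
    findings.push(`long-lived token supplied on line(s) ${tokenLines.join(', ')}; npm will use it instead of OIDC`);
  }
  return { publishesToNpm, hasOidcPermission, usesLongLivedToken: tokenLines.length > 0, findings };
}

console.log(auditPublishWorkflow(WEAK_WORKFLOW).findings);     // one finding
console.log(auditPublishWorkflow(HARDENED_WORKFLOW).findings); // []
```

Run it over every workflow that calls npm publish, not just the one on the default branch: the axios v1.x workflow had OIDC configured and still shipped the token, and a legacy branch may have its own workflow file.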
Why This Attack Was Different
What makes this incident stand out is the level of premeditation. The attack was pre-staged over roughly 18 hours: the malicious dependency was seeded on npm before the axios releases so that it would not trip “brand-new package” alarms in security scanners. StepSecurity The day before, the threat actor created a throwaway npm account and published a decoy package, plain-crypto-js@4.2.0, to give the name a benign-looking history, then followed it with the malicious 4.2.1. Arctic Wolf The current and legacy release branches were hit within 39 minutes of each other, and platform-specific payloads were pre-built for all three major operating systems. Every step was designed to maximize reach and minimize detection.
The dropper used two layers of obfuscation to avoid static analysis: reversed Base64 encoding with padding character substitution, and an XOR cipher with the key OrDeR_7077. Snyk
The first infection on a Huntress-monitored endpoint landed 89 seconds after axios@1.14.1 was published, consistent with automated CI/CD pipelines and developer machines using caret ranges (^1.x) without locked dependencies. Huntress
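To see why both release lines were exposed at once, here is the caret rule itself, as an added example written for this article rather than code from axios or npm. It handles plain x.y.z versions only; prerelease tags and other range operators are out of scope. The registry snapshots inside it are constructed, not the real publish history.

```javascript
// Added example, not code from axios or npm: the caret-range rule that let
// both release lines pull the backdoored versions. Plain x.y.z versions only;
// prerelease tags and other range operators are out of scope here.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// ^x.y.z allows changes that do not modify the leftmost non-zero component:
// ^1.14.0 -> >=1.14.0 <2.0.0, ^0.30.3 -> >=0.30.3 <0.31.0, ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lo = parseVersion(range.slice(1));
  const [maj, min, pat] = lo;
  const hi = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  return { lo, hi };
}

function caretSatisfies(range, version) {
  const { lo, hi } = caretBounds(range);
  const v = parseVersion(version);
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// What an install without a lockfile does: take the highest published version
// that satisfies the range. Returns null when nothing matches.
function resolveWithoutLock(range, published) {
  const ok = published.filter((p) => caretSatisfies(range, p)).map(parseVersion).sort(compareVersions);
  return ok.length ? ok[ok.length - 1].join('.') : null;
}

// Constructed registry snapshots, not the real publish history.
const V1_LINE = ['1.14.0', '1.14.1'];
const V0_LINE = ['0.30.3', '0.30.4'];
console.log(resolveWithoutLock('^1.14.0', V1_LINE)); // 1.14.1 (backdoored)
console.log(resolveWithoutLock('^0.30.3', V0_LINE)); // 0.30.4 (backdoored)
```

A committed lockfile installed with npm ci short-circuits resolveWithoutLock entirely: the pinned 1.14.0 or 0.30.3 is what gets installed, whatever the registry now offers inside the range.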
The attack bypassed the project’s GitHub Actions CI/CD pipeline entirely by publishing directly via stolen credentials — a reminder that code signing and automated pipelines only protect what they can see.
Who’s Behind It
Google Threat Intelligence Group (GTIG) attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2 — an updated version of a backdoor previously used by this threat actor. Google Cloud
WAVESHAPER.V2 is a direct evolution of WAVESHAPER, a macOS and Linux backdoor previously attributed to UNC1069. While the original used a lightweight binary C2 protocol, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands. Google Cloud
John Hultquist, Chief Analyst at GTIG, noted that North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency, and that the full breadth of this incident remains unclear. Help Net Security
This is not the only active supply chain threat campaign. SANS's early analysis suggested the Axios attack might be connected to the broader TeamPCP supply chain campaign, which between March 19 and 27, 2026 compromised four widely used open-source projects in rapid succession: the Trivy vulnerability scanner, the KICS infrastructure-as-code scanner, the LiteLLM AI proxy library on PyPI, and the Telnyx communications library on PyPI. SANS Institute GTIG, however, has stated that the Axios incident is unrelated to the TeamPCP compromises. Help Net Security If that holds, multiple sophisticated threat actors are running parallel campaigns against open-source infrastructure at the same time.
The Blast Radius
Within the partner base of Huntress, at least 135 endpoints across all operating systems were observed contacting the attacker’s command-and-control infrastructure during the exposure window. Huntress Wiz researchers noted that axios is present in roughly 80% of cloud and code environments, which is what made the exposure so broad, and observed execution of the malicious versions in 3% of affected environments. Help Net Security
Once installed, the RAT beaconed to the C2 server, harvesting SSH keys, cloud credentials (AWS, Azure, GCP), Kubernetes tokens, .env files, API keys, and crypto wallets, with full remote shell access to affected systems.
Mandiant CTO Charles Carmakal warned that the secrets stolen across recent supply chain attacks over the past two weeks will lead to further compromises, crypto theft, ransomware, and extortion events and that the firm is already aware of hundreds of thousands of stolen credentials across multiple campaigns. Bleeping Computer
It’s important to note that end users of apps built with Axios are not directly affected. The infection path is the install/build step, not app runtime, meaning developers, CI/CD pipelines, and build environments are the targets, not browsers loading a site. Malwarebytes
No CVE was assigned to this incident, so vulnerability scanners keyed on CVE identifiers will not flag it.
What to Do
If your organization uses Node.js, check your lockfiles (package-lock.json, yarn.lock) for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1. If any are present:
- Treat affected systems as fully compromised. Do not attempt to clean them; rebuild from a known-clean snapshot or base image.
- Rotate all secrets immediately: npm tokens, cloud access keys, SSH keys, database credentials, API tokens, GitHub tokens. Revoke and reissue rather than rotating in place.
- Downgrade to axios@1.14.0 (1.x) or axios@0.30.3 (0.x).
- Check outbound logs for connections to sfrclak[.]com or 142.11.206.73.
- Audit CI build logs for the March 31, 2026 UTC window to identify which pipelines installed affected versions.
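The lockfile and outbound-log checks from the list above, as an added triage script written for this article (not code from any of the cited vendors). The lockfile and the egress log lines inside it are constructed samples; the package versions, domain and IP are the indicators the reporting names, written without defanging so they match what real logs contain. The hasInstallScript check is a secondary signal only: npm records that flag for packages with lifecycle scripts, which is exactly what the dropper relied on.

```javascript
// Added example (not from any of the cited vendors): a triage script for the
// lockfile and egress-log checks, run on constructed inputs. The IOC versions,
// domain and IP are the ones the reporting names, written here undefanged so
// they match real logs.

const MALICIOUS_VERSIONS = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
  ['plain-crypto-js', new Set(['4.2.1'])],
]);
const C2_INDICATORS = ['sfrclak.com', '142.11.206.73'];

// Works for lockfileVersion 2/3 ("packages" keyed by node_modules path) and
// falls back to the nested "dependencies" tree of lockfileVersion 1.
function findMaliciousInLockfile(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (MALICIOUS_VERSIONS.get(name)?.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [where, meta] of Object.entries(lock.packages)) {
      if (where === '') continue;                        // root project entry
      const name = where.slice(where.lastIndexOf('node_modules/') + 'node_modules/'.length);
      check(name, meta.version, where);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        check(name, meta.version, prefix + name);
        if (meta.dependencies) walk(meta.dependencies, `${prefix}${name}/node_modules/`);
      }
    };
    walk(lock.dependencies, 'node_modules/');
  }
  return hits;
}

// Secondary signal: npm records hasInstallScript for packages with lifecycle
// scripts. A new transitive dependency carrying one deserves a look even when
// its version is not on an IOC list.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([where, meta]) => where !== '' && meta.hasInstallScript === true)
    .map(([where]) => where);
}

// Match egress log lines against the C2 domain and IP, dots escaped literally.
function findC2Contacts(logLines) {
  const pattern = new RegExp(C2_INDICATORS.map((s) => s.replace(/\./g, '\\.')).join('|'));
  return logLines.filter((line) => pattern.test(line));
}

// Constructed lockfile sample in v3 shape.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

// Constructed egress-proxy lines in a generic "time host CONNECT dest verdict" shape.
const SAMPLE_EGRESS_LOG = [
  '2026-03-31T00:23:11Z ci-runner-07 CONNECT registry.npmjs.org:443 allow',
  '2026-03-31T00:23:14Z ci-runner-07 CONNECT sfrclak.com:8000 allow',
  '2026-03-31T01:02:44Z dev-laptop-3 CONNECT 142.11.206.73:8000 allow',
  '2026-03-31T01:05:00Z dev-laptop-3 CONNECT github.com:443 allow',
];

console.log(findMaliciousInLockfile(SAMPLE_LOCK));     // axios 1.14.1 and plain-crypto-js 4.2.1
console.log(packagesWithInstallScripts(SAMPLE_LOCK));  // [ 'node_modules/plain-crypto-js' ]
console.log(findC2Contacts(SAMPLE_EGRESS_LOG));        // the two C2 lines
```

Run the lockfile check against every branch and every CI cache that was live in the window, not just the current default branch: a legacy branch pinned to the 0.x line was exposed just as much as the 1.x one. A clean lockfile today proves nothing about a pipeline that resolved a floating range on March 31.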
Any post-infection inspection of node_modules/plain-crypto-js/package.json will show a completely clean manifest — no postinstall script, no setup.js, no indication anything malicious was ever installed. Running npm audit or manually reviewing the installed package directory will not reveal the compromise. Malwarebytes If you were in the exposure window, assume the worst regardless of what local inspection shows.
The malicious packages have been removed from npm, but damage to systems that installed them during the exposure window is already done.
The Bigger Picture
Supply chain attacks are not new, but this one crystallizes how a single compromised maintainer account — not a zero-day, not a nation-state exploit at the network layer — can become a weapon pointed at millions of systems simultaneously.
The absence of cryptocurrency mining or ransomware components in the payload indicates this is not opportunistic cybercrime, but rather intelligence gathering operations, credential harvesting, source code theft, and preparation for lateral movement. Help Net Security The credentials harvested here are likely fuel for the next wave of attacks.
The harder lessons are structural. OIDC Trusted Publishing offers a stronger publishing model than long-lived tokens, but only if the long-lived tokens are fully revoked rather than left as a fallback. Committed lockfiles, installed with npm ci, stop builds from silently resolving to the newest compatible version. Installing with ignore-scripts enabled blocks lifecycle hooks like the postinstall used here, at the cost of breaking packages that legitimately need them. Monitoring outbound connections from CI runners can catch a compromise within seconds of detonation, as demonstrated here.
Maintainer account security — hardware keys, regular token audits, full revocation of long-lived tokens — is no longer optional. Neither is supply chain monitoring at the registry level.
References
- StepSecurity — axios Compromised on npm: Malicious Versions Drop Remote Access Trojan — https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- Huntress — Supply Chain Compromise of axios npm Package — https://www.huntress.com/blog/supply-chain-compromise-axios-npm-package
- Elastic Security Labs — Inside the Axios supply chain compromise: one RAT to rule them all — https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all
- Google Cloud / GTIG — North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack — https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package
- Snyk — Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT — https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform
- BleepingComputer — Hackers compromise Axios npm package to drop cross-platform malware — https://www.bleepingcomputer.com/news/security/hackers-compromise-axios-npm-package-to-drop-cross-platform-malware
- Help Net Security — Axios npm packages backdoored in supply chain attack — https://www.helpnetsecurity.com/2026/03/31/axios-npm-backdoored-supply-chain-attack
- The Hacker News — Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account — https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
- SANS Institute — Axios NPM Supply Chain Compromise: Malicious Packages Deliver Remote Access Trojan — https://www.sans.org/blog/axios-npm-supply-chain-compromise-malicious-packages-remote-access-trojan
- Arctic Wolf — Supply Chain Attack Impacts Widely Used Axios npm Package — https://arcticwolf.com/resources/blog/supply-chain-attack-impacts-widely-used-axios-npm-package
- Malwarebytes — Axios supply chain attack chops away at npm trust — https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust
- CyberScoop — Attack on axios software developer tool threatens widespread compromises — https://cyberscoop.com/axios-software-developer-tool-attack-compromise