Axios npm packages backdoored in supply chain attack

An unknown attacker has compromised the GitHub and npm accounts of the main developer of Axios, a widely used HTTP client library, and published npm packages backdoored with a malicious dependency that triggered the installation of droppers and remote access trojans.

How the attack unfolded

On March 30, 2026, with an account using a separate throwaway ProtonMail address, the attacker published on NPM a trojanized copy of the popular crypto-js JavaScript library of crypto standards.

This malicious plain-crypto-js@4.2.1 package was designed to look legitimate, but contained a postinstall script/hook that executes automatically on every npm install.

Then, in the early hours (UTC) of March 31, 2026, the attacker used the compromised Axios maintainer account (on which they changed the email to another ProtonMail address to lock out Jason Saayman, the rightful owner), and published backdoored axios releases in relatively quick succession.

These malicious packages – axios@1.14.1 and axios@0.30.4 – contained plain-crypto-js@4.2.1 as a runtime dependency.

“When a developer runs npm install axios@1.14.1 [or axios@0.30.4], npm resolves the dependency tree and installs plain-crypto-js@4.2.1 automatically. npm then executes plain-crypto-js’s postinstall script, launching the dropper [setup.js],” Step Security researchers explained.

“The dropper contacts a live command-and-control server, delivers separate second-stage payloads for macOS, Windows, and Linux, then erases itself and replaces its own package.json [configuration file] with a clean decoy, leaving a developer who inspects their node_modules folder after the fact with no indication anything went wrong.”

According to OpenSourceMalware, the entire process, from installation to full compromise, took approximately 15 seconds.

What to do if you installed the backdoored Axios npm versions

Developers who have installed axios@1.14.1 or axios@0.30.4 should assume their system has been compromised and should isolate it from the network.

Step Security advises:

• Searching for malicious axios versions in their project
• Checking for plain-crypto-js in node_modules (i.e., the folder in a JavaScript project that contains all the installed packages their app needs to run). Its presence means the dropper run.
• Checking for the presence of the system-specific RAT on their system (/Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe on Windows, /tmp/ld.py on Linux).

“If a RAT artifact is found: treat the system as fully compromised. Do not attempt to clean in place – rebuild from a known-good state,” the researchers added.

“Rotate all credentials on any system where the malicious package ran: npm tokens, AWS access keys, SSH private keys, cloud credentials (GCP, Azure), CI/CD secrets, and any values present in .env files accessible at install time.”

They also advised the developer community to:

• Downgrade axios to a clean version (1.14.0 or 0.30.3) and pin it
• Add an overrides block to prevent transitive resolution back to the malicious versions
• Remove plain-crypto-js from node_modules
• Audit CI/CD pipelines for runs that installed the affected versions and rotate secrets for any workflow that executed them
• use –ignore-scripts in CI/CD to prevent postinstall hooks from running during automated builds
• Block known malicious C2 traffic to/from 142.11.206.73 and sfrclak.com.

Widespread impact

The malicious Axios NPM packages were live for approximately 2 hours 53 minutes and 2 hours 15 minutes, the researches said.

“Although the malicious versions were removed within a few hours, axios’s widespread usage – present in ~80% of cloud and code environments and downloaded ~100 million times per week – enabled rapid exposure, with observed execution in 3% of affected environments,” Wiz researchers noted.

The extensive system reconnaissance, file enumeration, and process monitoring indicate intelligence gathering operations, credential harvesting, source code theft, and preparation for lateral movement, according to OpenSourceMalware.

The absence of cryptocurrency mining or ransomware components indicates that this is not financially motivated cybercrime, but rather espionage or advanced persistent threat (APT) activity.

This compromise comes just days after financially-motivated TeamPCP effected a series of cascading supply chain attacks that targeted Aqua’s Trivy security scanner, CheckMarx’s VS Code extensions, LiteLLM, and Telnyx.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!