Axios Supply Chain Attack Exposes Developers to Hidden Malware Threats


On March 31, 2026, the cybersecurity landscape was shaken by a significant supply chain attack targeting the popular JavaScript library, Axios. This incident highlighted the vulnerabilities inherent in the npm ecosystem, demonstrating how a compromised maintainer account can facilitate the widespread distribution of malware. Attackers exploited a hijacked Axios maintainer account to introduce a cross-platform remote access trojan (RAT) through poisoned releases of the library.

Security researchers identified two malicious versions of Axios, specifically 1.14.1 and 0.30.4, which were published to npm without undergoing the standard GitHub Actions CI/CD pipeline. Instead, these releases were manually pushed using stolen credentials from a trusted npm account belonging to a core Axios maintainer. The attackers altered the account’s registered email to a ProtonMail address, allowing them to bypass the cryptographic protections typically enforced by trusted publishing workflows. As a result, the malicious releases initially appeared legitimate.

Hidden Dependency and Malware Deployment

Crucially, the malicious code was not embedded directly within Axios itself. Instead, the attackers injected a fake dependency, plain-crypto-js@4.2.1, which was never referenced in the Axios source code. This package’s sole purpose was to execute a post-install script that deployed the RAT. Once installed, the dependency triggered a script (node setup.js) that contacted a live command-and-control (C2) server at http://sfrclak.com:8000/6202033. The malware then delivered platform-specific payloads targeting macOS, Windows, and Linux systems.

After execution, the malicious package erased traces of its presence by deleting its own package.json file and replacing it with a clean decoy version. This tactic effectively concealed evidence of compromise during post-installation inspections.

Timeline of the Axios Supply Chain Attack

The Axios supply chain attack unfolded over approximately 18 hours, following a carefully orchestrated timeline:

  • March 30, 2026 – 05:57 UTC: A clean version of plain-crypto-js was published to establish credibility.
  • March 30, 2026 – 23:59 UTC: The malicious version 4.2.1 was released, introducing the RAT dropper.
  • March 31, 2026 – 00:21 UTC: axios@1.14.1 was published using the compromised npm account.
  • March 31, 2026 – 01:00 UTC: axios@0.30.4 followed, targeting legacy users.
  • ~03:15 UTC: Both malicious Axios versions were removed from npm.
  • 03:25 UTC: npm placed a security hold on plain-crypto-js.
  • 04:26 UTC: A security placeholder package replaced the malicious dependency.

The poisoned Axios versions remained available for nearly three hours, while the malicious dependency was live for over four hours.

How the Attack Worked

The attacker gained access to a primary Axios maintainer account and utilized it to publish new versions directly to npm. Unlike legitimate releases, which are tied to GitHub Actions using OIDC authentication, these malicious versions lacked any trusted publisher metadata or corresponding Git commits. This discrepancy became a key forensic indicator, as legitimate releases showed automated publishing records, while the compromised versions appeared as manually uploaded artifacts.
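The forensic indicator described above can be checked mechanically from the registry metadata. The following Node.js script is an added example, not Axios project code or tooling from the original report: it assumes the npm registry packument shape in which versions published with provenance carry a dist.attestations object (with a url and a provenance.predicateType), while manually uploaded versions have no such field. The packument fragment and timestamps are constructed for the example, and the attestation URL is a placeholder.

```javascript
// Added example (not Axios project code): flag versions of a package that were
// published without provenance attestations after earlier versions had them.
// Assumption: the registry packument exposes provenance as dist.attestations.

// Constructed packument fragment in the shape of https://registry.npmjs.org/<name>.
// The attestation URL below is a placeholder, not a real registry record.
const SAMPLE_PACKUMENT = {
  name: 'axios',
  versions: {
    '1.14.0': {
      version: '1.14.0',
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/axios@1.14.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    // A manually uploaded version: no trusted-publisher metadata at all.
    '1.14.1': { version: '1.14.1', dist: {} },
  },
  // Constructed publish timestamps, keyed by version as in a real packument.
  time: {
    '1.14.0': '2026-03-01T00:00:00.000Z',
    '1.14.1': '2026-03-31T00:21:00.000Z',
  },
};

// True when the version entry carries a provenance attestation record.
function hasProvenance(versionEntry) {
  const att = versionEntry.dist && versionEntry.dist.attestations;
  return Boolean(att && att.url && att.provenance);
}

// Walk versions in publish order and return those that dropped provenance
// after at least one earlier version had it. A non-empty result is the
// "manual upload after automated releases" pattern worth investigating.
function provenanceRegressions(packument) {
  const versions = Object.keys(packument.versions).sort(
    (a, b) => new Date(packument.time[a]) - new Date(packument.time[b]),
  );
  const regressions = [];
  let seenAttested = false;
  for (const v of versions) {
    if (hasProvenance(packument.versions[v])) {
      seenAttested = true;
    } else if (seenAttested) {
      regressions.push(v);
    }
  }
  return regressions;
}

// Usage against the constructed data; with a real packument, pass the parsed
// JSON from the registry instead.
console.log('versions lacking provenance after attested ones:', provenanceRegressions(SAMPLE_PACKUMENT));
```

A version that shows up in this list is not proof of compromise on its own (a project may simply never have adopted provenance), but for a project whose releases are normally tied to GitHub Actions OIDC it is exactly the break in pattern that the incident's responders relied on.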

Dependency Injection Strategy

The attacker subtly inserted plain-crypto-js@^4.2.1 into Axios’s dependency list, ensuring that every other dependency remained identical to the previous clean versions. Because npm automatically installs dependencies, the malicious package executed without requiring any direct interaction from developers. A simple npm install was sufficient to trigger the attack. A review of the Axios codebase confirmed that the injected dependency was never used, marking it as a “phantom dependency,” a strong indicator of tampering.
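Two checks a defender can run on a project after an incident like this follow, as an added Node.js example that is not Axios project code: a scan of a lockfileVersion 3 package-lock.json for the known-bad versions and for any package carrying an install script (npm records this as hasInstallScript in the lockfile), and a phantom-dependency check that lists declared dependencies no source file ever requires or imports. The lockfile fragment and source files are constructed for the example; the bad version numbers come from the report above.

```javascript
// Added example (not Axios project code): lockfile scan plus phantom-dependency check.

// Known-bad versions taken from the incident report; everything else is constructed.
const KNOWN_BAD = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Constructed lockfile fragment (lockfileVersion 3: packages keyed by node_modules path).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '^4.2.1' },
    },
    'node_modules/follow-redirects': { version: '1.15.9' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};

// Package name from a lockfile path such as node_modules/a/node_modules/@s/b.
function nameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Report known-bad versions and every package that would run an install script.
function scanLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = nameFromPath(lockPath);
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(entry.version)) {
      findings.push(`known-bad ${name}@${entry.version}`);
    }
    if (entry.hasInstallScript) {
      findings.push(`install-script ${name}@${entry.version}`);
    }
  }
  return findings;
}

// Reduce an import specifier to its package name: 'axios/lib/x' -> 'axios',
// '@scope/pkg/sub' -> '@scope/pkg'. Relative paths and node: built-ins are not packages.
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/') || specifier.startsWith('node:')) {
    return null;
  }
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Matches require('x'), import ... from 'x' and side-effect import 'x'.
const IMPORT_RE = /(?:require\(\s*|from\s+|import\s+)['"]([^'"]+)['"]/g;

// Declared dependencies that no source file ever imports: the phantom-dependency signal.
function phantomDependencies(declared, sources) {
  const used = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) used.add(name);
    }
  }
  return Object.keys(declared).filter((dep) => !used.has(dep));
}

// Constructed source files standing in for the package under review.
const SAMPLE_SOURCES = {
  'lib/adapters/http.js': "const followRedirects = require('follow-redirects');\nconst url = require('node:url');",
  'lib/axios.js': "import utils from './utils.js';\n",
};

console.log('lockfile findings:', scanLock(SAMPLE_LOCK));
console.log('phantom dependencies:',
  phantomDependencies(SAMPLE_LOCK.packages['node_modules/axios'].dependencies, SAMPLE_SOURCES));
```

On a real project, load package-lock.json with JSON.parse and read the package's own files from node_modules; a dependency that is declared but never imported deserves the same scrutiny here that plain-crypto-js would have received had anyone diffed the manifest against the code.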

Cross-Platform RAT Behavior

The malware deployed different payloads depending on the operating system:

  • macOS: Utilized AppleScript to download and execute a binary stored in /Library/Caches, disguised as a legitimate system process.
  • Windows: Leveraged VBScript and PowerShell to download and execute a RAT, while disguising persistence mechanisms as system binaries.
  • Linux: Downloaded a Python script (/tmp/ld.py) and executed it in the background using nohup.

Each variant communicated with the same C2 server but used different identifiers to receive tailored payloads. The traffic was designed to resemble legitimate npm registry activity, aiding in evading detection.

Anti-Forensics and Stealth

A defining feature of the Axios supply chain attack was its emphasis on evasion. The dropper employed layered obfuscation techniques, including XOR encoding and base64 transformations, to conceal its logic. After execution, it erased itself and replaced its configuration files with clean versions, ensuring that developers inspecting their node_modules directory post-installation would find no obvious signs of compromise. Runtime analysis revealed a 36-second gap between the initial installation and the cleanup process, providing just enough time for the malware to establish persistence.

Impact and Response

Axios is one of the most widely utilized HTTP libraries in the JavaScript ecosystem, boasting over 300 million weekly downloads. This made the attack particularly dangerous, as even a short-lived malicious release could impact thousands of projects. Developers who installed axios@1.14.1 or axios@0.30.4 are advised to treat their systems as fully compromised. Safe versions include 1.14.0 and 0.30.3.

Recommended actions for affected developers include:

  • Rotating all credentials, including API keys and tokens.
  • Reviewing network logs for suspicious outbound connections.
  • Rebuilding affected systems entirely rather than attempting partial cleanup.
  • Reinstalling dependencies with scripts disabled.
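The network-log review and the decision about which systems to rebuild can be scripted. The following is an added Node.js example, not tooling from the report: it scans constructed egress-log lines (a made-up "timestamp source host:port path" format standing in for whatever proxy or firewall log a team keeps) for the C2 host named above, and lists the source hosts that reached it so they can be queued for rebuild rather than partial cleanup.

```javascript
// Added example (not from the incident report): match egress logs against the
// C2 indicator from the report and derive the list of hosts to rebuild.

// Indicator from the report: the C2 host the dropper contacted.
const IOC_HOSTS = new Set(['sfrclak.com']);

// Constructed log lines in a made-up "timestamp source dest-host:port path" format.
// Only the third line matches the indicator; the others are ordinary npm/GitHub traffic.
const SAMPLE_LOG = `
2026-03-31T00:30:12Z build-agent-7 registry.npmjs.org:443 /axios
2026-03-31T00:30:14Z build-agent-7 registry.npmjs.org:443 /plain-crypto-js/-/plain-crypto-js-4.2.1.tgz
2026-03-31T00:30:51Z build-agent-7 sfrclak.com:8000 /6202033
2026-03-31T00:31:02Z dev-laptop-3 registry.npmjs.org:443 /axios
2026-03-31T00:31:05Z build-agent-7 github.com:443 /axios/axios
`.trim().split('\n');

// Parse one constructed log line into its fields.
function parseLine(line) {
  const [ts, src, dest, path] = line.trim().split(/\s+/);
  const [host, port] = dest.split(':');
  return { ts, src, host: host.toLowerCase(), port: Number(port), path };
}

// Every log entry whose destination host is a known indicator.
function findC2Hits(lines) {
  return lines.map(parseLine).filter((e) => IOC_HOSTS.has(e.host));
}

// Distinct source hosts that reached the C2: these are rebuilt, not cleaned.
function affectedHosts(lines) {
  return [...new Set(findC2Hits(lines).map((e) => e.src))].sort();
}

console.log('C2 hits:', findC2Hits(SAMPLE_LOG));
console.log('hosts to rebuild:', affectedHosts(SAMPLE_LOG));
```

Matching on the host alone is deliberate: the report notes that the C2 port and path varied per platform identifier, so a filter that also required port 8000 or the exact path would miss variants. Any credential that was present on a host in the rebuild list is rotated as part of the same response.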

For further details on this incident, refer to the original reporting source: thecyberexpress.com.
