{"id":54609,"date":"2026-03-31T14:00:06","date_gmt":"2026-03-31T10:00:06","guid":{"rendered":"https:\/\/azat.tv\/en\/?p=54609"},"modified":"2026-04-06T22:28:13","modified_gmt":"2026-04-06T18:28:13","slug":"axios-supply-chain-attack-npm-security","status":"publish","type":"post","link":"https:\/\/azat.tv\/en\/axios-supply-chain-attack-npm-security\/","title":{"rendered":"Axios Supply Chain Attack: What Developers Need to Know Now"},"content":{"rendered":"<div style=\"background: #f7fafc; padding: 15px;\">\n<p><strong>Quick Read<\/strong><\/p>\n<ul>\n<li>Axios versions 1.14.1 and 0.30.4 contain a malicious dependency that deploys a cross-platform RAT.<\/li>\n<li>The attack, likely conducted by an APT actor, aims for intelligence gathering and credential harvesting rather than financial gain.<\/li>\n<li>Developers must immediately downgrade to version 1.14.0 or 0.30.3 and rotate all system credentials if compromise is detected.<\/li>\n<\/ul>\n<\/div>\n<p>A high-stakes supply chain attack has targeted the widely used Axios HTTP client, resulting in the distribution of a cross-platform remote access trojan (RAT) through the npm registry. Security researchers at StepSecurity and Socket confirmed that versions 1.14.1 and 0.30.4 of Axios were compromised after attackers gained control of the primary maintainer\u2019s npm account.<\/p>\n<h2>Understanding the Axios Compromise and Payload<\/h2>\n<p>The attackers bypassed standard security protocols by hijacking the account of maintainer Jason Saayman, allowing them to publish malicious versions of the package directly to npm. This circumvented the project&#8217;s established GitHub Actions CI\/CD pipeline, making the poisoned versions appear legitimate to many automated systems. 
According to analysts, the attack was highly coordinated, with the malicious dependency <em>plain-crypto-js<\/em> being staged 18 hours before the Axios updates were released.<\/p>\n<p>Once installed, the malicious dependency executes a hidden <em>postinstall<\/em> script designed to drop a RAT tailored to the host operating system. On macOS, the malware fetches a binary and executes it via AppleScript; on Windows, it masquerades as the Terminal application; and on Linux, it deploys a Python-based script. The malware is specifically engineered to cover its tracks by deleting the initial script and restoring a clean version of the <em>package.json<\/em> file to evade detection during forensic audits.<\/p>\n<h2>Stakes and Scope of the Attack<\/h2>\n<p>With Axios facilitating hundreds of millions of weekly downloads across major enterprise frameworks, the potential blast radius of this breach is significant. Unlike typical opportunistic attacks involving crypto-miners, this campaign exhibits the hallmarks of an Advanced Persistent Threat (APT). Security experts note that the absence of financial-gain markers suggests the primary objective is intelligence gathering and credential harvesting, with evidence of reconnaissance targeting sensitive <em>.ssh<\/em> and <em>.aws<\/em> directories.<\/p>\n<p>Beyond the primary Axios versions, researchers identified that the malicious <em>plain-crypto-js<\/em> dependency has also been distributed through other packages, including <em>@shadanai\/openclaw<\/em> and <em>@qqbrowser\/openclaw-qbot<\/em>. These findings underscore the danger of vendored dependencies in the modern JavaScript ecosystem.<\/p>\n<h2>Immediate Remediation Steps for Developers<\/h2>\n<p>Developers are urged to audit their environments immediately. If you have installed Axios versions 1.14.1 or 0.30.4, you must downgrade to versions 1.14.0 or 0.30.3 and remove the <em>plain-crypto-js<\/em> package from your <em>node_modules<\/em> directory. 
Furthermore, security teams should scan network logs for traffic to the command-and-control domain <em>sfrclak.com<\/em> or the IP address <em>142.11.206.73<\/em>. If any artifacts of the RAT are discovered, it must be assumed that the system is compromised, and all credentials, including SSH keys and cloud access tokens, should be rotated immediately.<\/p>\n<p><em>The precision of the self-destructing forensic cleanup and the strategic staging of the decoy dependency indicate that this breach was a targeted operation rather than a random injection, signaling a shift toward more sophisticated, long-term intelligence gathering tactics within the open-source software supply chain.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated supply chain attack on the Axios HTTP client has compromised versions 1.14.1 and 0.30.4, deploying a cross-platform remote access trojan.<\/p>\n","protected":false},"author":1,"featured_media":-1,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"googlesitekit_rrm_CAow5Nm1DA:productID":"","footnotes":""},"categories":[24],"tags":[37194,285,53805,53807,53806],"class_list":["post-54609","post","type-post","status-publish","format-standard","hentry","category-it","tag-axios","tag-cybersecurity","tag-npm","tag-rat","tag-supply-chain-attack"],"featured_image_url":"https:\/\/azat.tv\/wp-content\/uploads\/2026\/03\/code-security-vulnerability.jpg","_embedded":{"wp:featuredmedia":[{"id":-1,"source_url":"https:\/\/azat.tv\/wp-content\/uploads\/2026\/03\/code-security-vulnerability.jpg","media_type":"image","mime_type":"image\/jpeg"}]},"_links":{"self":[{"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/posts\/54609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/comments?post=54609"}],"version-history":[{"count":0,"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/posts\/54609\/revisions"}],"wp:attachment":[{"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/media?parent=54609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/categories?post=54609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/azat.tv\/en\/wp-json\/wp\/v2\/tags?post=54609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}