The Axios npm Supply Chain Attack: What Happened, Who Did It, and How to Stay Safe

On March 30–31, 2026, the JavaScript developer community was rocked by one of the most significant npm supply chain attacks in recent memory. The target: Axios, one of the most widely used HTTP client libraries in the entire JavaScript ecosystem — a package downloaded over 100 million times per week and present in an estimated 80% of cloud and production environments worldwide.

The attack was swift, surgical, and devastating in its potential. Within a three-hour window, compromised versions of Axios were live on the npm registry, silently installing a cross-platform Remote Access Trojan (RAT) on the machines of unsuspecting developers, CI/CD systems, and production servers. Understanding exactly how it happened — and what it means for your development workflow — is not optional. It is critical.

What Is Axios and Why Does It Matter?

Before diving into the attack mechanics, it's worth appreciating exactly how deeply embedded Axios is in the modern JavaScript world. Axios is a promise-based HTTP client that works both in the browser and in Node.js environments. It simplifies web requests — things like fetching data from an API or submitting a form — saving developers from writing verbose low-level networking code.

Because of its reliability and ease of use, Axios has become a foundational dependency across the ecosystem. It is embedded in React, Vue, and Angular applications, mobile apps built with React Native, desktop apps using Electron, CI/CD pipelines, and backend services powering everything from startups to enterprise infrastructure. If you are a JavaScript developer, there is a very good chance Axios is somewhere in your dependency tree — even if you have never explicitly installed it yourself.

How the Attack Was Staged

What makes this attack particularly sophisticated is its careful pre-staging. The attacker did not simply inject malicious code overnight. The operation was planned over multiple days with deliberate operational discipline.

On March 30, 2026, using a throwaway ProtonMail address, the attacker created a new npm account and published a package called plain-crypto-js — designed to look like a legitimate crypto utility library, mimicking the well-known crypto-js standards package. The attacker first published a clean version (plain-crypto-js@4.2.0) to build a short but real package history on the npm registry, lending it an air of legitimacy before the malicious payload.

The attacker then published plain-crypto-js@4.2.1 — the actual payload delivery vehicle. This version contained a critical postinstall hook: a script called setup.js that executes automatically the moment the package is installed via npm install. No user interaction required. No warning. No prompt.

Hijacking the Maintainer Account

The second and more damaging phase of the attack was gaining control of the Axios npm publishing credentials. The attacker compromised the npm and GitHub account of jasonsaayman, the primary lead maintainer of the Axios project. The attacker then changed the registered account email to another ProtonMail address, effectively locking the rightful owner out of his own project.

A critical misconfiguration made this possible at scale. Even though the Axios v1.x branch had OIDC Trusted Publishing configured via GitHub Actions, the publish workflow still passed an NPM_TOKEN environment variable alongside the OIDC credentials. When both are present, npm defaults to using the long-lived token — rendering the OIDC setup irrelevant as a protection. The maintainer himself later stated publicly that he had MFA enabled on practically everything, underlining how targeted and credential-focused this intrusion was, and how token hygiene matters independently of MFA.

💡 Pro tip: Even with MFA and OIDC Trusted Publishing enabled, long-lived npm tokens stored as environment variables can silently override your entire security configuration. Audit all active npm tokens in your account settings today, revoke any that are unused or don't have a clearly defined scope, and switch to short-lived tokens with minimal publish permissions wherever possible.

The Poisoned Releases

In the early hours of March 31, 2026 UTC, using the hijacked maintainer account, the attacker published two backdoored versions of Axios in rapid succession:

axios@1.14.1 — Tagged as latest, meaning any developer or pipeline running npm install axios without an explicit pinned version would receive this malicious build automatically.
axios@0.30.4 — Tagged as legacy, targeting projects still running on the older 0.x API branch and ensuring no legacy codebase was left out of the blast radius.

By poisoning both the latest and legacy dist-tags simultaneously, the attacker maximized exposure across the entire Axios user base in a single operation. Neither malicious version appeared on the official Axios GitHub repository tags, making the compromise invisible to anyone monitoring source code but not the npm registry itself.

Both versions injected plain-crypto-js@4.2.1 as a new dependency — a package that appears nowhere in the actual Axios source code, making it purely a vehicle for executing the malicious postinstall hook.

The Attack Chain: From npm Install to Full Compromise

The delivery mechanism was elegant in its simplicity and terrifying in its speed. When a developer or automated CI/CD system ran npm install axios@1.14.1, npm resolved the dependency tree and automatically installed plain-crypto-js@4.2.1. npm then executed the package's postinstall script — setup.js — without any user confirmation required.

setup.js acted as an obfuscated dropper. It contacted the attacker's command-and-control (C2) server at sfrclak[.]com:8000 and downloaded a platform-specific second-stage payload. The attack then branched into three parallel paths depending on the operating system of the victim:

Windows: A native Windows RAT implant was downloaded and executed, establishing persistence and beginning immediate system reconnaissance.
macOS: A macOS-specific variant of the same RAT was deployed with an identical C2 protocol and command structure.
Linux: A Linux-native implementation targeted developer workstations, cloud VMs, containers, and CI runners operating on Linux distributions.

Researchers at Elastic Security Labs noted what made this particularly alarming: these were not three separate tools cobbled together. They represented a single unified cross-platform RAT framework — identified by Google's Threat Intelligence Group as WAVESHAPER.V2 — with platform-native implementations sharing a common C2 protocol, command set, and beacon behavior. This is the hallmark of a professional, well-resourced threat actor.

Once installed, the RAT performed immediate system reconnaissance: enumerating user directories, filesystem drive roots, and running processes. It then harvested and exfiltrated cloud access keys (AWS, GCP, Azure), database passwords, API tokens, npm publishing tokens, SSH private keys, Kubernetes config files, and CI/CD pipeline secrets — essentially anything a developer's machine or build environment might hold.

Perhaps most chillingly: the dropper cleaned up after itself. After installing the RAT, it removed setup.js entirely and replaced plain-crypto-js/package.json with a completely clean decoy manifest. Running npm audit or manually inspecting node_modules after the fact revealed absolutely nothing suspicious. The entire process, from running npm install to full system compromise, took approximately 15 seconds.

Who Is Behind the Attack?

Google's Threat Intelligence Group (GTIG) has formally attributed this attack to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018. Attribution is based on the deployment of WAVESHAPER.V2 — an evolved version of a backdoor previously linked exclusively to this group — combined with overlapping infrastructure artifacts from past UNC1069 operations.

The attack also comes in the context of a broader wave of supply chain compromises. Between March 19 and March 27, 2026, a related group called TeamPCP (UNC6780) hit four widely used open-source projects in rapid succession: the Trivy vulnerability scanner, the KICS infrastructure-as-code scanner, the LiteLLM AI proxy library on PyPI, and the Telnyx communications library on PyPI. In each case, harvested cloud credentials and CI/CD secrets were validated within hours using TruffleHog.

The absence of ransomware or cryptocurrency mining payloads in the Axios attack leads researchers to classify this as espionage and APT-grade activity — though the hundreds of thousands of stolen secrets now potentially in circulation could enable ransomware, SaaS environment compromises, and cryptocurrency theft as downstream consequences over the coming weeks and months.

The Exposure Window and Real-World Impact

The malicious versions were live on the npm registry for approximately two to three hours — from 00:21 UTC to approximately 03:20 UTC on March 31, 2026 — before detection and removal. Elastic Security Labs filed a GitHub Security Advisory at 01:50 AM UTC and publicly shared early findings to help defenders respond in real time.

Even in that narrow window, the impact was significant. Security firm Huntress observed at least 135 compromised endpoints across all operating systems within its partner base alone. Wiz researchers noted that the malicious versions executed in roughly 3% of affected environments. The blast radius extended well beyond direct Axios users: because Axios is a transitive dependency of countless other packages, the infection propagated through any package that depended on Axios — including WordPress build tooling, Datadog agents, and deep layers of enterprise CI/CD workflows.

Are You Affected? How to Check

If you or your CI/CD system ran npm install between 00:21 and 03:20 UTC on March 31, 2026, treat your environment as potentially compromised until proven otherwise. Use these steps to audit:

Check your package-lock.json or yarn.lock for references to axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1.
Search all node_modules directories and lockfiles for any occurrence of plain-crypto-js — even if the package.json now appears clean, the RAT may already have been executed and persisted independently of npm.
Review network logs, firewall records, and endpoint detection tooling for outbound connections to sfrclak[.]com.
Safe versions to pin to: axios@1.14.0 (last legitimate 1.x release with SLSA provenance) and axios@0.30.3 (last legitimate legacy release).
If compromise is confirmed: isolate the machine from the network immediately, rotate ALL secrets present on that system — AWS keys, GitHub tokens, npm tokens, database credentials, SSH keys — and begin a full incident response process.

How to Harden Your Supply Chain Going Forward

The Axios attack is a forcing function for better open-source dependency security practices. These are the concrete steps every JavaScript developer and engineering team should implement today:

Pin your dependencies: Use exact version pinning in package-lock.json or yarn.lock and always commit those files to version control. Never run npm install without a lockfile in CI.
Use --ignore-scripts in CI: Running npm install --ignore-scripts in your CI/CD pipelines prevents postinstall hooks from executing automatically, neutralizing the primary delivery mechanism used in this attack.
Monitor for unexpected new dependencies: Any update that introduces a new transitive dependency should be reviewed before merging. Tools like Socket Security and StepSecurity can flag anomalous postinstall behavior automatically.
Adopt SLSA provenance verification: The last legitimate axios@1.14.0 release shipped with SLSA provenance. Use tooling that verifies build provenance before a package is consumed in your pipeline.
Use a private npm proxy: Tools like Artifactory, Verdaccio, or GitHub Packages let you cache and serve only approved package versions, preventing your CI from pulling a freshly poisoned release from the public registry.
Rotate tokens regularly and minimize scope: Long-lived, high-privilege npm publish tokens are exactly what state-sponsored attackers target. Rotate them on a schedule, revoke any that are not in active use, and use the minimum required permissions.

Final Thoughts

The Axios supply chain attack is a watershed moment for JavaScript security. A package present in 80% of cloud environments with over 100 million weekly downloads was turned into a weapon — and in a three-hour window, hundreds of developer machines, CI/CD pipelines, and production systems were silently compromised by a cross-platform RAT attributed to a North Korea-linked state actor.

The lesson is unambiguous: trust in the npm registry cannot remain implicit. Every dependency is a potential attack surface. Every maintainer account is a high-value target. The developers and organizations that treated lockfiles, install script restrictions, and dependency monitoring as optional extras are now learning exactly why those controls exist.

Update your Axios version, audit your lockfiles, rotate your credentials, and implement supply chain hardening today — not when the next package gets hit.