TL;DR
On March 31, 2026, attackers compromised the primary maintainer’s npm account for Axios, the most popular JavaScript HTTP client with 83 million weekly downloads. They published malicious versions (1.14.1 and 0.30.4) containing a cross-platform RAT that steals credentials, SSH keys, and cloud tokens from developer machines. Downgrade to Axios 1.14.0 immediately, rotate all secrets, and scan for indicators of compromise on your system.
Introduction
Axios processes more HTTP requests than any other JavaScript library. If you’ve built an API client, tested endpoints, or connected a frontend to a backend in the last five years, you’ve probably used it.
On March 31, 2026, at 00:21 UTC, a threat actor published Axios version 1.14.1 through a hijacked maintainer account. The package looked identical to the legitimate release. The diff was surgical: only package.json changed across 86 files. But that single file injected a phantom dependency called plain-crypto-js that deployed a remote access trojan to every machine running npm install.
The malicious versions stayed live for roughly two to three hours before npm pulled them. Two to three hours across 83 million weekly downloads.
This article breaks down how the attack worked, how to detect if your systems are compromised, and what API teams should change about their dependency management going forward.
How the Axios supply chain attack unfolded
The timeline
The attacker executed this operation with precision across an 18-hour window:
- March 30, 05:57 UTC: A clean decoy package
plain-crypto-js@4.2.0was published to npm. Publishing a “clean” version first gave the package a brief history on the registry, making it look less suspicious. - March 30, 23:59 UTC: The malicious version
plain-crypto-js@4.2.1was published, adding apostinstallhook containing the dropper. - March 31, 00:21 UTC:
axios@1.14.1was released using the compromisedjasonsaaymanaccount. - March 31, 01:00 UTC:
axios@0.30.4followed 39 minutes later, targeting projects pinned to the 0.x branch. - March 31, ~03:15 UTC: npm unpublished both Axios versions after community reports.
- March 31, 04:26 UTC: npm published a security-holder stub for
plain-crypto-jsto prevent republishing.
How the account was compromised
The attacker took over the jasonsaayman npm account, the primary Axios maintainer. They changed the registered email to ifstap@proton.me. The key forensic evidence:
- Legitimate Axios releases use GitHub Actions with npm’s OIDC Trusted Publisher mechanism. The malicious versions lacked OIDC binding entirely.
- No
gitHeadfield appeared in the compromised releases, meaning no corresponding GitHub commits existed. - The attacker used stolen long-lived npm access tokens to publish manually instead of going through CI/CD.
This distinction matters. If your organization publishes npm packages, the absence of OIDC binding and CI/CD provenance on a release is a red flag worth automating checks for.
The dependency injection technique
Here’s what made this attack subtle. The attacker didn’t modify Axios source code. They changed one line in package.json to add plain-crypto-js@^4.2.1 as a runtime dependency. This package was never imported anywhere in the Axios codebase. It existed solely to trigger its postinstall hook during npm install.
Binary analysis confirmed the surgical precision: only package.json differed between the clean 1.14.0 release and the compromised 1.14.1 across all 86 files in the package.
What the malicious payload does
The dropper mechanism
The postinstall hook in plain-crypto-js executed a 4.2 KB obfuscated file called setup.js. It used two layers of obfuscation:
- Layer 1: XOR cipher using a key derived from the string
"OrDeR_7077" - Layer 2: Base64 encoding with character reversal
Once decoded, the dropper identified the host operating system and executed platform-specific payloads.
Platform-specific attack paths
macOS:
Writes AppleScript to /tmp/6202033
Executes via osascript
Downloads payload to /Library/Caches/com.apple.act.mond
Windows:
Copies PowerShell to %PROGRAMDATA%\wt.exe (persistence artifact)
Executes VBScript dropper via cscript
Linux:
Downloads Python RAT to /tmp/ld.py
Executes via nohup python3
All three branches contacted a command-and-control server with platform-specific POST bodies:
- macOS:
packages.npm.org/product0 - Windows:
packages.npm.org/product1 - Linux:
packages.npm.org/product2
RAT capabilities
The deployed remote access trojan supports:
- Arbitrary shell command execution
- File system enumeration and exfiltration
- Process listing and injection
- In-memory binary injection (fileless execution)
- 60-second beacon intervals to C2 infrastructure
In plain terms: the attacker gets full remote control of your development machine. They can read your .env files, steal your API keys, copy your SSH keys, and harvest cloud provider tokens.
Anti-forensics: the self-cleaning payload
After executing, the dropper performed three cleanup steps:
- Deleted
setup.jsitself - Deleted the malicious
package.json - Renamed a pre-staged
package.md(reporting version 4.2.0) topackage.json
This created a deception layer where npm list would report version 4.2.0 instead of the 4.2.1 that executed the payload. A developer checking their dependencies after the fact would see nothing wrong.
Who’s behind this attack
Google Threat Intelligence Group attributed the Axios attack to UNC1069, a suspected North Korean threat actor. The macOS malware exhibits “significant overlap” with WAVESHAPER, a C++ backdoor Mandiant tracked in February 2026.
North Korean state-sponsored groups have deep experience with supply chain attacks. They’ve historically used compromised developer tools to steal cryptocurrency, and this operation follows the same playbook: compromise a widely-used developer tool to gain access to credentials and cloud infrastructure across thousands of organizations.
The sophistication level is notable. The two-stage dependency injection, multi-platform RAT deployment, and anti-forensic cleanup all point to a well-resourced operation. This isn’t a script kiddie dropping a cryptominer. It’s an intelligence operation targeting developer workstations.
How to check if you’re affected
Step 1: Check your Axios version
Run this in every project using Axios:
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
If this returns results, your project installed a compromised version.
Step 2: Check for the malicious dependency
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"
Even if the dropper cleaned up after itself, the directory’s existence confirms the payload executed.
Step 3: Check for RAT artifacts on your system
macOS:
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null
Linux:
ls -la /tmp/ld.py 2>/dev/null
Windows (PowerShell):
Test-Path "$env:PROGRAMDATA\wt.exe"
Step 4: Check network indicators
Block and scan for connections to:
- C2 domain:
sfrclak.com - C2 IP:
142.11.206.73 - C2 URL:
http://sfrclak.com:8000/6202033
Step 5: Check CI/CD build logs
Review any CI/CD pipeline runs between March 31 00:21 UTC and 03:15 UTC. Any npm install or npm ci run during this window that resolved Axios could have executed the dropper in your build environment.
Immediate remediation steps
If you find any indicators of compromise, treat the affected system as fully compromised. Here’s the priority list:
1. Downgrade Axios immediately
npm install axios@1.14.0
Or for the 0.x branch:
npm install axios@0.30.3
2. Add version overrides to your package.json
Prevent transitive resolution to malicious versions:
{
"overrides": {
"axios": "1.14.0"
}
}
For Yarn:
{
"resolutions": {
"axios": "1.14.0"
}
}
3. Remove the malicious package
rm -rf node_modules/plain-crypto-js
4. Rotate all credentials
If the dropper executed on your machine, assume the following are compromised:
- npm tokens
- AWS/GCP/Azure credentials
- SSH keys
- GitHub tokens
- API keys in
.envfiles - Database credentials
- Any secrets stored in environment variables
Rotate everything. There’s no way to know what the RAT exfiltrated during its active window.
5. Block C2 at the network level
Add to your hosts file or firewall rules:
echo "0.0.0.0 sfrclak.com" | sudo tee -a /etc/hosts
6. If artifacts are found, rebuild the machine
A RAT with shell execution and file system access can modify anything. If you found artifacts from Step 3, don’t trust the system. Rebuild from a known-good state.
Long-term defenses for API development teams
Use lockfiles and pin exact versions
The Axios attack exploited ^ semver ranges. If your package.json says "axios": "^1.14.0", npm resolves the latest compatible version, which was 1.14.1 during the attack window.
{
"dependencies": {
"axios": "1.14.0"
}
}
Pin exact versions. Always commit your package-lock.json or yarn.lock. Run npm ci instead of npm install in CI/CD to enforce lockfile resolution.
Disable postinstall scripts in CI/CD
The entire attack depended on postinstall hooks executing during npm install. You can disable this:
npm ci --ignore-scripts
This breaks some packages that need native compilation. Test your builds first, then selectively allow scripts for packages that need them using .npmrc:
ignore-scripts=true
Audit dependencies regularly
npm audit
npx socket-security/cli audit
Run these in CI/CD as a gate. Any critical or high vulnerability should block the build.
Reduce your HTTP client dependency surface
Here’s the deeper question this attack raises: why does your API testing workflow depend on a third-party HTTP library that can be compromised?
Apidog provides a built-in HTTP client for API testing, debugging, and documentation. You don’t need Axios, node-fetch, or got in your testing stack. The HTTP client is part of the platform, with no third-party dependencies to compromise.
For API testing specifically, moving your HTTP requests into Apidog eliminates the entire attack surface:
- API testing: Use Apidog’s visual test builder instead of writing Axios-based test scripts
- API debugging: Use Apidog’s built-in request inspector instead of custom HTTP client code
- Mock servers: Use Apidog’s smart mock instead of building mock endpoints with Express + Axios
- CI/CD integration: Use Apidog CLI for automated API tests without npm HTTP dependencies
Try Apidog free to see how removing HTTP library dependencies from your API workflow reduces your supply chain risk.
Verify package provenance
npm now supports package provenance through Sigstore. Check if packages you depend on use this:
npm audit signatures
The malicious Axios versions lacked OIDC provenance. Legitimate releases from CI/CD pipelines include cryptographic attestation of their build origin. If a new version appears without provenance, treat it with suspicion.
What this means for the JavaScript ecosystem
The trust model is broken
npm’s trust model depends on maintainer account security. A single compromised credential gives an attacker control over a package that 83 million projects install every week. Two-factor authentication helps, but long-lived access tokens can still be stolen from compromised development environments.
The community is discussing several structural changes:
- Mandatory OIDC publishing: Require all packages above a download threshold to use CI/CD-based publishing with OIDC tokens instead of long-lived credentials.
- Two-person release approval: Require a second maintainer to approve releases for critical packages.
- Runtime permission scoping: Limit what
postinstallscripts can access, similar to Deno’s permission model.
Supply chain attacks aren’t slowing down
This attack hit within days of the RubyGems fracture incident and ongoing PyPI dependency concerns. Package registries across every language ecosystem are under sustained attack. API developers need to think about their dependency tree as an attack surface, not a convenience.
The Reddit discussion captured the sentiment well: “NPM is the biggest weakness of the internet today and it will still cause a giant catastrophe.” Whether or not you agree with the hyperbole, the Axios attack demonstrates the blast radius is real.
Comparison: HTTP client dependency approaches
| Approach | Supply chain risk | Maintenance burden | Testing capability |
|---|---|---|---|
| Axios + custom scripts | High (third-party dependency) | High (version management) | Manual setup required |
| Node.js native fetch | Low (built into runtime) | Low | Limited testing features |
| Apidog built-in client | None (no npm dependency) | None (platform-managed) | Full testing, mocking, docs |
| curl/httpie scripts | Low (system-level tool) | Medium | Limited automation |
FAQ
Is Axios safe to use now?
Yes. Versions 1.14.0 and 0.30.3 are clean. The compromised versions (1.14.1 and 0.30.4) were unpublished within approximately three hours. Verify your installed version with npm list axios and check your lockfile to confirm you’re on a safe version.
How do I know if the RAT ran on my machine?
Check for platform-specific artifacts: /Library/Caches/com.apple.act.mond on macOS, /tmp/ld.py on Linux, or %PROGRAMDATA%\wt.exe on Windows. Also check if node_modules/plain-crypto-js exists in any of your projects. The dropper cleans up after itself, so absence of artifacts doesn’t guarantee you’re safe if you installed the compromised version.
Should I stop using Axios entirely?
Not necessarily. Axios remains a well-maintained library with a strong track record. But this attack should prompt you to evaluate whether you need a third-party HTTP client at all. Node.js 18+ includes native fetch. For API testing, platforms like Apidog provide built-in HTTP clients that eliminate this dependency.
How can I prevent supply chain attacks in my projects?
Pin exact dependency versions, commit lockfiles, run npm ci --ignore-scripts in CI/CD, audit dependencies regularly, verify package provenance with npm audit signatures, and minimize your dependency tree. Consider moving API testing workflows into integrated platforms that don’t rely on npm packages for HTTP communication.
Was this attack related to the Claude Code source leak?
Both events happened on the same day (March 31, 2026), but they’re unrelated. The Axios attack was a deliberate supply chain compromise by a state-sponsored threat actor. The Claude Code leak resulted from a Bun build tool bug that shipped source maps in production. The coincidental timing has fueled discussion about npm registry security overall.
Who was behind the Axios attack?
Google Threat Intelligence Group attributed the attack to UNC1069, a suspected North Korean threat actor. The macOS malware shares significant overlap with WAVESHAPER, a backdoor tracked by Mandiant. North Korean groups have extensive experience with supply chain attacks, typically targeting developer credentials and cryptocurrency infrastructure.
How many developers were affected?
The malicious versions were live for approximately two to three hours. With 83 million weekly downloads, the potential exposure is significant. npm hasn’t published official impact numbers. StepSecurity’s runtime detection confirmed the dropper contacted C2 within 1.1 seconds of npm install starting, before dependency resolution completed.
Can Apidog help prevent supply chain attacks?
Apidog eliminates one major attack vector by providing a built-in HTTP client for API testing, debugging, and documentation. You don’t need to install Axios, node-fetch, or other HTTP libraries in your testing workflow. This reduces your npm dependency surface and removes the risk of compromised HTTP client packages affecting your API development process.
Key takeaways
- The Axios supply chain attack compromised 83M+ weekly downloads through a single stolen maintainer account
- The RAT targets all platforms (macOS, Windows, Linux) and steals credentials, SSH keys, and cloud tokens
- Check your systems immediately using the detection steps above
- Pin exact dependency versions and disable postinstall scripts in CI/CD
- Reduce your HTTP client dependency surface by using built-in tools like Apidog for API testing
- Package registry security is a systemic problem affecting npm, PyPI, and RubyGems
The Axios attack is a wake-up call. Every dependency in your node_modules is a trust decision. Make sure you’re making those decisions deliberately, not by default.
