Axios NPM Supply Chain Attack - Malicious Releases Detected

In short: an attacker took over the account used to publish a package that many developers rely on, and used it to ship malware to anyone who installed the poisoned versions.
A supply chain attack compromised the npm account of an axios maintainer, leading to two malicious releases. Because axios is so widely installed, the incident touches a large number of build and runtime environments and warrants an immediate audit of where the affected versions were pulled in. Treat any environment that installed them as potentially compromised.
The Threat
On March 31, 2026, a significant supply chain attack was reported involving the npm account of an axios maintainer. An unknown threat actor compromised this account and published two malicious versions of the axios package, v1.14.1 and v0.30.4. Both versions added a dependency on a trojanized package named plain-crypto-js. Although the malicious versions were removed shortly after publication, axios is so widely used (the report puts it in about 80% of cloud and code environments) that exposure was broad; the same report indicates that the compromised versions actually executed in roughly 3% of affected environments.
The malicious releases delivered a dropper script that downloaded and executed platform-specific payloads from a command-and-control (C2) server. The attack illustrates the central weakness of software supply chains: a single compromised maintainer account is enough to push code into every organization that pulls the package.
Who's Behind It
The attack was carried out by an as-yet unidentified threat actor who gained access to the maintainer's npm account and used it to publish the malicious versions, which spread quickly because of the package's popularity. The payloads were tailored to the operating system, with distinct implementations for macOS, Windows, and Linux, each designed to establish remote access and execute commands received from the C2 server.
Targeting a package as widely used as axios is a common tactic in supply chain attacks: the attacker gets maximum reach from a single compromise. Hiding the malicious logic in a newly added dependency rather than in axios itself further complicates detection, since the code does not appear in the axios package and the extra package can pass as part of a routine dependency update.
Tactics & Techniques
The malicious axios releases added a dependency on plain-crypto-js, which acted as the trojan: its dropper fetched an additional payload tailored to the host operating system. The macOS payload was a compiled binary capable of self-signing, the Windows variant was a PowerShell script that established persistence, and the Linux payload was delivered as a Python script.
Organizations that installed these versions should assume the dropper may have run. The payloads did not only execute commands: they beaconed to the C2 server every 60 seconds, transmitting system information and waiting for further instructions. Any host that executed the payload should therefore be treated as attacker-controlled until it has been investigated; left unaddressed, that channel is all an attacker needs to steal credentials and data.
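The fixed 60-second check-in described above is something a network defender can hunt for without knowing the C2 address, which this write-up does not give. The following is an added example, not tooling from the advisory or the axios project: it groups outbound connection records by source/destination pair and flags pairs whose inter-connection intervals are nearly constant, which is how periodic beaconing stands out against bursty human or build traffic. The records, the host names, and the destination `c2.example.invalid` are constructed placeholders, not real indicators. It also covers the "monitor for suspicious activity" step in the defensive measures below.

```javascript
// Added example (not the advisory's tooling): detect fixed-interval beaconing in
// outbound connection records by looking at the jitter of inter-connection gaps.
// A record is { ts: <epoch seconds>, src: <host>, dst: <host:port> }.

function detectBeacons(records, { minConnections = 5, maxJitterRatio = 0.1 } = {}) {
  // Group timestamps by source -> destination pair.
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.src}->${r.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.ts);
  }

  const beacons = [];
  for (const [key, times] of byPair) {
    // Too few connections: not enough evidence of a schedule.
    if (times.length < minConnections) continue;
    times.sort((a, b) => a - b);

    // Gaps between consecutive connections; a beacon keeps these nearly equal.
    const deltas = [];
    for (let i = 1; i < times.length; i++) deltas.push(times[i] - times[i - 1]);
    const sorted = [...deltas].sort((a, b) => a - b);
    const median = sorted[Math.floor(sorted.length / 2)];
    // Worst-case deviation from the median gap, relative to the gap itself.
    const maxDeviation = Math.max(...deltas.map((d) => Math.abs(d - median)));

    if (median > 0 && maxDeviation / median <= maxJitterRatio) {
      const [src, dst] = key.split('->');
      beacons.push({ src, dst, connections: times.length, intervalSeconds: median });
    }
  }
  return beacons;
}

// Constructed sample traffic. The destination c2.example.invalid is a placeholder,
// not a real indicator from the incident.
const SAMPLE_CONNECTIONS = [];

// A developer laptop checking in every 60 s with +/-1 s of deterministic jitter.
const jitter = [0, 1, -1, 0, 1, 0, -1, 1, 0, 0, -1, 1];
let t = 1700000000;
for (let i = 0; i < jitter.length; i++) {
  t += i === 0 ? 0 : 60 + jitter[i];
  SAMPLE_CONNECTIONS.push({ ts: t, src: 'dev-laptop-07', dst: 'c2.example.invalid:443' });
}

// Legitimate, bursty traffic from the same laptop: enough connections to be
// considered, but irregular gaps (1, 0, 126, 1, 459 s) rule it out.
for (const ts of [1700000003, 1700000004, 1700000004, 1700000130, 1700000131, 1700000590]) {
  SAMPLE_CONNECTIONS.push({ ts, src: 'dev-laptop-07', dst: 'registry.npmjs.org:443' });
}

// A build agent with only three perfectly spaced connections: below minConnections,
// so it is not reported even though the gaps are identical.
for (const ts of [1700000000, 1700000060, 1700000120]) {
  SAMPLE_CONNECTIONS.push({ ts, src: 'build-agent-02', dst: 'c2.example.invalid:443' });
}

console.log(detectBeacons(SAMPLE_CONNECTIONS));
```

The detector makes no assumption about the 60-second period the advisory reports; it would flag any steady interval. That is deliberate, because the period is easy for an attacker to change, but it also means legitimate agents with fixed schedules (update checkers, telemetry, monitoring probes) will surface. Maintain an allow-list of known destinations and correlate hits with the process that opened the connection before treating them as confirmed.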
Defensive Measures
Organizations are urged to act immediately. Key steps to mitigate the risk:
- Audit axios usage: Check lockfiles, node_modules trees, build caches, and container images for axios 1.14.1 or 0.30.4 and for the plain-crypto-js package, and determine whether the code was merely resolved or actually installed and run. Remove the malicious artifacts and reinstall a known-good version.
- Rotate exposed credentials: If there is any indication the payload executed, assume every secret reachable from that host (npm tokens, cloud keys, SSH keys, CI secrets) was captured. Scan for secrets and rotate them.
- Investigate compromise paths: Review build pipelines and developer machines that installed the versions for signs of persistence and unauthorized access, and check which credentials on those hosts could have been used to pivot further.
- Monitor for suspicious activity: Look for periodic outbound connections consistent with the 60-second beacon, block the reported C2 infrastructure, and review endpoint logs for the payload types described above (a PowerShell script on Windows, a Python script on Linux, a self-signed binary on macOS).
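For the audit step, as an added example (not the advisory's or the axios project's own tooling): a Node.js function that scans a parsed package-lock.json for the two malicious axios releases named above and for plain-crypto-js wherever it appears, handling both the lockfileVersion 1 "dependencies" tree and the lockfileVersion 2/3 "packages" map, so a nested copy installed under another dependency is not missed. The two lockfiles embedded below are constructed samples, and the plain-crypto-js version in them is a placeholder.

```javascript
// Added example (not the advisory's tooling): scan a parsed npm lockfile for the
// malicious axios releases and the trojanized dependency they pulled in.

const MALICIOUS_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);
const TROJANIZED_DEPENDENCY = 'plain-crypto-js';

// lockfileVersion 2/3: "packages" is keyed by install path, e.g.
// "node_modules/axios" or "node_modules/legacy-lib/node_modules/axios".
// The package name is everything after the last "node_modules/", which keeps
// scoped names such as "@scope/name" intact.
function* walkPackages(packages) {
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // root project entry, not a dependency
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    yield { name, version: meta.version, path };
  }
}

// lockfileVersion 1: "dependencies" is a tree; nested copies live under the
// parent's own "dependencies" key.
function* walkDependencies(deps, parentPath) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    yield { name, version: meta.version, path };
    if (meta.dependencies) yield* walkDependencies(meta.dependencies, `${path}/`);
  }
}

// Returns one finding per offending entry. Every copy of plain-crypto-js is
// flagged regardless of which package pulled it in, because only the malicious
// axios releases introduced that dependency.
function auditLockfile(lockfile) {
  const entries = lockfile.packages
    ? walkPackages(lockfile.packages)
    : walkDependencies(lockfile.dependencies, '');
  const findings = [];
  for (const entry of entries) {
    if (entry.name === 'axios' && MALICIOUS_AXIOS_VERSIONS.has(entry.version)) {
      findings.push({ kind: 'malicious-axios', ...entry });
    }
    if (entry.name === TROJANIZED_DEPENDENCY) {
      findings.push({ kind: 'trojanized-dependency', ...entry });
    }
  }
  return findings;
}

// Constructed sample: a v3 lockfile with a direct malicious axios plus a clean
// nested copy under another dependency. The plain-crypto-js version is a placeholder.
const SAMPLE_LOCKFILE_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0', 'legacy-lib': '1.0.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder' },
    'node_modules/legacy-lib': { version: '1.0.0', dependencies: { axios: '^0.30.0' } },
    'node_modules/legacy-lib/node_modules/axios': { version: '0.30.3' },
  },
};

// Constructed sample: a v1 lockfile where the only bad copy is nested under
// another package, which a top-level-only check would miss.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-lib': {
      version: '1.0.0',
      dependencies: { axios: { version: '0.30.4' } },
    },
  },
};

function runSamples() {
  return {
    v3: auditLockfile(SAMPLE_LOCKFILE_V3),
    v1: auditLockfile(SAMPLE_LOCKFILE_V1),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

To run this against a real project, read package-lock.json (or npm-shrinkwrap.json) from disk, pass the result of JSON.parse to auditLockfile, and repeat for every lockfile in the repository, including those in nested workspaces. A lockfile only records what was resolved when it was last written: a developer who ran npm install during the window and never committed the result, or a CI job that installed without a lockfile, leaves no trace here. For those cases, compare the installed version in node_modules/axios/package.json (npm ls axios shows it), and check the npm cache and any container images built during the window.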
By implementing these measures, organizations can better protect themselves against similar supply chain attacks in the future.