Threat Intel · Severity: HIGH

Supply Chain Attack - Axios npm Package Compromised

Source: Arctic Wolf Blog

Tags: Axios, npm, supply chain attack, remote access trojan, plain-crypto-js

In short: attackers used a compromised maintainer account to publish malicious versions of a popular software library, turning it into a malware delivery channel.

Quick Summary

A major supply chain attack has compromised the Axios npm package, affecting millions of applications. Users are at risk due to malicious versions published in a short time frame. Immediate action is needed to secure systems and prevent exploitation.

What Happened

On March 31, 2026, the widely used Axios npm package was compromised in a supply chain attack. This JavaScript library, essential for making HTTP/S requests, is included as a dependency in millions of applications. Between approximately 00:21 and 03:30 UTC, attackers published malicious versions (axios@1.14.1 and axios@0.30.4) using a compromised maintainer account. These versions included a harmful dependency, plain-crypto-js@4.2.1, which contained a postinstall script functioning as a remote access trojan (RAT).

Once installed, the script executed automatically, connecting to a command-and-control server to deploy malicious payloads on various operating systems, including macOS, Windows, and Linux. The attackers had pre-staged their efforts by creating a throwaway npm account and publishing a decoy package to lend credibility to their malicious versions.

Who's Affected

The impact of this attack is extensive due to the popularity of the Axios library. Organizations that utilize npm packages in their CI/CD pipelines may have inadvertently pulled these malicious versions into their build environments during the three-hour window. Even systems that did not directly install Axios could be affected if other packages depended on the compromised versions, highlighting a significant downstream risk across the modern JavaScript ecosystem. This incident follows closely on the heels of the recent TeamPCP supply chain campaign, although there is currently no evidence linking the two events.

Tactics & Techniques

The attackers employed a multi-step approach to execute their plan. They created a legitimate-looking decoy package to mask their malicious intent, which allowed them to publish the harmful versions without raising immediate suspicion. The use of a remote access trojan indicates a sophisticated level of planning, as it allows attackers to maintain control over compromised systems. This method of attack underscores the vulnerabilities inherent in software supply chains, where a single compromised package can have far-reaching implications.

Defensive Measures

To mitigate the risks associated with this incident, organizations should take immediate action. First, revert to known safe versions of Axios: axios@1.14.0 for 1.x users or axios@0.30.3 for 0.x users. Ensure that all packages are sourced from the official npm registry and verify their integrity using npm's built-in package hashes. Additionally, clear caches, lockfiles, and any CI/CD artifacts that may have pulled the malicious versions, followed by a complete reinstallation of dependencies in a clean environment.

Lastly, all credentials that may have been exposed during this compromise should be rotated immediately. By taking these steps, organizations can significantly reduce their exposure to this threat and enhance their overall security posture.
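One way to check whether a project pulled in the versions named above, as an added example that is not part of the Arctic Wolf post: scan a `package-lock.json` (lockfile v2/v3 `packages` map, where npm records `hasInstallScript` for packages with install hooks) for the compromised axios and plain-crypto-js versions, including copies nested under other dependencies. The sample lockfile is constructed for the demonstration.

```javascript
// Added example, not from the original article: find the advisory's known-bad
// versions anywhere in an npm lockfile, including transitive (nested) copies.
const BAD_VERSIONS = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// "node_modules/foo/node_modules/axios" -> "axios"; scoped names keep "@scope/name".
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns every lockfile entry whose name/version pair is on the bad list,
// plus whether npm recorded an install script for it (the RAT ran via postinstall).
function findCompromised(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    const bad = BAD_VERSIONS[name];
    if (bad && bad.has(meta.version)) {
      hits.push({
        path: lockPath,
        name,
        version: meta.version,
        hasInstallScript: Boolean(meta.hasInstallScript),
      });
    }
  }
  return hits;
}

// Constructed sample: a safe direct axios, a compromised axios nested under
// another dependency, and the plain-crypto-js dependency it drags in.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/some-lib": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-lib/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.name}@${h.version} (install script: ${h.hasInstallScript})`);
}
```

A non-empty result means the lockfile, cache and any CI artifacts built from it should be treated as contaminated and rebuilt from the safe versions.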

🔒 Pro insight: This incident highlights the critical need for robust supply chain security measures, especially for widely used libraries in development environments.

Original article from the Arctic Wolf Blog, by Andres Ramos.
