Supply Chain Attack - axios npm Package Compromised
Significant risk: action recommended within 24-48 hours
Basically, hackers took over a popular software package to install malware on many computers.
A supply chain attack has compromised the axios npm package, affecting over 100 devices. This incident raises major security concerns as attackers delivered a Remote Access Trojan. Organizations must act quickly to audit and secure their systems.
What Happened
On March 31, 2026, a significant supply chain attack targeted the widely used axios npm package. An attacker compromised the npm credentials of the lead maintainer, allowing them to publish two malicious versions: axios@1.14.1 and axios@0.30.4. These versions included a hidden dependency, plain-crypto-js@4.2.1, which executed a Remote Access Trojan (RAT) upon installation. This attack impacted countless systems, as axios is integral to many JavaScript applications.
Who's Affected
The attack potentially affected any environment that executed npm install for the compromised versions during a critical three-hour window. Huntress observed at least 135 endpoints across various operating systems contacting the attacker's command-and-control infrastructure. Given axios's popularity, the number of impacted users could be much higher.
How It Works
The malicious package introduced a post-install script that triggered the RAT installation without user interaction. The RAT targeted macOS, Windows, and Linux systems, allowing attackers to gain control over compromised devices. The attack was executed in a highly coordinated manner, with the malicious versions published during off-peak hours to minimize detection.
Signs of Infection
Indicators of compromise include unusual network activity, especially connections to the domains associated with the attack. Systems that installed the affected axios versions may exhibit signs of unauthorized access or data exfiltration. Users should be vigilant for unexpected behavior on their machines.
How to Protect Yourself
Organizations must audit their dependencies and check for installations of axios@1.14.1 or axios@0.30.4. If found, treat those systems as compromised. Key remediation steps include:
- Rotate all credentials used on affected systems.
- Rebuild compromised systems to eliminate any remnants of the RAT.
- Monitor network traffic for any unusual connections.
- Educate teams about secure coding practices and dependency management.
Conclusion
This incident highlights the vulnerabilities inherent in supply chain management for software development. As attackers increasingly target popular libraries, developers must prioritize security and remain vigilant against such threats. The axios npm attack serves as a critical reminder of the need for robust security measures in the open-source ecosystem.
How to Check If You're Affected
1. Audit your npm dependencies for axios@1.14.1 or axios@0.30.4.
2. Monitor network traffic for connections to known malicious domains.
3. Check for unusual processes or scripts running on affected systems.
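As an added example (not code from the advisory or the axios project), the following Node script performs the dependency audit from step 1 against a package-lock.json, flagging the two axios versions and the plain-crypto-js version named above; the embedded lockfile and the file name check-lock.js are constructed for illustration.

```javascript
// Added example, not from the advisory or the axios project: flag the versions named
// above in a package-lock.json (lockfileVersion 2/3 "packages" map, or the nested
// "dependencies" tree of lockfileVersion 1).
const COMPROMISED = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
  ['plain-crypto-js', new Set(['4.2.1'])],
]);

// Returns [{ name, version, where }] for every installed copy of a compromised version.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (COMPROMISED.get(name)?.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === '') continue; // root project entry, not a dependency
      // "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
      const name = lockPath.slice(lockPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
      check(name, entry.version, lockPath);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, entry.version, where);
      walk(entry.dependencies, `${where}/`); // nested copies that npm could not dedupe
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not a real project): axios@1.14.1 pulling in plain-crypto-js@4.2.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};
// Usage: node check-lock.js [path/to/package-lock.json]; without a path, scans the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
}
```

Any hit means the lockfile resolved to a compromised version at some point, so the host that ran the install should be treated as compromised per the remediation steps above.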
MITRE ATT&CK Techniques
Pro insight: This incident underscores the risks of supply chain vulnerabilities in open-source dependencies, necessitating stricter security protocols for package management.