If you installed axios@1.14.1 or axios@0.30.4 between March 31 00:21 UTC and 03:15 UTC, your system may be compromised. Check for the file-system artifacts listed below and rotate all credentials on affected machines immediately.
What Happened
On March 31, 2026, attackers published two malicious versions of the axios npm package: 1.14.1 (tagged latest) and 0.30.4 (tagged legacy). Both versions introduced a new dependency on plain-crypto-js, a purpose-built malicious package that served as a cross-platform RAT dropper.
The attack was made possible by compromising the npm credentials of jasonsaayman, the lead axios maintainer, through a sophisticated social engineering campaign. The attacker impersonated a company founder, lured the maintainer into a fake Slack workspace, moved the conversation to a Microsoft Teams call with multiple apparent participants, and then prompted him to install what appeared to be a missing Teams component. That component was malware that gave the attacker full control of his machine, including npm authentication tokens, bypassing 2FA entirely.
Axios has roughly 100 million weekly downloads and 174,000 dependent npm packages, making this one of the highest-impact supply chain compromises in npm history. The malicious versions were live for approximately 3 hours before removal.
The malicious code was not in axios itself. It was hidden inside a transitive dependency (plain-crypto-js) that executed via a postinstall hook. CVE-based scanners had no advisory to match against. Only behavioral analysis of install scripts and dependency injection patterns could catch this in real time.
Timeline of Events
- ~2 weeks before Mar 31: Social engineering campaign targeting maintainer jasonsaayman begins. Attacker impersonates a company founder via a cloned identity.
- Mar 30, 05:57 UTC: plain-crypto-js@4.2.0 published to npm. Clean version, building registry history to appear legitimate.
- Mar 30, 23:59 UTC: plain-crypto-js@4.2.1 published with the malicious postinstall RAT dropper in setup.js.
- Mar 31, 00:05 UTC: Socket automated detection flags plain-crypto-js as malicious, 6 minutes after publish.
- Mar 31, 00:21 UTC: axios@1.14.1 published, tagged latest, with plain-crypto-js@^4.2.1 as a dependency.
- Mar 31, ~01:00 UTC: axios@0.30.4 published, tagged legacy, with the same malicious dependency. Community members begin filing GitHub Issue #10604.
- Mar 31, 01:38 UTC: Axios collaborator DigitalBrainJS opens a deprecation PR to flag the compromised versions.
- Mar 31, 03:15 UTC: Malicious axios versions removed from npm. Total exposure window: ~3 hours.
- Mar 31, 03:29 UTC: plain-crypto-js removed from the npm registry.
- Apr 1: Microsoft Threat Intelligence publishes an attribution blog linking the attack to Sapphire Sleet (North Korean state actor).
- Apr 20: CISA issues a formal advisory on the axios supply chain compromise.
The Payload: Cross-Platform RAT
The plain-crypto-js package contained a single postinstall hook that ran setup.js. The dropper used reversed Base64 encoding with padding character substitution and XOR encryption (key: OrDeR_7077) to evade static analysis. After execution, it deleted itself and replaced its own package.json with a clean version to evade forensic examination.
The dropper identified the target operating system and fetched a platform-specific second-stage payload from the C2 server:
macOS
Payload dropped to /Library/Caches/com.apple.act.mond, disguised as an Apple daemon. This was WAVESHAPER, a Mach-O binary RAT that uses AppleScript for execution. It beacons to C2 every 60 seconds and supports code injection, shell commands, filesystem enumeration, and process termination.
Windows
A VBScript downloader (system.bat) copies PowerShell to C:\ProgramData\wt.exe. The PowerShell RAT establishes registry persistence at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate and beacons to C2 for command-and-control instructions.
Linux
A Python RAT deployed to /tmp/ld.py and spawned as an orphaned background process to survive session termination.
Indicators of Compromise
RAT Payload Hashes
| Platform | SHA-256 | Context |
|---|---|---|
| macOS | 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a | WAVESHAPER (com.apple.act.mond) |
| Windows | 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 | PowerShell RAT (6202033.ps1) |
| Linux | fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | Python RAT (ld.py) |
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| C2 Domain | sfrclak[.]com | Primary command-and-control server |
| C2 IP | 142.11.206.73 | Hostwinds AS54290, port 8000 |
| User-Agent | mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) | Static UA string used by all RAT variants |
File System Artifacts
| Platform | Path | Context |
|---|---|---|
| All | node_modules/plain-crypto-js/setup.js | Dropper script (self-deletes after execution) |
| macOS | /Library/Caches/com.apple.act.mond | WAVESHAPER binary disguised as Apple daemon |
| Windows | C:\ProgramData\system.bat | VBScript downloader (Stage 1) |
| Windows | C:\ProgramData\wt.exe | Renamed PowerShell binary for persistence |
| Windows | HKCU\...\Run\MicrosoftUpdate | Registry persistence key |
| Linux | /tmp/ld.py | Python RAT (orphaned process) |
1. Check your package-lock.json or yarn.lock for axios@1.14.1 or axios@0.30.4.
2. Search for plain-crypto-js in your node_modules directory.
3. Check for file system artifacts listed above on all machines that ran npm install during the exposure window (Mar 31, 00:21-03:15 UTC).
4. Search network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000.
5. If any indicators are found, treat the machine as fully compromised. Rotate all credentials, API keys, and tokens that were accessible from the affected system.
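Steps 1 and 2 above can be automated against a parsed package-lock.json. The script below is an added example, not code from the advisory or from CyberXYZ; the sample lockfile it scans is constructed for demonstration.

```javascript
// Added example, not code from the advisory: scan a parsed npm lockfile for the
// compromised axios releases and for the malicious transitive dependency
// plain-crypto-js. Handles both the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
const COMPROMISED_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

function scanLockfile(lock) {
  const findings = [];
  const check = (name, version, where) => {
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.has(version)) {
      findings.push({ name, version, where, reason: "compromised release" });
    }
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ name, version, where, reason: "malicious package" });
    }
  };
  if (lock.packages) {
    // v2/v3: keys are paths such as "node_modules/axios" or
    // "node_modules/axios/node_modules/plain-crypto-js"; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;
      const marker = "node_modules/";
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, meta.version, path);
    }
  } else {
    // v1: recurse through nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        check(name, meta.version, where);
        walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (v3 layout) with the compromised release installed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.9" },
  },
};
```

On a real project call `scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; yarn.lock uses a different format and needs its own parser.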
Supply-Chain Risk Analysis
MITRE ATT&CK Mapping
This attack maps to multiple MITRE ATT&CK techniques across the kill chain:
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain - Malicious code injected via compromised npm package maintainer account.
- T1566.003 - Phishing: Spearphishing via Service - Maintainer targeted via fake Slack workspace and Teams meeting to deliver initial RAT.
- T1059.001 - Command and Scripting Interpreter: PowerShell - Windows payload uses PowerShell for RAT functionality.
- T1059.006 - Command and Scripting Interpreter: Python - Linux payload is a Python RAT.
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys - Windows persistence via Run key.
- T1036.005 - Masquerading: Match Legitimate Name or Location - macOS binary disguised as Apple daemon (com.apple.act.mond).
- T1140 - Deobfuscate/Decode Files or Information - Payload uses reversed Base64 + XOR with key OrDeR_7077.
- T1071.001 - Application Layer Protocol: Web Protocols - C2 communication over HTTP port 8000.
Attribution
Multiple threat intelligence teams have attributed this attack to North Korean state-sponsored actors:
- Elastic Security Labs identified significant overlap between the macOS payload and WAVESHAPER, a backdoor tracked by Mandiant and attributed to UNC1069, a DPRK-linked threat cluster.
- Microsoft Threat Intelligence published an attribution blog on April 1, 2026, linking the compromise to a North Korean state actor.
- BleepingComputer reported connections to the BlueNoroff subgroup of the Lazarus Group.
Attribution confidence is HIGH based on the WAVESHAPER malware lineage, identical User-Agent strings across multiple campaigns, and overlapping Hostwinds infrastructure.
How CyberXYZ Detects This Class of Attack
Traditional SCA tools rely on published CVEs and advisories. In this case, no CVE existed during the 3-hour exposure window. By the time advisories were published, the RAT had already been deployed.
CyberXYZ's detection engine operates at the registry layer, monitoring for behavioral anomalies in real time. When a trusted package like axios suddenly introduces an unknown dependency, the engine flags it instantly. The CyberXYZ proxy, which sits between the developer and the registry, blocks the malicious tarball before it ever reaches node_modules. The package simply does not install.
Combined with downstream dependency graph analysis, every affected consumer is identified and notified within minutes. This attack would have been caught and blocked automatically at the proxy, without waiting for a human to file an advisory.
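The two behavioral signals described above (a trusted package gaining a dependency it never had, and that dependency carrying an install hook) can be checked from manifests alone. The code below is an added example, not CyberXYZ's engine or any project's code; the manifests are constructed and trimmed, with axios's dependency list simplified and plain-crypto-js modelled with the postinstall hook the advisory describes.

```javascript
// Added example, not CyberXYZ's engine or any project's code: registry-side checks
// that would have flagged axios@1.14.1 without a CVE. Given the manifests of the
// previous and the new release, report dependencies that appear for the first time
// and whether each new dependency declares an npm install hook.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function newDependencies(prevManifest, nextManifest) {
  const known = new Set(Object.keys(prevManifest.dependencies || {}));
  return Object.entries(nextManifest.dependencies || {})
    .filter(([name]) => !known.has(name))
    .map(([name, range]) => ({ name, range }));
}

function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// fetchManifest maps a package name to its manifest; it is injected so the check
// runs offline against the constructed registry snapshot below.
function assessRelease(prevManifest, nextManifest, fetchManifest) {
  return newDependencies(prevManifest, nextManifest).map((dep) => {
    const hooks = installHooks(fetchManifest(dep.name));
    return {
      dependency: dep.name,
      range: dep.range,
      installHooks: hooks,
      // A brand-new dependency that runs code at install time is exactly the
      // pattern this incident exhibited: block it and hold the release for review.
      verdict: hooks.length > 0 ? "block" : "review",
    };
  });
}

// Constructed, trimmed manifests (dependency ranges are illustrative).
const AXIOS_1_14_0 = {
  name: "axios", version: "1.14.0",
  dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" },
};
const AXIOS_1_14_1 = {
  name: "axios", version: "1.14.1",
  dependencies: { ...AXIOS_1_14_0.dependencies, "plain-crypto-js": "^4.2.1" },
};
const REGISTRY_SNAPSHOT = {
  "plain-crypto-js": { name: "plain-crypto-js", version: "4.2.1", scripts: { postinstall: "node setup.js" } },
};
```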
Recommended Actions
Immediate
- Audit all systems for the file system artifacts and network IOCs listed above.
- Pin axios to a known-good version (1.14.0 or 1.13.x) in all lockfiles.
- Rotate all credentials, tokens, and SSH keys on any machine that installed the affected versions.
- Block the C2 domain sfrclak[.]com and IP 142.11.206.73 at the network perimeter.
Short-Term
- Deploy a registry proxy that blocks packages with known malicious install scripts.
- Enable npm audit signatures to verify package provenance.
- Review CI/CD pipelines for any builds that ran during the 3-hour exposure window.
Long-Term
- Adopt a supply-chain security platform with real-time dependency injection detection (Signal A) and behavioral analysis.
- Implement lockfile-only installs in CI/CD to prevent pulling unexpected new versions.
- Monitor high-impact packages (Tier-1) for maintainer account changes and unusual publish patterns.
References
- Socket Research Team, Supply Chain Attack on Axios
- Snyk Security, Axios npm Package Compromised
- Microsoft Threat Intelligence, Mitigating the Axios npm Supply Chain Compromise
- Google Cloud / GTIG, North Korea-Nexus Threat Actor Compromises Axios NPM Package
- Elastic Security Labs, Inside the Axios Supply Chain Compromise
- BleepingComputer, Hackers Compromise Axios npm Package
- CISA, Supply Chain Compromise Impacts Axios
- GitHub Advisory, GHSA-fw8c-xr5c-95f9
- CyberXYZ Security Team, CyberXYZ Analysis