Axios HTTP Library Compromised in Sophisticated npm Supply Chain Attack
Malicious versions of JavaScript's most-used HTTP client deployed cross-platform RAT to 83 million weekly downloads via hijacked maintainer account.
Two versions of axios—the JavaScript HTTP library with 83 million weekly npm downloads—were compromised on March 31, 2026, deploying a cross-platform remote access trojan through a malicious dependency injected via stolen maintainer credentials.
The attack targeted axios versions 1.14.1 and 0.30.4, published within 39 minutes of each other through the compromised account of lead maintainer jasonsaayman. Both releases embedded a malicious dependency, plain-crypto-js@4.2.1, which executed platform-specific payloads for macOS, Windows, and Linux systems before self-destructing to evade forensic analysis. The malware contacted a command and control server at sfrclak.com:8000, enabling credential theft, remote code execution, and lateral movement across enterprise infrastructure.
Pre-Staged Infrastructure
The sophistication lies in the preparation. The attacker published plain-crypto-js@4.2.0—a clean decoy version—18 hours before releasing the malicious 4.2.1 variant, according to Socket. The malicious version contained pre-built payloads for three operating systems: a Python-based backdoor for Linux deposited at /tmp/ld.py, a Windows executable at %PROGRAMDATA%wt.exe, and a macOS binary masquerading as a system daemon at /Library/Caches/com.apple.act.mond.
After execution, the malware deleted its own setup.js file, removed the malicious package.json, and renamed a clean package.md file to package.json—a forensic evasion technique designed to leave no trace in installed node_modules directories. The command and control server at IP address 142.11.206.73 remained active as of late March 31, per iTnews.
“This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.”
— Ashish Kurmi, Security Researcher
Detection Versus Official Tooling
Socket’s automated malware detection flagged plain-crypto-js@4.2.1 within six minutes of publication at 00:05 UTC on March 31. Official npm security tooling provided no alert. The compromise succeeded despite axios using GitHub’s trusted publishing workflow—the attacker bypassed CI/CD safeguards by using a long-lived npm token associated with the maintainer account, according to StepSecurity.
The attacker changed the maintainer account email from its legitimate address to ifstap@proton.me without triggering verification. The malicious plain-crypto-js package was published by a separate account using nrwise@proton.me, per The Hacker News. Both malicious axios versions were unpublished by npm within hours, but not before achieving distribution across enterprise dependency chains.
This represents the third major npm supply chain attack in six months. The Shai-Hulud worm compromised over 500 packages in September 2025, while a separate campaign targeting the qix package affected repositories with 2.6 billion weekly downloads. The axios compromise surpasses both in sophistication due to its pre-staged infrastructure, multi-platform payloads, and self-erasing forensic evasion.
Transitive Exposure Surface
Direct axios installations represent a fraction of the exposure. The library serves as a foundational HTTP client in React and Vue frontends, Node.js backends, CI/CD automation scripts, and fintech infrastructure. Any service that performs HTTP requests in JavaScript likely depends on axios directly or transitively through framework dependencies.
Two additional packages were identified distributing identical malware: @shadanai/openclaw (versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, 2026.3.31-2) and @qqbrowser/openclaw-qbot@0.0.130. Both remained live on npm as of March 31 evening UTC, according to The Hacker News. The common naming pattern—openclaw in variant forms—suggests coordinated infrastructure deployed in parallel with the axios campaign.
- Pin axios to version 1.14.0 or 0.30.3 in package.json and regenerate lockfiles
- Audit package-lock.json or yarn.lock for plain-crypto-js@4.2.1 in transitive dependencies
- Scan for malicious artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%wt.exe (Windows), /tmp/ld.py (Linux)
- Block outbound connections to 142.11.206.73 and sfrclak.com at network perimeter
- Rotate credentials for any service with axios in production dependency chains
Token-Based Trust Model
The attack exploits npm’s reliance on maintainer accounts as single points of failure. Email changes require no secondary verification. Long-lived tokens bypass modern CI/CD protections like GitHub’s trusted publishing. The axios maintainer team acknowledged the compromise in GitHub issue #10604, stating they are investigating how the account was accessed and working to secure the release process. A CVE identifier is pending assignment as of March 31.
The Open Source Malware threat database characterised the campaign as “one of the most successful software supply chain attacks ever,” per iTnews. The assessment reflects not just technical execution but the structural vulnerability: 83 million weekly downloads compromised through a single stolen credential, with detection dependent entirely on third-party commercial scanners rather than npm’s native security infrastructure.
What to Watch
Monitor for CVE assignment in the National Vulnerability Database—CVE-2026-xxxxx will trigger automated security scans across enterprise software composition analysis tools. The command and control server at 142.11.206.73 remains active; any outbound connections indicate compromise requiring immediate incident response. Check for secondary packages (@shadanai/openclaw, @qqbrowser/openclaw-qbot) in transitive dependency trees—these were not unpublished as rapidly as the axios versions.
The 48-72 hour window for remediation closes as exploit frameworks incorporate the axios compromise into automated toolkits. Organisations with axios in CI/CD pipelines face lateral movement risk: compromised build servers enable supply chain attacks against downstream customers. The pattern repeats the 2025 qix and Shai-Hulud campaigns—npm’s token model remains unchanged, and the next high-value package is already in attacker reconnaissance.