
Axios npm Attack Exposes Critical Flaw in Open-Source Security Model

Compromised maintainer credentials bypassed GitHub protections to inject remote-access trojan into package with 100 million weekly downloads, revealing systemic npm governance failure.

A sophisticated supply-chain attack against axios, the most widely used JavaScript HTTP client library, compromised production builds on March 31, 2026, when threat actors hijacked a maintainer account and published malicious versions containing a cross-platform remote access trojan to over 100 million weekly installations.

Two poisoned releases — axios@1.14.1 and axios@0.30.4 — went live within 39 minutes of each other starting at 00:21 UTC, according to StepSecurity. The malware remained available for approximately two hours before npm removed both versions at 03:29 UTC. During that window, automated build systems across web development, cloud infrastructure, and enterprise applications pulled the compromised packages into production dependency chains.

The attack bypassed GitHub’s CI/CD protections entirely. Legitimate axios releases use OIDC Trusted Publisher workflows via GitHub Actions, generating SLSA provenance attestations that verify builds came from repository source code. The malicious versions carried neither GitHub tags nor provenance signatures — they were pushed directly to npm using a compromised publishing token from maintainer account jasonsaayman, whose recovery email was changed to ifstap@proton.me.

Attack Timeline
  • Malicious dependency staged: Mar 30, 23:59 UTC
  • First poisoned release: Mar 31, 00:21 UTC
  • Second poisoned release: Mar 31, 01:00 UTC
  • Automated detection: Mar 31, 00:06 UTC
  • Packages removed: Mar 31, 03:29 UTC
  • Exposure window: ~2 hours

Attack Mechanics: Staged Infrastructure and Platform-Specific Payloads

The operation showed deliberate planning. Threat actors published a malicious dependency called plain-crypto-js@4.2.1 at 23:59 UTC on March 30 — 22 minutes before the first axios release. An earlier clean version (4.2.0) had been staged 18 hours prior at 05:57 UTC, establishing the package name in npm’s registry to avoid suspicion. Both compromised axios versions added plain-crypto-js as a dependency, triggering its postinstall script during package installation.

The script delivered platform-specific second-stage payloads: /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%wt.exe on Windows, and /tmp/ld.py on Linux. All three contacted a command-and-control server at sfrclak.com:8000, per The Hacker News. The malware used dual-layer obfuscation — base64 encoding wrapped in XOR cipher — and implemented self-erasing routines to evade forensic analysis.

“This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three payloads were pre-built for three operating systems. Both release branches were poisoned within 39 minutes of each other.”

— Ashish Kurmi, Security Researcher at StepSecurity

Socket’s automated malware detection flagged the malicious package within six minutes of publication at 00:05:41 UTC. The system identified suspicious postinstall scripts and network activity patterns that deviated from axios’s historical behavior. Two secondary packages — @shadanai/openclaw and @qqbrowser/openclaw-qbot — were also identified vendoring either the compromised axios versions or plain-crypto-js directly.

Systemic Vulnerabilities in npm Publishing Model

The incident exposes a fundamental design flaw in npm’s security architecture. GitHub repository protections — branch rules, required reviews, signed commits, CI/CD workflows — become irrelevant when attackers possess valid npm publishing tokens. The registry treats token authentication as the sole authorization boundary, allowing manual CLI publishes that skip all upstream safeguards.

Context

Axios is the third major npm supply chain attack in six months. The September 2025 Shai-Hulud worm poisoned 500+ packages, while the qix compromise targeted 18 packages with 2.6 billion combined weekly downloads. In 2025, over 99% of all open-source malware occurred on npm, with attackers publishing 454,648 new malicious packages across registries processing 9.8 trillion downloads.

Email changes on compromised maintainer accounts occur without verification. Once attackers control the recovery email, legitimate maintainers lose the ability to regain access through standard password reset flows. The axios maintainer account remains locked at time of publication, per Aikido Security.

Over 2 million packages depend on axios across web frameworks, cloud infrastructure tooling, and enterprise applications. The blast radius extends beyond direct dependencies — transitive dependency chains mean organizations using React, Vue, Angular, or Next.js applications likely installed axios indirectly through UI component libraries, API clients, or build tooling.

Immediate Remediation Steps
  • Check installed axios versions: npm list axios or yarn why axios
  • Downgrade to safe releases: axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch)
  • Search for RAT artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%wt.exe (Windows), /tmp/ld.py (Linux)
  • Review network logs for connections to sfrclak.com:8000
  • Audit lockfiles (package-lock.json, yarn.lock) for plain-crypto-js@4.2.1
  • Rotate secrets and API keys on systems that ran automated builds during the exposure window
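
The lockfile checks from the list above, as an added example (not code from the article or from npm): it scans a parsed package-lock.json and the text of a yarn.lock for the three releases the article names. The sample lockfiles are constructed, and the function names are this example's own.

```javascript
// Added example, not code from the article: flag the releases the article
// names in npm and Yarn lockfiles. Names and versions come from the article.
const COMPROMISED = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);
const isBad = (name, version) => (COMPROMISED.get(name) || []).includes(version);

// Parsed package-lock.json. v2/v3 keep a flat "packages" map keyed by install
// path; v1 keeps a nested "dependencies" tree.
function auditNpmLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} at ${path}`);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} at ${trail}${name}`);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// yarn.lock text (classic and Berry): an unindented "name@range:" header
// followed by an indented version line.
function auditYarnLock(text) {
  const hits = [];
  let name = null;
  for (const line of text.split(/\r?\n/)) {
    const header = line.match(/^"?(@?[^@"\s]+)@.*:$/);
    const version = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (header) name = header[1];
    else if (version && name && isBad(name, version[1])) hits.push(`${name}@${version[1]}`);
  }
  return hits;
}

// Constructed sample inputs, not taken from a real project.
const SAMPLE_NPM_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/ui-kit/node_modules/axios": { version: "1.14.0" },
  "node_modules/plain-crypto-js": { version: "4.2.1" },
} };
const SAMPLE_YARN_LOCK = 'axios@^0.30.0:\n  version "0.30.4"\n\n"@scope/pkg@^1.0.0":\n  version "1.14.1"\n';
console.log(auditNpmLock(SAMPLE_NPM_LOCK), auditYarnLock(SAMPLE_YARN_LOCK));
```

For a real project, pass the result of JSON.parse on package-lock.json to auditNpmLock and the raw text of yarn.lock to auditYarnLock.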

Detection and Response Infrastructure

Third-party security tooling proved more effective than npm’s native defenses. Socket’s behavioral analysis caught the attack in real time, while SafeDep’s automated SLSA provenance verification would have blocked installation of unsigned releases. Both operate independently of npm’s infrastructure.
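
One way to express the provenance check described here, and the gap noted earlier between attested axios releases and the two malicious ones, as an added example rather than Socket's or SafeDep's code: it compares a new release's registry metadata with the previous release and reports a dropped provenance attestation or a newly added dependency. It assumes the npm registry's packument layout (dist.attestations.provenance); the sample metadata and the function names are constructed for illustration.

```javascript
// Added example, not vendor code: hold a release for review when it loses
// provenance or gains a dependency compared with the previous release.
// Assumption: version objects follow the npm registry packument layout, where
// releases published with provenance carry dist.attestations.provenance.
function hasProvenance(versionMeta) {
  return Boolean(versionMeta?.dist?.attestations?.provenance);
}

function reviewRelease(packument, prev, next) {
  const before = packument.versions[prev];
  const after = packument.versions[next];
  if (!before || !after) throw new Error(`unknown version: ${prev} or ${next}`);
  const findings = [];
  // Signal 1: the earlier release was attested, the new one is not.
  if (hasProvenance(before) && !hasProvenance(after)) {
    findings.push("provenance-dropped");
  }
  // Signal 2: a runtime dependency appears that the earlier release lacked.
  const oldDeps = new Set(Object.keys(before.dependencies || {}));
  for (const dep of Object.keys(after.dependencies || {})) {
    if (!oldDeps.has(dep)) findings.push(`new-dependency:${dep}`);
  }
  return { release: `${packument.name}@${next}`, hold: findings.length > 0, findings };
}

// Constructed sample modelled on the article's description; not real registry output.
const SAMPLE_PACKUMENT = {
  name: "axios",
  versions: {
    "1.14.0": {
      dependencies: { "follow-redirects": "^1.15.6" },
      dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } },
    },
    "1.14.1": {
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "^4.2.1" },
      dist: {},
    },
  },
};

console.log(reviewRelease(SAMPLE_PACKUMENT, "1.14.0", "1.14.1"));
```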

npm has announced plans for mandatory FIDO 2FA, default disabling of legacy publishing tokens, and enforced Trusted Publisher workflows. None were implemented at the time of the axios compromise. The registry’s current security model relies on maintainer diligence rather than platform-enforced controls — a design choice that scales poorly as attack sophistication increases.

Wiz assigned CVE tracking identifiers GHSA-fw8c-xr5c-95f9 and MAL-2026-2306 to the incident. The malware’s command-and-control infrastructure remained operational as of 06:00 UTC on March 31, suggesting threat actors may attempt additional compromises using the same tooling.

What to Watch

The 18-hour staging period and pre-built cross-platform payloads indicate professional threat actors, not opportunistic script kiddies. Whether this represents state-sponsored reconnaissance, ransomware group positioning, or intellectual property theft remains unclear. Organizations should monitor for unusual outbound connections from development environments and CI/CD infrastructure — the typical targets of supply-chain reconnaissance.

npm’s response timeline will set precedent. Mandatory 2FA enforcement affects 2.5 million package maintainers, many managing hobby projects without security operations support. Balancing accessibility against security in open-source ecosystems remains unsolved, and axios demonstrates the cost of deferring hard decisions. The window for incremental fixes may be closing.