
Supply Chain Attack: Axios Was Compromised. Here’s Exactly What Happened and What We Did.

A supply chain attack has silently installed a remote access trojan on developer machines around the world. We checked our entire stack within a few hours – here’s our full response, and what you need to do now.

  • axios@1.14.1 and axios@0.30.4 were published from a compromised maintainer account on npm
  • They silently install plain-crypto-js@4.2.1, a RAT dropper that exposes your secrets
  • Malicious versions were live for about 2 hours on March 31, 2026 UTC
  • Downgrade to axios@1.14.0 or axios@0.30.3 immediately and rotate all credentials
  • We checked every project in our company, notified clients, and started a full credential rotation

What really happened

On March 31, 2026, attackers published two poisoned versions of axios – one of the most downloaded npm packages in the world, with more than 100 million weekly installations – to the npm registry.

This was not a typosquat or a rogue fork. The attacker took over the npm account of one of the lead axios maintainers. They changed the registered email to an anonymous ProtonMail address and manually pushed the malicious releases via the npm CLI – completely bypassing the project’s normal GitHub Actions CI/CD pipeline. There are no corresponding GitHub tags. No SLSA provenance attestations. No source code changes. The only change in the entire package was one new line in package.json: a dependency on plain-crypto-js@4.2.1.

What makes this attack so bad

No axios source code was touched. Traditional diff-based code review won’t catch it. The attack was invisible unless you were checking for new, unexpected dependencies.
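The check this section calls for, comparing a release's manifest with the previous release's instead of diffing source, as an added example that is not code from the original post. reviewRelease is a hypothetical helper and the manifests are constructed samples; only the plain-crypto-js entry and its postinstall command come from the post.

```javascript
// Added example: compare a release's package.json with the previous release's.
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Dependencies present in `next` that `prev` did not declare.
function addedDependencies(prev, next) {
  const added = [];
  for (const field of DEP_FIELDS) {
    const before = prev[field] || {};
    for (const [name, range] of Object.entries(next[field] || {})) {
      if (!has(before, name)) added.push({ field, name, range });
    }
  }
  return added;
}

// Lifecycle scripts that npm runs automatically during install.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// newDepManifests: package.json of each newly added dependency, keyed by name.
function reviewRelease(prev, next, newDepManifests = {}) {
  const findings = [];
  for (const dep of addedDependencies(prev, next)) {
    findings.push(`new ${dep.field} entry: ${dep.name}@${dep.range}`);
    for (const h of installHooks(newDepManifests[dep.name])) {
      findings.push(`${dep.name} runs on ${h.hook}: ${h.command}`);
    }
  }
  const known = new Set(installHooks(prev).map((h) => `${h.hook}:${h.command}`));
  for (const h of installHooks(next)) {
    if (!known.has(`${h.hook}:${h.command}`)) findings.push(`package adds ${h.hook}: ${h.command}`);
  }
  return findings;
}

// Constructed manifests; only the plain-crypto-js entry and its hook come from the post.
const prevManifest = { name: 'axios', version: '1.14.0',
  dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.0' } };
const nextManifest = { name: 'axios', version: '1.14.1',
  dependencies: { ...prevManifest.dependencies, 'plain-crypto-js': '^4.2.1' } };
const depManifests = { 'plain-crypto-js': { version: '4.2.1', scripts: { postinstall: 'node setup.js' } } };
console.log(reviewRelease(prevManifest, nextManifest, depManifests));
```

In a CI gate the manifests would come from the registry (for example the JSON output of npm view for each version), and any finding would hold the update for manual review.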

Timeline of the attack

  • March 30, 2026 — 05:57 UTC

The attacker publishes plain-crypto-js@4.2.0, a clean copy of the official crypto-js library. Zero malicious code. Objective: build a publishing history to fool automated scanners.

  • March 30, 2026 — 23:59 UTC

Malicious plain-crypto-js@4.2.1 published. Contains an obfuscated RAT dropper, setup.js. Socket’s automated detection flags it within 6 minutes.

  • March 31, 2026 — 00:21 UTC

axios@1.14.1 published from the compromised maintainer account. It injects plain-crypto-js@4.2.1 as a runtime dependency.

  • March 31, 2026 — 01:00 UTC

axios@0.30.4 published. Both the 1.x and 0.x branches are poisoned within 39 minutes of each other — increasing the blast radius.

  • March 31, 2026 — 03:29 UTC

Malicious versions were removed from npm following disclosure by StepSecurity and Socket. But anyone who ran npm install in that 3-hour window may be affected.

The 18-hour head start given to the clean plain-crypto-js@4.2.0 is intentional: most automated security scanners look for new packages that don’t have a release history. By the time the malicious version landed, the account looked legitimate.

What the malware does

When npm install runs, npm resolves the dependency tree, pulls plain-crypto-js@4.2.1, and runs its postinstall hook: node setup.js. That’s all. That is the moment of compromise.

The dropper in setup.js uses two layers of obfuscation – reversed Base64 with padding substitution, followed by an XOR cipher – before contacting the C2 server at sfrclak[.]com:8000 (IP: 142.11.206.73) to download a platform-specific second-stage RAT.

After execution, it covers its tracks: it deletes itself, deletes the package.json file that contains the postinstall hook, and replaces it with a clean decoy. Inspect node_modules/plain-crypto-js afterwards and it looks completely innocent – unless you know the folder shouldn’t exist at all.

macOS artifact

/Library/Caches/com.apple.act.mond

Linux artifact

/tmp/ld.py

Windows artifact

%PROGRAMDATA%\wt.exe

C2 indicators of compromise

Block and inspect outbound connections to sfrclak[.]com and IP 142.11.206.73 on port 8000. If any machine shows this traffic in the network logs, assume a full compromise.

Who is at risk

The risk is highest if any of the following were active in your environment between 00:21 UTC and 03:29 UTC on March 31, 2026:

  • CI/CD pipelines that do not pin dependency versions and run npm install on a schedule or on commit
  • Engineers running npm install or npm update in that window
  • Projects using caret ranges (^1.14.0 or ^0.30.0) in package.json — these automatically pull the latest minor/patch
  • Anyone who pulled @shadanai/openclaw or @qqbrowser/openclaw-qbot@0.0.130 – these secondary packages ship the same payload

If your lock file was created before the malicious versions were published and your install did not update it, you are not affected. But verify before assuming.

How we responded at our company

Our response to the incident, step by step

Step 1

Rapid sweep of all projects. We reached out to all tech leads as soon as the alert hit. The ask was clear: check the axios version in every project you currently own – using cat package-lock.json | grep axios or npm list axios – then report back. No exceptions, no “we’ll get to that later.”

Step 2

Check for the malicious dependency. Tech leads were also asked to run npm list plain-crypto-js in every project and on every active dev machine. Any output other than (empty) = affected.

Step 3

Client notification — before remediation. We contacted our clients proactively. We told them what happened, what we were checking, what the risk window was, and what we were doing. Up front. This matters for trust, and in some cases it is contractually required.

Step 4

Patch, then rebuild. Affected projects were downgraded to axios@1.14.0 (for 1.x) or axios@0.30.3 (for 0.x), lock files were updated, the plain-crypto-js directory was manually removed from node_modules, and a clean reinstall was done with npm install --ignore-scripts. Only after a verified clean build did we promote to any environment.

Step 5

Credential rotation for any machine that may have been exposed. For any dev machine or CI runner that ran npm install in the exposure window: all .env values, AWS keys, npm tokens, SSH keys, and CI secrets were rotated immediately. Don’t assume you’re safe — rotate anyway.

Step 6

Network log inspection. Network logs were inspected for any outbound connections to sfrclak[.]com or 142.11.206.73. We found nothing – but the check was non-negotiable.

Your remediation checklist

1. Check every project for the affected versions

Run npm list axios or grep the lock file. Any project showing 1.14.1 or 0.30.4 needs immediate action.

2. Search for the malicious dependency

npm list plain-crypto-js – if anything prints (other than (empty)), the dropper has run.

3. Downgrade and reinstall clean

npm install axios@1.14.0 (or 0.30.3). Then npm install --ignore-scripts to prevent postinstall scripts from running.

4. Check for RAT files on every machine

macOS: ls /Library/Caches/com.apple.act.mond · Linux: ls /tmp/ld.py · Windows: Test-Path "$env:ProgramData\wt.exe"

5. Rotate all credentials on affected machines

All .env secrets, AWS/GCP/Azure keys, npm tokens, SSH keys, CI secrets. Don’t wait. Rotate even if you are not sure.

6. Audit network logs for C2 communication

Block and search for sfrclak[.]com and 142.11.206.73:8000. Any hit = assume full machine compromise.

Preventing the next one

This attack worked because open source supply chain trust is implicit. A package published under a maintainer’s account appears to be legitimate. We need to break that mindset once and for all.
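Steps 1 and 2 of the checklist run against a lock file instead of by eye, as an added example that is not part of the original post. scanLockfile is a hypothetical helper, the sample lock file is constructed, and the example goes beyond the grep in the text by handling both the flat packages map (lockfileVersion 2/3) and the nested dependencies tree (lockfileVersion 1).

```javascript
// Added example: flag the releases named in this post inside a parsed package-lock.json.
const BAD = {
  axios: ['1.14.1', '0.30.4'],
  'plain-crypto-js': ['*'], // should not be installed at any version
};

function isBad(name, version) {
  const bad = Object.prototype.hasOwnProperty.call(BAD, name) ? BAD[name] : null;
  return !!bad && (bad.includes('*') || bad.includes(version));
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const at = path.lastIndexOf('node_modules/');
    if (at < 0) continue; // root project or a workspace folder
    const name = meta.name || path.slice(at + 'node_modules/'.length); // meta.name is set for aliases
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path: path.join(' > ') });
    scanDependencies(meta.dependencies, path, hits);
  }
}

function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample (lockfileVersion 3), not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
  },
};
console.log(scanLockfile(sampleLock));
```

Feed it the parsed contents of each package-lock.json in the repository. A clean result covers the committed lock file only; a machine that ran an unpinned install during the window still needs the artifact and network checks in steps 4 and 6.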

Harden your CI/CD now

Always run npm install --ignore-scripts in CI environments. This blocks postinstall scripts — the exact mechanism used to deploy this RAT. For production, commit your lock files and verify them – never rely on floating ranges like ^1.14.0 in higher environments. Consider a tool like Socket, Snyk, or StepSecurity for real-time supply chain monitoring.

Require npm accounts with publish rights to use hardware MFA — not TOTP — and audit the hygiene of your npm organization’s tokens. Long-lived classic tokens (a potential attack vector here) should be replaced with granular automation tokens of limited scope.

A final thought

Supply chain attacks are not going away. The axios incident follows the same playbook seen in the Chalk, Debug, and Shai-Hulud npm incidents in late 2025. The pattern: compromise the maintainer’s account, publish a poisoned version, exploit the ecosystem’s full trust in packages from the registry.

The only real defense is layered: pin versions, verify provenance, block postinstall scripts in CI, monitor for unexpected new dependencies, and have an incident response plan in place before you need it. We had ours. That’s why we were able to move quickly.

If you found this helpful, share it with your team leads. The people who need this don’t always read security blogs — they build features and may not even know that their own npm install this morning pulled down a RAT.
