Axios NPM Supply Chain Compromise: Malicious Packages Deliver Remote Access Trojan

What Happened

On March 31, 2026, attackers compromised the official Axios package on the Node Package Manager (npm) registry. Axios is one of the most widely used open-source libraries for making web requests, with over 100 million downloads per week. It is embedded in web applications, mobile apps, backend services, and automated build pipelines across virtually every industry.

The attacker gained access to the Axios package maintainer’s publishing credentials and used them to release two poisoned versions of Axios (1.14.1 and 0.30.4) that included a hidden malicious dependency. When developers or automated systems install either version, the malicious code executes immediately, stealing sensitive credentials from the system (cloud access keys, database passwords, API tokens) and installing a Remote Access Trojan (RAT) that gives the attacker persistent access to the compromised machine.

“This is exactly the type of attack supply chain attack that we discussed at RSAC last week. One compromised maintainer account, and a package that touches millions of systems becomes a weapon.”

The malicious versions were live on NPM for approximately two to three hours before detection and removal. The attack targeted both the current and legacy branches of Axios simultaneously, maximizing exposure across the ecosystem.

Who Is Affected

Any developer, build system, or production environment that installed Axios during the exposure window is potentially compromised. This includes:

• Developer workstations that ran npm install between 00:21 and 03:15 UTC on March 31, 2026, while the poisoned versions were available on npm
• Continuous Integration/Continuous Deployment (CI/CD) pipelines that automatically pull the latest compatible package versions
• Production systems rebuilt or redeployed during the window

The malicious code targeted Windows, macOS, and Linux systems with platform-specific payloads, covering the full range of environments where Axios is used.

What Organizations Should Do

For developers:

1. Check project lockfiles (package-lock.json or yarn.lock) for Axios versions 1.14.1 or 0.30.4, or any reference to plain-crypto-js. If present, the malicious package was installed.
2. Downgrade immediately to Axios 1.14.0 (or 0.30.3 for legacy users) and delete the node_modules/plain-crypto-js directory.
3. Assume all environment variables on affected systems were exfiltrated. Rotate NPM tokens, cloud access keys (AWS, Azure, GCP), SSH keys, database credentials, and API tokens.

For blue team defenders:

1. Block the command-and-control infrastructure: domain sfrclak.com and IP address 142.11.206.73 (port 8000).
2. Search for RAT artifacts on potentially affected systems:
1. macOS: /Library/Caches/com.apple.act.mond
2. Windows: %PROGRAMDATA%\wt.exe, %TEMP%\6202033.vbs, %TEMP%\6202033.ps1
3. Linux: /tmp/ld.py
3. Review shell profile files (.bashrc, .zshrc) on macOS and Linux systems for unauthorized modifications, as the malware attempts to establish persistence through profile injection.
4. Monitor network logs for outbound connections to port 8000 on the indicators listed above, and for POST requests to packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), or packages.npm.org/product2 (Linux). ¹ These callback URLs are designed to look like legitimate npm traffic.

For incident response teams:

1. Forensic evidence is limited by design. The malware deletes itself after execution and replaces its own package metadata with a clean stub. The primary indicator of compromise is the presence of the node_modules/plain-crypto-js directory.
2. Treat any system where the malicious package executed as fully compromised. Credential theft occurs within seconds of installation, and the RAT payload provides the attacker with ongoing remote access.
3. Scope the investigation to include CI/CD runners and build infrastructure, not just developer workstations. Automated pipelines that installed the affected versions may have exposed production secrets.

Affected package hashes for detection and forensic correlation²

• axios@1.14.1: 2553649f232204966871cea80a5d0d6adc700ca
• axios@0.30.4: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
• plain-crypto-js@4.2.1: 07d889e2dadce6f3910dcbc253317d28ca61c766

Threat Actor

Early analysis indicates that this attack may be a continuation of the TeamPCP supply chain campaign. Between March 19 and March 27, 2026, TeamPCP compromised four widely used open-source projects in rapid succession: the Trivy vulnerability scanner (March 19), the KICS infrastructure-as-code scanner (March 23), the LiteLLM AI proxy library on PyPI (March 24), and the Telnyx communications library on PyPI (March 27). ³ In each case, the malware harvested cloud credentials, SSH keys, Kubernetes configuration files, and CI/CD secrets. Wiz researchers observed TeamPCP validating stolen credentials within hours using TruffleHog, then conducting reconnaissance across AWS services including IAM, EC2, Lambda, S3, and Secrets Manager.

SANS analysts believe that TeamPCP likely has access to a stockpile of compromised publishing credentials and may be operating as an Initial Access Broker (IAB), selling access to other threat actors. If accurate, this pattern of supply chain compromises targeting high-download packages will continue over the coming weeks and months. Organizations should treat any credential exposed through these incidents as actively exploited.

Why This Matters

This incident is a textbook example of the supply chain risks discussed at RSAC last week. A single compromised maintainer account turned one of the most trusted packages in the npm ecosystem into an attack vector. The attacker pre-staged the malicious dependency 18 hours before publishing the poisoned Axios versions, demonstrating operational planning designed to evade detection.

“The attack surface is your vendor’s vendor’s vendor. This is what that looks like in practice.”

Organizations that had lockfiles pinning Axios to a specific version, or CI/CD policies that suppress automatic install scripts, were protected. Organizations that did not had a window of exposure measured in hours, with consequences that may take weeks to fully assess.

References

1. @cyberraiju, Axios Supply Chain Compromise IOCs, March 31, 2026.
2. StepSecurity, “Axios Compromised on npm: Malicious Versions Drop Remote Access Trojan,” March 31, 2026.
3. Wiz, “Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild,” March 2026.