The Axios npm Supply Chain Attack: A Complete Breakdown
On March 31, 2026, one of the most consequential software supply chain attacks in npm history unfolded over roughly three hours. The target was Axios — a promise-based HTTP client library with over 100 million weekly downloads and a presence as a transitive dependency in millions of JavaScript projects worldwide.
Some numbers and facts first:



How it happened: the account takeover
An attacker gained access to the npm account of jasonsaayman, the primary maintainer of the open-source Axios library. The maintainer email was changed from the legitimate address to ifstap@proton[.]me, and the attacker bypassed the normal GitHub Actions OIDC-based CI/CD publishing workflow by publishing directly via the npm CLI using a long-lived access token.
This is a critical detail. Even on the v1.x branch where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside OIDC credentials. When both are present, npm uses the token — meaning the long-lived token was effectively the authentication method for all publishes, regardless of OIDC configuration. The real maintainer later stated publicly in GitHub issue #10604: "I'm trying to get support to understand how this even happened. I have 2FA/MFA on practically everything."
The compromise is evident in the npm registry metadata: the publishing method shifted from a trusted OIDC publisher flow with SLSA provenance to a direct CLI publish with a changed email — a clear indicator of unauthorized access.
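As an added example (not from the original article or from npm's own tooling), the check below compares each release's registry metadata with the previous release on the same major line and reports a dropped provenance attestation or a changed publisher e-mail. The packument is constructed sample data and the function name `publishDrift` is hypothetical; the field names are those of the npm registry document.

```javascript
// CONSTRUCTED packument for a hypothetical package; names, e-mails, versions
// and dates are placeholders. Fields used: time[version],
// versions[v]._npmUser.email and versions[v].dist.attestations.provenance.
const attested = { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } };
const samplePackument = {
  name: "example-http-client",
  time: { "1.0.0": "2026-01-10T09:00:00Z", "1.0.1": "2026-02-14T09:00:00Z",
          "0.9.5": "2026-02-20T09:00:00Z", "1.0.2": "2026-03-01T00:20:00Z",
          "0.9.6": "2026-03-01T00:59:00Z" },
  versions: {
    "1.0.0": { _npmUser: { email: "ci-publisher@example.org" }, dist: attested },
    "1.0.1": { _npmUser: { email: "ci-publisher@example.org" }, dist: attested },
    "0.9.5": { _npmUser: { email: "maintainer@example.org" }, dist: {} },
    "1.0.2": { _npmUser: { email: "someone-else@example.net" }, dist: {} },
    "0.9.6": { _npmUser: { email: "someone-else@example.net" }, dist: {} },
  },
};

function publishDrift(packument) {
  const times = packument.time || {};
  // Order by publish time and compare only within one release line (major
  // version), so a legacy branch that never had provenance is not flagged
  // merely for lacking it.
  const ordered = Object.keys(packument.versions || {})
    .filter((v) => times[v])
    .sort((a, b) => Date.parse(times[a]) - Date.parse(times[b]));
  const lastByLine = {};
  const findings = [];
  for (const version of ordered) {
    const meta = packument.versions[version];
    const cur = {
      email: (meta._npmUser && meta._npmUser.email) || null,
      provenance: Boolean(meta.dist && meta.dist.attestations && meta.dist.attestations.provenance),
    };
    const line = version.split(".")[0];
    const prev = lastByLine[line];
    if (prev) {
      const reasons = [];
      if (prev.provenance && !cur.provenance) reasons.push("provenance-dropped");
      if (prev.email !== cur.email) reasons.push("publisher-email-changed");
      if (reasons.length) findings.push({ version, published: times[version], reasons });
    }
    lastByLine[line] = cur;
  }
  return findings;
}
```

In practice the input is the JSON document served at `https://registry.npmjs.org/<package>`; a finding is a prompt to verify the release with the maintainers before installing it.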
The payload: pre-staged and ready to go
The attacker didn’t modify a single line of Axios source code. Instead, they added a pre-staged malicious dependency, [email protected], to the package.json of the new Axios releases. This package had been published to npm under account "nrwise" (email: nrwise@proton[.]me) shortly before the attack, waiting for exactly this moment.
According to security researcher Ashish Kurmi of StepSecurity, the dependency’s sole purpose is to execute a postinstall script that acts as a cross-platform RAT dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform-specific second-stage payloads.
Both the latest and legacy dist-tags pointed to compromised versions, ensuring the majority of fresh installations pulled a backdoored release. Any project using version ranges like ^1.14.0 or ^0.30.0 in their package.json would silently pull in the malicious version on the next npm install.
The RAT: one implant, three platforms
What makes this campaign technically impressive is the sophistication of the second-stage tooling. All three stage-2 payloads are implementations of the same RAT with an identical C2 protocol, command set, beacon cadence, and spoofed user-agent — written in PowerShell (Windows), C++ (macOS), and Python (Linux).
The malware was designed to perform reconnaissance and establish persistence, with an added feature to self-destruct for evasion. On every compromised host, the RAT performed immediate system reconnaissance: enumerating user directories, filesystem drive roots, and running processes, then transmitted that data to the C2 server.
One of the most curious technical choices: the IE8/Windows XP user-agent string is hardcoded identically across all three platform variants. While it provides a consistent protocol fingerprint for C2 server-side routing, it is trivially detectable on any modern network — and is an immediate anomaly on macOS and Linux hosts. This single artifact makes network-level detection straightforward for defenders.
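The detection described above, as an added example that is not part of the original article: it scores proxy log lines on the hardcoded user-agent, the host's real operating system, and the C2 destination and port from the IOC list. The log layout, the asset inventory and the host names are constructed assumptions; only the user-agent, domain, IP and port come from this page.

```javascript
// User-agent hardcoded in all three RAT variants (from the page's IOC list).
const RAT_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)";
// C2 indicators from the page, stored defanged and refanged only for matching.
const C2_HOSTS = ["sfrclak[.]com", "142.11.206[.]73"].map((h) => h.replace(/\[\.\]/g, "."));
const C2_PORT = "8000";

// CONSTRUCTED asset inventory and proxy log; the line layout
// (timestamp, source host, method, URL, quoted user-agent) is an assumption.
const INVENTORY = { "ci-linux-07": "linux", "dev-mac-12": "macos", "kiosk-win-03": "windows" };
const SAMPLE_LOG = [
  `2026-03-31T00:41:07Z ci-linux-07 POST http://${C2_HOSTS[0]}:8000/ "${RAT_UA}"`,
  `2026-03-31T00:52:30Z dev-mac-12 POST http://${C2_HOSTS[1]}:8000/ "${RAT_UA}"`,
  `2026-03-31T01:05:11Z kiosk-win-03 GET http://intranet.example/ "${RAT_UA}"`,
  `2026-03-31T01:06:45Z ci-linux-07 POST http://artifacts.example:8000/upload "curl/8.5.0"`,
  `2026-03-31T01:07:02Z ci-linux-07 GET https://registry.npmjs.org/axios "npm/11.0.0 node/v22.0.0"`,
];

function classify(line, inventory) {
  const m = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/.exec(line);
  if (!m) return null; // unparseable line: ignore rather than guess
  const [, ts, host, method, rawUrl, ua] = m;
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  const reasons = [];
  if (C2_HOSTS.includes(url.hostname)) reasons.push("c2-destination");
  if (ua === RAT_UA) {
    reasons.push("rat-user-agent");
    // An IE8/Windows XP agent cannot be genuine on a macOS or Linux host.
    if (inventory[host] && inventory[host] !== "windows") reasons.push("ua-os-mismatch");
  }
  // Weak on its own: plenty of internal services listen on port 8000.
  if (method === "POST" && url.port === C2_PORT) reasons.push("post-to-port-8000");
  if (reasons.length === 0) return null;
  const strong = reasons.includes("c2-destination") || reasons.includes("ua-os-mismatch");
  const severity = strong ? "high" : reasons.includes("rat-user-agent") ? "medium" : "low";
  return { ts, host, severity, reasons };
}

function detect(lines, inventory) {
  return lines.map((l) => classify(l, inventory)).filter(Boolean);
}
```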
The attacker showed meaningful operational sophistication: pre-staging the malicious dependency, using a “clean” version history, double-obfuscating the dropper, building platform-specific RATs, and implementing anti-forensic self-deletion. This was not opportunistic.
The blast radius: wider than it looks
This compromise is particularly significant because Axios is widely used and is often included as a transitive dependency across millions of applications. Organizations that install npm packages in CI/CD pipelines may have automatically pulled the malicious versions into build environments during the roughly 3-hour window. Even systems that did not directly install Axios could be indirectly impacted if another package in the environment depended on the compromised versions.
Socket identified two additional packages distributing the same malware through vendored dependencies: @shadanai/openclaw and @qqbrowser/[email protected], the latter shipping a tampered [email protected] in its node_modules/ folder.
The Huntress SOC documented the real-world propagation in real time. One machine appeared to be hit via a yarn Datadog package, with the malicious dependency found even within a WordPress module nested at C:\Users\[REDACTED]\AppData\Roaming\npm\node_modules\@wordpress\scripts\node_modules\plain-crypto-js\ — confirming the supply chain propagated through any package that transitively depended on Axios.
Attribution: North Korean state actor
Two major threat intelligence organizations independently attributed this campaign to the same DPRK-nexus actor. Microsoft Threat Intelligence has attributed the Axios npm compromise to Sapphire Sleet, a North Korean state actor. Google Threat Intelligence Group independently attributed the attack to UNC1069, a suspected North Korean threat actor.
UNC1069 isn’t the only threat actor to launch successful open-source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations.
What defenders must do right now
Immediate actions:
Roll back all deployments of Axios to safe versions (1.14.0 or 0.30.3 or earlier). Use overrides to force pinned versions for transitive dependencies. Flush the local cache with npm cache clean --force. Review CI/CD pipeline logs for any npm install executions that might have updated to [email protected] or [email protected] or presence of plain-crypto-js in install outputs.
Block all egress traffic to the attacker’s C2 domain sfrclak[.]com and IP address 142.11.206[.]73. Monitor network logs for suspicious outbound connections over port 8000, beaconing behavior, and anomalous HTTP POST requests.
Inspect systems for platform-specific indicators of compromise: /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe on Windows, and /tmp/ld.py on Linux.
Credential rotation is non-negotiable. Users who installed the affected versions should rotate their secrets and credentials immediately.
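One way to run the lockfile part of that review, as an added example that is not from the original article: the function walks the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3 assumed) and reports any copy of plain-crypto-js, plus any Axios copy newer than the safe versions named above, including nested transitive copies. The sample lockfile, its package names and the placeholder versions are constructed, and `scanLock` is a hypothetical name.

```javascript
// Baselines stated on the page: axios 1.14.0 and 0.30.3 (or earlier) are safe.
const SAFE_AXIOS = { 1: [1, 14, 0], 0: [0, 30, 3] };
const DROPPER = "plain-crypto-js"; // any installed copy is a finding

// CONSTRUCTED package-lock.json (lockfileVersion 3) for a hypothetical project.
// "1.14.99" and "0.0.0" are placeholder versions, not the real malicious ones.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.0" },
    "node_modules/legacy-client/node_modules/axios": { version: "0.30.3" },
    "node_modules/@acme/sdk": { version: "2.0.0" },
    "node_modules/@acme/sdk/node_modules/axios": { version: "1.14.99" },
    "node_modules/@acme/sdk/node_modules/plain-crypto-js": { version: "0.0.0" },
  },
};

const parse = (v) => v.split("-")[0].split(".").map(Number);
const newer = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return false;
};

function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // root, workspace or link entry
    // The name is whatever follows the last node_modules/, so nested
    // (transitive) copies and scoped packages are both covered.
    const name = path.slice(idx + "node_modules/".length);
    if (name === DROPPER) {
      findings.push({ path, version: entry.version, reason: "dropper-present" });
    } else if (name === "axios") {
      const v = parse(entry.version);
      const base = SAFE_AXIOS[v[0]];
      // Over-approximates on purpose: anything newer than the stated safe
      // baseline (or on an unlisted major line) is reported for review.
      if (!base || newer(v, base)) {
        findings.push({ path, version: entry.version, reason: "axios-past-safe-baseline" });
      }
    }
  }
  return findings;
}
```

Feed it `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` for each repository and build cache; a lockfile only shows what was resolved, so vendored copies shipped inside another package's tarball still need the on-disk checks listed above.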
Structural hardening for the long term:
In package.json, remove use of caret (^) or tilde (~) which allow auto-upgrade of any minor or patch update up to a major version. Instead, use an exact version and handle upgrades manually. Adopt Trusted Publishing with OIDC to eliminate stored credentials. Disable or restrict automated dependency bots for critical packages.
Enforce a short quarantine on new package versions by running npm config set min-release-age 3 to delay installation of newly published packages by 72 hours.

INDICATORS OF COMPROMISE — For Easy Copy/Paste

MALICIOUS npm PACKAGES
→ [email protected]
→ [email protected]
→ [email protected]
→ [email protected]
→ @shadanai/[email protected]–2
→ @shadanai/[email protected]–3
→ @shadanai/[email protected]–1
→ @shadanai/[email protected]–2
→ @qqbrowser/[email protected]

C2 INFRASTRUCTURE
→ Domain: sfrclak[.]com
→ IP Address: 142.11.206[.]73
→ Port: 8000
→ Protocol: HTTP POST with hardcoded IE8 user-agent

ATTACKER-CONTROLLED EMAILS
→ ifstap@proton[.]me — used to hijack jasonsaayman npm account
→ nrwise@proton[.]me — used to publish plain-crypto-js dropper

MALWARE ARTIFACTS ON DISK
→ macOS: /Library/Caches/com.apple.act.mond (C++ RAT)
→ Windows: %PROGRAMDATA%\wt.exe (PowerShell RAT)
→ Linux: /tmp/ld.py (Python RAT)

SHA-256 HASHES
→ ad8ba560ae5c4af4758bc68cc6dcf43bae0e0bbf9da680a8dc60a9ef78e22ff7
→ fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf

NETWORK DETECTION SIGNATURE
→ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
→ Outbound HTTP POST to sfrclak[.]com:8000
→ Alert on this UA string on any macOS or Linux host — it is anomalous by definition

SAFE VERSIONS (do not upgrade past these)
→ [email protected] and below
→ [email protected] and below
The bottom line
By compromising a single maintainer account on one of the JavaScript ecosystem’s most depended-upon packages, the attacker gained a delivery mechanism with potential reach into millions of environments. The window was only three hours — but for CI/CD pipelines running overnight installs without pinned versions, three hours was more than enough.
Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks, enabling further software supply chain attacks, SaaS environment compromises, ransomware and extortion events, and cryptocurrency theft over the near term.
The hard lessons here are structural: long-lived npm tokens are a liability, version ranges in production pipelines are an invitation, and the absence of --ignore-scripts in CI continues to be a silent killer. The Axios attack was sophisticated — but it was also stopped by the exact controls many teams still haven't shipped.
All IOCs, hashes, domains, and attribution in this article are sourced directly from validated public disclosures by Microsoft Threat Intelligence, Google Cloud GTIG, Elastic Security Labs, Huntress, Socket Security, Snyk, Palo Alto Unit 42, Arctic Wolf, and Tenable. The reference widget above consolidates all confirmed indicators for defender use.
Reach out if you have questions or comments or want to collaborate.
Session Messenger: 059db238ab37c3d92615c5cc24b694da29c598cc13e27886053722404118e14271

