Back to threat alerts

Axios Supply Chain Attack

A highly critical supply chain attack was identified targeting the axios npm package, a widely utilised HTTP client library. The attack involved the hijack of a lead maintainer’s npm account, which was subsequently used to publish malicious versions of the library. These poisoned releases bypassed established GitHub Actions, CI/CD pipelines, and injected a hidden dependency designed to drop a cross-platform Remote Access Trojan (RAT).

Threat alert
March 31, 2026
Description:  

The threat actor successfully compromised the primary npm account of an axios maintainer (jasonsaayman). The attacker altered the account’s registered email address to an attacker-controlled ProtonMail account ([email protected]) and manually published the compromised versions using a classic npm access token. This manual deployment bypassed the OpenID Connect (OIDC) Trusted Publisher mechanism typically used by the project's automated CI/CD pipelines, meaning the malicious releases lacked SLSA provenance and had no corresponding commits or tags in the axios GitHub repository.

The compromised axios versions contained a single modification to their package.json files: the addition of a malicious dependency named [email protected]. This pre-staged package masqueraded as the legitimate crypto-js library. Upon installation, a post-install hook (node setup.js) executed automatically without requiring user interaction.

This heavily obfuscated script operated as a RAT dropper targeting macOS, Windows, and Linux environments. It contacted a Command and Control (C2) server to download and execute platform-specific second-stage payloads:

  • macOS: Deploys an AppleScript that installs a disguised system daemon at /Library/Caches/com.apple.act.mond.
  • Windows: Copies the legitimate PowerShell binary to %PROGRAMDATA%\wt.exe (disguising it as Windows Terminal) and executes VBScript payloads.
  • Linux: Executes corresponding shell scripts to establish persistence.

The malware initiates a 60-second polling loop to exfiltrate system metadata (hostnames, OS details, and full process lists). Crucially, the dropper features self-cleanup mechanisms; it deletes the initial setup.js script and replaces its own package.json with a benign stub to evade post-infection forensic analysis.  

Vulnerable Versions:

The following axios versions were maliciously published to the npm registry:

Projects configuring their dependencies with carets (e.g., ^1.14.0 or ^0.30.0) were highly susceptible to automatic upgrades to these compromised versions upon running standard install commands.

Mitigations:

Following the incident's discovery, the npm security team intervened and removed both malicious axios versions alongside the plain-crypto-js dropper package from the registry. New installations are currently safe. However, due to the malware's self-destructing nature, traditional dependency scanning of the node_modules folder may not reveal an infection if the package has already run.

The following Indicators of Compromise (IoCs) and artefacts have been publicly disclosed:

  • Directories: Check for the presence of the node_modules/plain-crypto-js directory. Its mere existence confirms the dropper was executed.
  • macOS Artefacts: Verify the existence of the anomalous daemon at /Library/Caches/com.apple.act.mond.
  • Windows Artefacts: Check for the unauthorised PowerShell copy at %PROGRAMDATA%\wt.exe.

Recommendations:
  • Assume Compromise: If any vulnerable version was installed or executed within a local development environment or a CI/CD pipeline, the host system must be treated as fully compromised.
  • Credential Rotation: Immediately rotate all secrets, API keys, and credentials stored on or accessible to the affected machines, as the exfiltrated process lists and system access likely exposed sensitive tokens.
  • Strict Version Pinning: Transition away from automatic minor and patch updates (using ^ or ~) in favour of strict version pinning for critical dependencies to prevent the automated ingestion of poisoned packages.
  • Enhance Pipeline Security: Ensure CI/CD pipelines strictly validate SLSA provenance and OIDC signatures to detect anomalous, manually published packages that bypass source control.
  • Network and Endpoint Monitoring: Monitor environments for suspicious outbound network beacons or unexpected background processes, particularly executions stemming from hidden directories or disguised system binaries.