Axios NPM Supply Chain Attack

Overview

  • Product: Axios npm package

  • Affected releases: axios@1.14.1, axios@0.30.4

  • Malicious dependency: plain-crypto-js@4.2.1

  • Severity: Critical

  • Date: 2 April 2026

  • Publication window: 31 March 2026, 00:21 UTC to 03:29 UTC

  • Impact: Cross-platform remote access trojan deployment across Windows, macOS and Linux when the compromised packages were installed

Summary

The official Axios package on npm was briefly compromised through a maintainer account takeover. The malicious releases added a dependency that executed a hidden post-install script and fetched platform-specific malware, creating a high-impact software supply chain incident with broad exposure across developer workstations, CI pipelines, and build systems.

Affected Versions

  • Compromised Axios releases: 1.14.1, 0.30.4

  • Malicious dependency: plain-crypto-js@4.2.1

  • Known safe guidance: pin to a known safe Axios release such as 1.14.0 or earlier, or 0.30.3 or earlier

  • Note: No CVE identifiers had been published at the time of writing

Vulnerability Breakdown

axios@1.14.1 - Compromised official package release

  • Severity: Critical

  • CVSS: Not published

  • Description: This release of the legitimate Axios package was published with a malicious dependency that executed automatically during installation. The attack bypassed normal trust assumptions by abusing the official package rather than a typosquatted clone.

  • Impact: Installation could lead to remote code execution and full host compromise through deployment of a cross-platform backdoor.

  • Conditions: Risk applies to systems that pulled or installed this version during the malicious publication window.

  • Notes: Exposure is highest in CI/CD pipelines, build agents, and developer environments that install dependencies dynamically.

axios@0.30.4 - Compromised legacy branch release

  • Severity: Critical

  • CVSS: Not published

  • Description: A second malicious Axios release was published on the older branch, also referencing the same staged dependency. This widened the blast radius to environments pinned to the legacy stream.

  • Impact: Affected hosts may have executed attacker-controlled code and downloaded follow-on malware.

  • Conditions: Risk applies where package managers resolved this version during the live attack window.

  • Notes: Organisations should review lockfiles, caches, and build logs for both affected version numbers.

plain-crypto-js@4.2.1 - Malicious dependency and dropper

  • Severity: Critical

  • CVSS: Not published

  • Description: The injected dependency used an obfuscated postinstall script to identify the host operating system and download a platform-specific payload. Reported follow-on activity included a backdoor tracked as WAVESHAPER.V2.

  • Impact: The malware can beacon to command and control infrastructure, execute arbitrary payloads, enumerate files, and support ongoing attacker access.

  • Conditions: Triggered when package installation executed lifecycle scripts.

  • Notes: Reported indicators include /Library/Caches/com.apple.act.mond on macOS, %PROGRAMDATA%\wt.exe on Windows, /tmp/ld.py on Linux, and outbound traffic to sfrclak[.]com or 142.11.206.73:8000.
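
The following is an added example, not part of the advisory or of the Axios project, showing how the indicators listed above can be matched against host and network observations during triage. The log lines and file paths it checks are constructed sample data; the indicator values themselves are the ones reported above, with the domain kept defanged and refanged only at comparison time.

```javascript
// Added example (not from the advisory): match host and network observations
// against the published indicators. All sample inputs below are constructed.
const INDICATORS = {
  domains: ['sfrclak[.]com'],          // kept defanged as published
  ipPorts: ['142.11.206.73:8000'],
  // Platform-specific dropper artefacts reported for plain-crypto-js@4.2.1.
  paths: {
    darwin: ['/Library/Caches/com.apple.act.mond'],
    win32: ['%PROGRAMDATA%\\wt.exe'],
    linux: ['/tmp/ld.py'],
  },
};

// Turn a defanged indicator ("sfrclak[.]com") into its matchable form.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, '.');
}

// Expand %PROGRAMDATA% and lower-case so Windows paths compare reliably.
// The default expansion is an assumption; pass the host's real value if it differs.
function normaliseWindowsPath(p, programData = 'C:\\ProgramData') {
  return p.replace(/%PROGRAMDATA%/i, programData).toLowerCase();
}

// Compare a list of file paths observed on one host against that platform's
// indicators. Returns one hit per matching path.
function matchPaths(platform, observedPaths) {
  const expected = INDICATORS.paths[platform] || [];
  const hits = [];
  for (const observed of observedPaths) {
    for (const ioc of expected) {
      const same = platform === 'win32'
        ? normaliseWindowsPath(observed) === normaliseWindowsPath(ioc)
        : observed === ioc;
      if (same) hits.push({ platform, path: observed, indicator: ioc });
    }
  }
  return hits;
}

// Scan egress or proxy log lines for the network indicators. Each hit records
// the 1-based line number so analysts can pivot back into the log source.
function matchNetworkLogs(lines) {
  const domains = INDICATORS.domains.map(refang);
  const hits = [];
  lines.forEach((line, i) => {
    for (const d of domains) {
      if (line.includes(d)) hits.push({ line: i + 1, indicator: d, text: line });
    }
    for (const ipPort of INDICATORS.ipPorts) {
      if (line.includes(ipPort)) hits.push({ line: i + 1, indicator: ipPort, text: line });
    }
  });
  return hits;
}

// Constructed sample data (hypothetical egress log and per-host path listings).
const SAMPLE_LOG = [
  '2026-03-31T01:12:03Z src=10.0.0.21 dst=sfrclak.com:443 action=allow',
  '2026-03-31T01:12:09Z src=10.0.0.21 dst=142.11.206.73:8000 action=allow',
  '2026-03-31T01:13:00Z src=10.0.0.22 dst=registry.npmjs.org:443 action=allow',
];
const SAMPLE_PATHS = {
  darwin: ['/Library/Caches/com.apple.act.mond', '/Library/Caches/com.example.benign'],
  win32: ['C:\\ProgramData\\wt.exe', 'C:\\ProgramData\\Example\\readme.txt'],
  linux: ['/tmp/ld.py', '/tmp/example-benign'],
};

for (const hit of matchNetworkLogs(SAMPLE_LOG)) {
  console.log(`NETWORK line ${hit.line}: ${hit.indicator}`);
}
for (const platform of Object.keys(SAMPLE_PATHS)) {
  for (const hit of matchPaths(platform, SAMPLE_PATHS[platform])) {
    console.log(`HOST ${platform}: ${hit.path}`);
  }
}
```

In practice the log lines would be read from the egress or proxy log and the path lists from an EDR or file inventory query; the matching functions are unchanged. Exact-match comparison is deliberate: the indicators are specific paths and endpoints, so substring matching on paths would only add false positives.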

Mitigation

  • Identify any environments that installed axios@1.14.1 or axios@0.30.4 during the malicious publication window.

  • Search lockfiles and dependency trees for axios@1.14.1, axios@0.30.4, and plain-crypto-js@4.2.1.

  • Isolate any affected workstation, CI runner, build host, or container immediately.

  • Revoke and reissue credentials, tokens, API keys, SSH keys, and cloud secrets exposed to affected systems.

  • Rebuild compromised environments from a known clean image rather than attempting in-place cleanup.

  • Pin Axios to a known safe version and enforce lockfile integrity using npm ci or equivalent.

  • Block and monitor for sfrclak[.]com and 142.11.206.73:8000.

  • Clear npm, yarn, pnpm, and build cache artefacts to reduce reinfection risk.

  • Consider disabling install scripts in CI where feasible, for example with npm ci --ignore-scripts, after validating package requirements.

Summary for IT Teams

  • Products: Axios npm package, Node.js development and CI environments

  • Threat Level: Critical

  • Action Required: Audit for affected versions, isolate any impacted systems, rotate credentials, rebuild compromised environments, block known infrastructure, and pin to safe Axios versions immediately.

Need Help?

If your organisation needs assistance assessing exposure, containing affected systems, or hardening software supply chain controls, contact Secure ISS on 1300 769 460. Our SOC team can support incident triage, containment, and remediation.

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.