[Alert] Axios Hijacked: RAT Pushed to 100M Weekly Downloads via npm
The popular JavaScript HTTP client axios was hijacked. Versions 1.14.1 and 0.30.4 contained a cross-platform RAT. Google/Mandiant attributed the attack to North Korea-linked UNC1069.
kkm
Backend Engineer / AWS / Django
Malware Planted in "axios" — 100 Million Weekly Downloads
The popular JavaScript HTTP client axios was hijacked in a supply chain attack. Versions 1.14.1 and 0.30.4, published in the early hours of March 31, 2026 (UTC), pulled in a cross-platform remote access trojan (RAT) targeting Windows, macOS, and Linux.
axios is an npm package with over 100 million weekly downloads, widely used across frontend and backend applications. According to analysis by Wiz, axios is present in roughly 80% of cloud environments. The tainted versions were available on npm for approximately 3 hours. Any development machine or CI runner that ran npm install during that window and resolved axios to one of the two new versions was a potential infection target.
Google Threat Intelligence Group (GTIG) / Mandiant attributed this attack to UNC1069 (aka CryptoCore), a cyber-attack group linked to North Korea.
axios and Supply Chain Attacks
axios is an HTTP client library that works in both browsers and Node.js. It is one of the first choices for most JavaScript developers when writing API communication code, and is commonly used alongside major frameworks such as React, Vue, and Express.
A supply chain attack is a technique where an attacker intervenes in the software development and distribution process to inject malware into legitimate packages. Developers become infected simply by running npm install on a library they trust. In this case, a legitimate axios maintainer's account was compromised, and the tainted versions were distributed through the official npm registry.
How It Happened — From Maintainer Account Takeover to RAT Distribution
The attack began with the compromise of the npm account belonging to jasonsaayman, a primary maintainer of axios. According to detailed analysis by Elastic Security Labs, the attacker used a long-lived classic npm access token to take over the account.
What made this particularly insidious was that although the axios v1.x branch had secure publishing via OIDC (OpenID Connect) enabled, the CI workflow was also passing an NPM_TOKEN as an environment variable alongside OIDC. When both are present, npm authenticates with the token and never performs the OIDC exchange, so the long-lived token, not the short-lived OIDC credential, was what actually authorized publishes. OIDC protection was effectively nullified, and whoever held that token could publish without touching the CI pipeline at all.
The attacker only modified package.json, adding a dependency package called plain-crypto-js. Not a single byte of the axios library itself (85 files) was changed, which is why a diff of the library source against the previous release showed nothing. plain-crypto-js was the actual payload.
The postinstall script (setup.js) in plain-crypto-js runs automatically right after npm install, connecting to a C2 server (sfrclak[.]com:8000). Huntress's investigation confirmed that infection was established within 89 seconds of the install starting. An OS-specific RAT (remote access trojan) was then downloaded from the C2, giving the attacker remote control of the machine.
| OS | RAT Location | Execution Method |
|---|---|---|
| macOS | /Library/Caches/com.apple.act.mond | C++ binary launched via AppleScript |
| Windows | %PROGRAMDATA%\wt.exe | VBScript + PowerShell (hidden window) |
| Linux | /tmp/ld.py | Python script (detached so it is re-parented to PID 1) |
The RAT beacons to the C2 every 60 seconds, reporting the hostname, username, OS information, and running processes. On command, the attacker can traverse the file system, perform in-memory PE (Portable Executable) injection to run further code without touching disk, and steal credentials. AWS and GCP cloud tokens as well as SSH keys are explicit exfiltration targets.
The attack also included deliberate evidence destruction. After execution, setup.js deletes itself and replaces the tainted package.json with a pre-prepared clean version carrying legitimate version numbers. Running npm list or npm audit afterward shows nothing unusual.
March 27 to 31: What Happened (interactive timeline, not reproduced in text)
Reactions — npm's Response, Maintainer Statement, and Security Firm Analysis
npm removed the tainted versions within approximately 3 hours and replaced plain-crypto-js with a security placeholder package. However, any environment that ran an install during those 3 hours may already have the RAT running, and removal from the registry does nothing for hosts that were infected.
The compromised maintainer, jasonsaayman, posted a statement on GitHub issue #10604 saying "I had 2FA/MFA enabled on almost everything. I'm trying to understand how this could have happened."
Elastic Security Labs detected the anomaly via automated monitoring the day before the attack (March 30) and filed a GitHub Security Advisory. StepSecurity detected it through Harden-Runner CI/CD monitoring, and Socket reports detecting the tainted version within approximately 6 minutes of publication.
Google/Mandiant CTO Charles Carmakal warned that "credentials stolen over the past two weeks will fuel further supply chain attacks, SaaS environment breaches, ransomware, and cryptocurrency theft in the coming days, weeks, and months."
Technical Perspective — Is Your Project Affected?
The first thing to check is whether you ran npm install during the approximately 3-hour window from 00:21 to 03:29 UTC on March 31. Review your CI/CD execution logs, deployment history, and local shell history. Only installs that actually resolved axios to 1.14.1 or 0.30.4 matter: an npm ci against a lockfile pinning an older version did not fetch the tainted release, whereas a fresh install with no lockfile, a semver range that admitted the new patch version, or an explicit update did. If you did not run an install of any kind during this window, you are most likely unaffected.
For specific verification, search your package-lock.json (including lockfiles captured in CI build artifacts, since a local one may have been regenerated since) for axios 1.14.1 or 0.30.4, and for a plain-crypto-js entry. If the node_modules/plain-crypto-js/ directory exists, the dropper was installed and, unless scripts were disabled for that install, its postinstall hook ran. As mentioned above, setup.js deletes itself after execution and replaces package.json with a clean version, so npm audit will not detect it. The mere existence of the directory is evidence that something was executed.
RAT installation artifacts can be checked per OS. On macOS, look for /Library/Caches/com.apple.act.mond; on Windows, %PROGRAMDATA%\wt.exe; on Linux, /tmp/ld.py. If any of these files are found, you should consider the machine fully compromised.
If a compromise is confirmed, do not attempt to remediate in place. Since the attacker may have already stolen credentials, the recommended approach is to rebuild the machine from a known-good state and rotate all npm tokens, AWS and GCP keys, SSH keys, CI/CD secrets, and any values stored in .env files. Treat every credential that was readable on the host during the infection as exposed, not only those the RAT is known to collect.
Note that end users of browser-based web applications built with axios are not directly affected. The infection vector is the postinstall script at install/build time, not application runtime code; the library code that ships to browsers was unchanged. The risk is limited to development machines and CI/CD environments that ran npm install during this window.
First Compromise of a Top-10 npm Package
Mandiant analyzed this attack as an extension of the TeamPCP campaign, which compromised four OSS projects in succession between March 19 and 27. The same attack group escalated to bigger targets. As we reported in our article on the chain of attacks that started with Trivy, attacks targeting security tools themselves have been ongoing, but this time the reach extended even further to a foundational library of the development ecosystem.
GTIG chief analyst John Hultquist stated, "North Korean hackers have deep experience with supply chain attacks and have historically used them for cryptocurrency theft. The full scope of this incident is not yet clear, but given the popularity of the compromised package, the impact is likely to be widespread."
This was the first time a package of axios's caliber was hijacked on the npm registry. Although the window was a short 3 hours, Wiz's investigation confirmed RAT execution in 3% of affected environments. Since stolen credentials can serve as a foothold for subsequent attacks, the impact does not end with those 3 hours alone.
References
- Elastic Security Labs — "One RAT to Rule Them All"
- Google Cloud / Mandiant — UNC1069 Attribution
- Snyk — Supply Chain Attack Delivers Cross-Platform RAT
- StepSecurity — Axios Compromised on npm
- Socket — Supply Chain Attack on Axios
- Huntress — Supply Chain Compromise: Axios npm Package
- Wiz — Axios npm Compromised in Supply Chain Attack
- The Hacker News — Axios Supply Chain Attack
- TechCrunch — Hacker Hijacks Axios Open Source Project
- GitHub — axios/axios Issue #10604 (Maintainer Statement)