JavaScript developers using the widely popular Axios HTTP client library are facing a critical security threat. On March 30, 2026, two malicious versions of Axios—1.14.1 and 0.30.4—were published to the NPM registry after a primary maintainer's account was compromised.
The Attack Mechanism
The poisoned releases do not directly modify the Axios source code. Instead, they introduce a hidden dependency: `plain-crypto-js@4.2.1`.
This malicious package executes a postinstall script immediately upon installation. This script acts as a dropper for a cross-platform Remote Access Trojan (RAT), targeting Windows, macOS, and Linux systems. Once active, the Trojan establishes communication with a command-and-control (C2) server (sfrclak.com:8000), allowing attackers to execute arbitrary code and exfiltrate sensitive data.
Advanced Evasion Techniques
This supply chain attack is notable for its operational sophistication:
- Anti-Forensics: The RAT dropper is designed to self-destruct. After successful execution, the malware deletes itself and replaces the project's `package.json` with a clean version to evade post-infection analysis.
- Pre-Staging: The malicious `plain-crypto-js` package was published 18 hours in advance to bypass "new-package" security alarms.
- Maintainer Account Hijack: The attack was made possible by hijacking the `jasonsaayman` NPM account, allowing the malicious builds to appear as legitimate releases.
Recommended Remediation Steps
If you have installed or updated to Axios versions 1.14.1 or 0.30.4, your system must be considered compromised. We recommend the following immediate actions:
- Verify Your Versions: Check your `package.json` and `package-lock.json` files for the affected versions.
- Downgrade Immediately: Revert to a known stable and clean version of Axios (e.g., `1.14.0` or `0.30.3`).
- Clean Installation: Run `npm cache clean --force` and perform a fresh install after ensuring the malicious dependency is removed.
- Security Audit: Since the malware may have already executed, perform a full system scan for indicators of compromise (IoCs) and rotate any sensitive credentials (API keys, passwords) that may have been stored on the affected machines.
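The "Verify Your Versions" step above can be automated. The following is an added example (not code from the original post or the Axios project): it walks a parsed `package-lock.json` in either the lockfileVersion 1 (nested `dependencies`) or 2/3 (flat `packages`) layout and reports every entry that matches the poisoned Axios releases or the hidden `plain-crypto-js` dependency; the sample lockfile at the end is constructed for the demo.

```javascript
// Added example (not from the original post): scan a parsed package-lock.json
// for the poisoned Axios releases and the hidden plain-crypto-js dependency.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
const AFFECTED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// lockfileVersion 1: recursive "dependencies" tree, yields [name, version, path].
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = prefix ? `${prefix} > ${name}` : name;
    yield [name, meta.version, where];
    yield* walkV1(meta.dependencies, where);
  }
}

// lockfileVersion 2/3: "packages" map keyed by node_modules paths (scoped names keep their @scope/).
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project itself
    const i = key.lastIndexOf(marker);
    const name = i === -1 ? meta.name || key : key.slice(i + marker.length);
    yield [name, meta.version, key];
  }
}

// Return { name, version, where } for every lockfile entry on the affected list.
function findAffected(lock) {
  const entries = lock.lockfileVersion >= 2 ? walkV2(lock.packages) : walkV1(lock.dependencies, "");
  const hits = [];
  for (const [name, version, where] of entries) {
    if (AFFECTED[name] && AFFECTED[name].has(version)) hits.push({ name, version, where });
  }
  return hits;
}

// Constructed sample lockfile (v3) showing what a poisoned install looks like:
// axios 1.14.1 pulling in plain-crypto-js 4.2.1 as a nested dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
```

Against a real project, call `findAffected(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))`; any non-empty result means the remediation steps above apply to that machine.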
Conclusion
Supply chain attacks continue to pose a major risk to the JavaScript ecosystem. We strongly encourage maintainers to adopt NPM's OIDC Trusted Publisher mechanism to prevent credential-based account takeovers.
Stay vigilant and ensure your development environment remains secure. For more cybersecurity updates, stay tuned to TechChip.