🔍 What Happened
The axios npm supply chain attack occurred on March 31, 2026, when a threat actor compromised the npm account of an Axios package maintainer. Two malicious versions of the widely used Axios npm package (v1.14.1 and v0.30.4) were published. Both versions declared a dependency on a malicious package, plain-crypto-js, which contained the trojanised code.
Although the malicious releases were removed within hours, Axios is present in around 80% of cloud and code environments and downloaded roughly 100 million times per week. This high usage meant that the impact spread rapidly, with some environments executing the malicious code before its removal.
⚠️ Why It Matters
The axios npm supply chain attack shows how much damage a single compromised dependency can do in modern software development. The malicious package installed a lightweight remote access trojan (RAT) that allowed attackers to:
- Remotely execute commands
- Steal credentials and system information
- Persist on compromised systems by modifying registry keys or using platform-specific tactics
- Establish communications with a command and control server for further exploitation
This incident underscores the importance of monitoring dependencies and responding quickly to any indication of compromise. Organisations using Node.js and npm packages are especially at risk, as attackers increasingly target popular open-source libraries in supply chain attacks.
✅ What To Do
To protect your organisation from threats like the axios npm supply chain attack, consider the following steps:
- Audit your environments: Check if versions 1.14.1 or 0.30.4 of Axios were downloaded or executed. Remove any malicious code or artifacts found.
- Rotate credentials: If any malicious package was executed, assume credentials may be compromised. Rotate secrets, API keys, and tokens promptly.
- Investigate further compromise: Review build pipelines and developer systems for signs of unauthorised access, persistence, or suspicious activity.
- Monitor network activity: Watch for outbound connections to suspicious domains (such as sfrclak.com:8000) and look for unexpected HTTP POST requests or process activity related to package installation.
- Stay informed: Follow advisories on GitHub and trusted security blogs for updates on npm package security and supply chain threats.
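For the audit step above, the following Node.js script is an added example (not from the Wiz report or this page's authors) that checks a parsed package-lock.json for the two indicators the advisory names: the malicious axios versions and the plain-crypto-js dependency. The sample lockfile, the package name some-sdk and the `findCompromised` function are constructed for illustration.

```javascript
// Known-bad indicators taken from the advisory above.
const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGE = "plain-crypto-js";

// Record a finding if this package/version matches either indicator.
function check(name, version, path, findings) {
  if (name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(version)) {
    findings.push({ path, reason: `axios ${version} is a known-malicious release` });
  }
  if (name === MALICIOUS_PACKAGE) {
    findings.push({ path, reason: `${name} is the trojanised dependency` });
  }
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, which store a flat
// "packages" map keyed by install path) and return one finding per suspicious
// entry. Nested installs such as node_modules/foo/node_modules/axios are
// covered, which is where a transitive pin to a bad version typically hides.
// Legacy lockfileVersion 1 files (nested "dependencies") are not handled here.
function findCompromised(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // Package name is everything after the last "node_modules/" (keeps @scope/name).
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    check(name, meta.version, path, findings);
  }
  return findings;
}

// Constructed sample (v3 layout): top-level axios is clean, but an SDK pins
// the malicious release, which in turn pulled in plain-crypto-js.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "1.0.0" },
  },
};

// To scan a real project, JSON.parse its package-lock.json and pass the object in.
for (const f of findCompromised(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

A clean top-level axios does not clear a project: the nested copy under some-sdk is what this scan is for, and any hit should trigger the credential rotation step that follows.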
Taking a proactive and layered approach to supply chain security can help reduce risk and limit the impact of similar attacks in the future.
Originally reported by Wiz.