Axios NPM Supply Chain Attack: What Happened and How to Respond

Axios npm Package Compromised: Malicious Versions Distributed in Major Supply Chain Attack

🔍 What Happened

The axios npm supply chain attack occurred on March 31, 2026, when a threat actor compromised the npm account of an Axios package maintainer. Two malicious versions of the widely-used Axios npm package (v1.14.1 and v0.30.4) were published. These versions included a dependency on a malicious package, plain-crypto-js, that contained trojanised code.

Although the malicious releases were removed within hours, Axios is present in around 80% of cloud and code environments and downloaded roughly 100 million times per week. This high usage meant that the impact spread rapidly, with some environments executing the malicious code before its removal.

⚠️ Why It Matters

The axios npm supply chain attack highlights the significant risks of supply chain vulnerabilities in modern software development. The malicious package installed a lightweight remote access trojan (RAT) that allowed attackers to:

  • Remotely execute commands
  • Steal credentials and system information
  • Persist on compromised systems by modifying registry keys or using platform-specific tactics
  • Establish communications with a command and control server for further exploitation

This incident underscores the importance of monitoring dependencies and responding quickly to any indication of compromise. Organisations using Node.js and npm packages are especially at risk, as attackers increasingly target popular open-source libraries in supply chain attacks.

✅ What To Do

To protect your organisation from threats like the axios npm supply chain attack, consider the following steps:

  • Audit your environments: Check if versions 1.14.1 or 0.30.4 of Axios were downloaded or executed. Remove any malicious code or artifacts found.
  • Rotate credentials: If any malicious package was executed, assume credentials may be compromised. Rotate secrets, API keys, and tokens promptly.
  • Investigate further compromise: Review build pipelines and developer systems for signs of unauthorised access, persistence, or suspicious activity.
  • Monitor network activity: Watch for outbound connections to suspicious domains (such as sfrclak.com:8000) and look for unexpected HTTP POST requests or process activity related to package installation.
  • Stay informed: Follow advisories on GitHub and trusted security blogs for updates on npm package security and supply chain threats.
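
As an added example (not code from Wiz, the Axios project or this bulletin), the audit step above can be scripted against a parsed package-lock.json. The function flags axios 1.14.1 and 0.30.4 and any copy of plain-crypto-js, including nested and aliased installs; the sample lockfile is constructed, and treating every plain-crypto-js version as a hit is an assumption.

```javascript
// Added example: flag the Axios releases and the dependency named in this bulletin.
const BAD_VERSIONS = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]);
const BAD_NAMES = new Set(["plain-crypto-js"]); // assumption: any version counts as a hit

function check(name, version, where, out) {
  // lockfileVersion 1 records an alias as "npm:<real-name>@<version>".
  const alias = /^npm:(.+)@([^@]+)$/.exec(version || "");
  if (alias) [, name, version] = alias;
  const reason = BAD_NAMES.has(name) ? "malicious package"
    : BAD_VERSIONS.get(name)?.has(version) ? "compromised release" : null;
  if (reason) out.push({ name, version, where, reason });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, trail, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = `${trail}>${name}`;
    check(name, entry.version, where, out);
    walkV1(entry.dependencies, where, out);
  }
}

// Takes a parsed package-lock.json object and returns an array of findings.
// lockfileVersion 2/3 use a flat "packages" map keyed by install path.
function findCompromised(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path.includes("node_modules/")) continue; // root project, workspaces
      // An aliased install carries the real package name in "name".
      const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
      check(name, entry.version, path, out);
    }
  } else {
    walkV1(lock.dependencies, "root", out);
  }
  return out;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
  "node_modules/legacy/node_modules/axios": { version: "0.30.3" },
  "node_modules/http-alias": { name: "axios", version: "0.30.4" },
} };
console.log(findCompromised(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised`. A clean lockfile today does not show what was installed earlier, so CI caches and install logs from the exposure window still need review.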

Taking a proactive and layered approach to supply chain security can help reduce risk and limit the impact of similar attacks in the future.

Originally reported by Wiz.

About the Author

Elsie Day

Senior Security Consultant

A graduate in Criminology, Elsie also has an MSc in Crime Science with Cyber Crime from UCL. She brings a solid foundation in cyber security principles and practices.

With a research background in human factors in cyber security, Elsie brings a proactive approach to analysing security landscapes. Highly analytical and committed to supporting clients, she excels at crafting solutions to enhance organisational resilience.

Elsie is proficient in identifying and addressing cyber threats, and committed to staying ahead in the ever-evolving digital security landscape. Her analytical skills, honed through experience and academic studies, enable her to extract valuable insights to inform strategic decisions.

Enthusiastic and knowledgeable, Elsie strives to be a catalyst for change in security paradigms, and is dedicated to developing innovative approaches to combat emerging threats.

Category: Vulnerabilities
Published: Apr 1 - 2026