Breaking: Axios npm supply chain attack — what happened, who's at risk, and what to do now

Written By Matthew Pace
Security Advisory Supply Chain Matthew Pace, CISO  ·  March 31, 2026

Today, attackers compromised the npm account of the primary axios maintainer and published two malicious versions of the library — present in roughly 80% of cloud and JavaScript environments. If your CI/CD pipeline ran npm install between 00:21 and 03:15 UTC today, you may be affected.

What happened

Axios is one of the most widely used JavaScript HTTP client libraries, downloaded approximately 100 million times per week. On March 31, 2026, a threat actor hijacked the npm account of its lead maintainer (jasonsaayman), changed its registered email to an attacker-controlled ProtonMail address, and used a stolen long-lived npm access token to publish two poisoned versions directly to the registry — bypassing GitHub Actions and the project's CI/CD pipeline entirely.

The malicious versions injected a fake dependency — plain-crypto-js@4.2.1 — that was never referenced in the actual code. This "phantom dependency" is an unambiguous indicator of tampering. Once installed, it executed a postinstall script that dropped a cross-platform Remote Access Trojan (RAT) onto the host machine, communicating with an attacker-controlled command-and-control server.

A critical tell that expert defenders caught immediately: legitimate axios releases always include OIDC provenance metadata and SLSA build attestations. The malicious versions had none — they were published directly, leaving no verifiable build trail.

Attack timeline

Mar 30 · 05:57 UTC
Attacker pre-stages plain-crypto-js@4.2.1 as a clean decoy to establish registry trust
Mar 30 · 23:59 UTC
Malicious plain-crypto-js@4.2.1 published — RAT dropper activated
Mar 31 · 00:21 UTC — CRITICAL
axios@1.14.1 published using compromised maintainer credentials
Mar 31 · 01:00 UTC — CRITICAL
axios@0.30.4 published — targeting legacy axios users
Mar 31 · ~03:15 UTC
Both malicious axios versions removed from npm registry
Mar 31 · 03:25 UTC
npm places security hold on plain-crypto-js

What the malware does

The RAT payload was purpose-built for cross-platform stealth. On macOS, it used AppleScript to download and execute a binary disguised as a system process. On Windows, it leveraged VBScript and PowerShell with persistence mechanisms disguised as system binaries. On Linux, it dropped a Python script and executed it in the background via nohup. All three variants communicated with the same C2 infrastructure, with traffic engineered to mimic legitimate npm registry activity.

Indicators of compromise (IOCs)

Type Value
Malicious packageaxios@1.14.1
Malicious packageaxios@0.30.4
Injected dependencyplain-crypto-js@4.2.1
C2 serversfrclak.com:8000
Attacker emailifstap@proton.me
Package publishernrwise (nrwise@proton.me)
CVE trackingGHSA-fw8c-xr5c-95f9 · MAL-2026-2306

Additional packages distributing the same payload

Socket identified two additional packages carrying the same malware via vendored dependencies:

@shadanai/openclaw — versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, 2026.3.31-2

@qqbrowser/openclaw-qbot@0.0.130 — ships a tampered axios@1.14.1 in its node_modules/

How to check if you're affected

  1. Search your lockfiles (package-lock.json or yarn.lock) for axios@1.14.1, axios@0.30.4, or plain-crypto-js@4.2.1
  2. Review CI/CD build logs for any npm install runs between 00:21–03:15 UTC on March 31, 2026
  3. Search endpoint and network logs for outbound connections to sfrclak.com:8000 — confirmed C2 server
  4. Also audit for @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130 — secondary packages confirmed distributing the same payload
  5. If any of the above match: treat the affected system as fully compromised, rotate all credentials and API keys, and initiate a full forensic investigation for RAT persistence

Note for security teams: Even if your environment installed these versions, execution of the payload requires the postinstall hook to have run. Environments using --ignore-scripts during installation would not have triggered the dropper — though you should still audit for the presence of the affected packages.

How we do it at Emergence AI

Supply chain attacks like this follow a playbook we know well — and have responded to firsthand. Our defense posture is built around the assumption that trusted packages can be compromised, not as a theoretical edge case but as an operational reality.

Exact version pinning with CI enforcement. Every dependency across our services uses exact version specifiers — enforced by automated validation scripts running as both pre-commit hooks and required CI checks on every pull request. A malicious new release like axios@1.14.1 can't silently enter our dependency tree because loose version ranges simply don't merge.
Committed lockfiles with frozen installs. Our CI and Docker builds use frozen lockfile installs that fail if the lockfile doesn't match. The lockfile is the gate — nothing changes without a human explicitly updating it.
SBOM generation. We generate SPDX Software Bills of Materials for our service packages, giving us an auditable inventory of exactly what ships in each build.
OIDC workload identity, not long-lived tokens. This attack started with a stolen long-lived npm access token. We authenticate to cloud services and registries using short-lived OIDC tokens via Workload Identity Federation. There are no persistent credentials to steal and replay.
Postinstall scripts disabled in CI. Even if a malicious package lands in the tree, the hook never runs. This blocks the entire dropper class of attack at its root.
OIDC provenance and SLSA build attestations. Absence of provenance on a new release is a signal, not a silent pass-through — exactly the tell that flagged the malicious axios versions.
Package release age policies. New releases under 72 hours old don't enter our supply chain. The security community gets time to analyze before we adopt.
Outbound connection monitoring in build environments. Unexpected network activity — like a C2 callback mid-install — gets flagged in real time.

What every engineering team should do now

Beyond the immediate triage steps above, the following controls would have blocked or significantly reduced the blast radius of this attack for any organization:

  1. Pin all dependencies to exact versions and commit your lockfile to version control
  2. Replace npm install with npm ci in all CI/CD pipelines
  3. Add --ignore-scripts to npm installs in build environments where lifecycle hooks aren't required
  4. Require SLSA provenance and OIDC attestations on critical package versions — treat missing provenance as a red flag
  5. Implement a package release cooldown — reject packages published within the last 72 hours in automated pipelines
  6. Audit npm maintainer account security: disable long-lived classic access tokens, enforce MFA, and move to short-lived OIDC tokens tied to GitHub Actions

The lesson isn't to stop trusting open source. It's to stop assuming trust without verification. This attack didn't exploit a zero-day. It exploited a human account with too much access and too few controls around it. That's a solvable problem.

Matthew Pace is CISO at Emergence AI, an autonomous agent orchestration platform for enterprise. For security inquiries or to report a vulnerability, see our trust portal.

Matthew Pace
Next

Trust by Design: Our UX Principles for Building Trustable Data Agents