The March 2026 Axios NPM Supply Chain Attack: Detection with ArmorCode
On March 30-31, 2026, the Axios NPM package was compromised in one of the most significant NPM supply chain attacks to date. With over 100 million weekly downloads, Axios is a foundational HTTP client used across the JavaScript ecosystem. An attacker hijacked the NPM account of the lead maintainer and published two malicious versions that deployed a cross-platform Remote Access Trojan (RAT) on any machine that ran npm install. This follows the September 2025 NPM supply chain attack that compromised 200+ packages, and shares the same underlying pattern: compromised maintainer credentials used to publish poisoned versions.
This post covers what happened, what makes this attack technically distinct, and how our ArmorCode customers can detect any exposure across their application portfolio.
The Attack: Account Hijack to RAT Deployment
The attacker compromised the NPM credentials of Axios maintainer jasonsaayman and changed the account email to ifstap@proton.me. Rather than modifying the Axios code directly, the attacker published two new versions that added a single phantom dependency:
- axios@1.14.1 (1.x release line)
- axios@0.30.4 (0.x legacy line)
Both versions inject plain-crypto-js@^4.2.1 into the dependency tree. This package was created by the attacker (staging account: nrwise@proton.me) and has no legitimate purpose. It is never imported or referenced anywhere in the Axios codebase. Its only function is to execute a postinstall script that drops a platform-specific RAT.
Advisory: GHSA-fw8c-xr5c-95f9
Timeline (UTC)
| Timestamp | Event |
| --- | --- |
| Mar 30, 05:57 | plain-crypto-js@4.2.0 published (clean decoy staging) |
| Mar 30, 23:59 | plain-crypto-js@4.2.1 published with postinstall RAT dropper |
| Mar 31, 00:05 | Automated malware detection flags plain-crypto-js (~6 minutes) |
| Mar 31, 00:21 | axios@1.14.1 published with malicious dependency |
| Mar 31, 01:00 | axios@0.30.4 published (39 min later, targeting legacy users) |
| Mar 31, ~03:15 | NPM removes both compromised Axios versions |
The attack window was approximately 3-4 hours. Any project that ran npm install with caret ranges (e.g., ^1.14.0) during this window could have resolved to the compromised version.
How the Malware Works
The plain-crypto-js@4.2.1 package contains a setup.js dropper (4,209 bytes) that executes via NPM’s postinstall lifecycle hook. The dropper uses two-layer obfuscation: reversed Base64 combined with an XOR cipher (key derived from OrDeR_7077, constant 333). Sensitive Node.js modules (fs, os, child_process) are loaded dynamically at runtime to bypass static analysis.
Platform-specific payloads:
| Platform | Delivery | Artifact Path | Technique |
| --- | --- | --- | --- |
| macOS | AppleScript + Zsh | /Library/Caches/com.apple.act.mond | Spoofs Apple daemon name |
| Windows | VBScript + PowerShell | %PROGRAMDATA%\wt.exe | Copies PowerShell to evade EDR |
| Linux | curl + nohup | /tmp/ld.py | Detached Python process |
The macOS RAT beacons to sfrclak.com:8000 every 60 seconds with system fingerprinting data. It supports remote command execution, directory enumeration, binary deployment with ad-hoc code signing, and process termination.
Anti-forensics: After executing, the dropper deletes setup.js and the malicious package.json, then renames a pre-staged clean package.md to package.json. This means inspecting node_modules/plain-crypto-js/ after installation shows version 4.2.0 metadata, while the 4.2.1 dropper has already executed. The node_modules/plain-crypto-js/ directory itself still persists, which makes it a stronger forensic artifact than the package metadata inside it.
What Made This Axios NPM Attack Different
Unlike the September 2025 attack (browser-only crypto-stealing malware via phishing), the Axios compromise deployed a full-featured RAT with system-level access. Key differences:
| | September 2025 Attack | March 2026 Axios Attack |
| --- | --- | --- |
| Vector | Maintainer phishing (200+ accounts) | Single account credential theft |
| Payload | Browser-only crypto address replacement | Cross-platform RAT with full system control |
| Scope | 27+ packages, billions of downloads | 1 package (Axios), 100M+ weekly downloads |
| Execution | Runtime (in browser) | Install-time (postinstall hook) |
| Persistence | None (in-memory only) | RAT with C2 beaconing every 60 seconds |
| Detection signal | Modified code in the package source | Phantom dependency never imported in code |
A critical detection signal: the legitimate axios@1.14.0 was published via GitHub Actions with OIDC Trusted Publishing. The malicious 1.14.1 was published manually using a stolen NPM token with no corresponding GitHub tag, release, or repository commit. This publishing-method mismatch is a strong indicator of compromise that automated systems can check.
Related Malicious Packages
Security researchers identified two additional packages distributing the same RAT payload through vendored dependencies:
- @shadanai/openclaw (v2026.3.31-1, v2026.3.31-2)
- @qqbrowser/openclaw-qbot (v0.0.130)
These use the same setup.js dropper and C2 infrastructure, suggesting a broader campaign beyond just Axios.
Detecting the Axios Supply Chain Attack with ArmorCode
ArmorCode provides three ways to check your exposure to this attack. All three have been updated with out-of-the-box support for this specific attack, requiring no manual configuration.
1. Ask Anya
The fastest way to check your exposure is to ask Anya, ArmorCode’s virtual security champion built into the ArmorCode Agentic AI Platform. A default prompt is already available:
“Am I vulnerable to the Axios supply chain attack?”
Anya will surface affected findings with direct links to drill down, highlight which applications in your portfolio contain the compromised components, and provide risk context with severity classification.
2. Findings Page: Saved View
A pre-built saved view called “Axios Supply Chain Attack” is available on the Findings page. Open it to instantly see all findings matching the compromised packages across your connected scanners.
The view uses this query:
(componentAffectedVersion IN ('1.14.1', '0.30.4') AND componentName IN ('axios'))
OR (componentAffectedVersion IN ('4.2.1') AND componentName IN ('plain-crypto-js'))
This surfaces findings from all your integrated tools, including SCA scanners, dependency analyzers, and any source that reports component-level vulnerability data.
3. SBOM Page: Saved Views
Two saved views are available under the “Axios Supply Chain Attack” folder on the SBOM (Assets) page:
- Axios Affected Versions: shows all assets containing axios@1.14.1 or axios@0.30.4
- Plain-Crypto-JS Affected Version: shows all assets containing plain-crypto-js@4.2.1
These SBOM views show which applications and repositories have the compromised components in their software bill of materials, even before any scanner has flagged a specific vulnerability finding. This is particularly useful for catching transitive dependencies where Axios is pulled in by another package.
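To see the transitive exposure these SBOM views are meant to surface, here is an added example (not ArmorCode's code) that walks a CycloneDX 1.x JSON SBOM, whose components, dependencies and metadata.component fields are assumed to follow the CycloneDX JSON schema, and reconstructs the dependency path from the root to each compromised component:

```javascript
// Added example, not ArmorCode's code: walk a CycloneDX 1.x JSON SBOM (assumed
// schema: components[], dependencies[{ref, dependsOn}], metadata.component) and
// report each compromised component with its dependency path from the root, so
// an axios pulled in transitively by another package is still visible.
const BAD = new Set(["axios@1.14.1", "axios@0.30.4", "plain-crypto-js@4.2.1"]);

// child bom-ref -> list of parent bom-refs, built from the SBOM dependency graph.
function parentMap(bom) {
  const parents = new Map();
  for (const d of bom.dependencies || []) {
    for (const child of d.dependsOn || []) {
      if (!parents.has(child)) parents.set(child, []);
      parents.get(child).push(d.ref);
    }
  }
  return parents;
}
// Breadth-first walk upward from `ref`; returns the shortest root -> ref path
// as bom-refs, or [ref] alone if the component is not reachable from the root.
function pathFromRoot(bom, ref) {
  const parents = parentMap(bom);
  const root = bom.metadata && bom.metadata.component ? bom.metadata.component["bom-ref"] : undefined;
  const seen = new Set([ref]);
  let frontier = [[ref]];
  while (frontier.length) {
    const next = [];
    for (const p of frontier) {
      if (p[0] === root) return p;
      for (const parent of parents.get(p[0]) || []) {
        if (!seen.has(parent)) { seen.add(parent); next.push([parent, ...p]); }
      }
    }
    frontier = next;
  }
  return [ref];
}
// Returns [{name, version, path}] for every component whose name@version is in BAD.
function findCompromisedComponents(bom) {
  return (bom.components || [])
    .filter(c => BAD.has(`${c.name}@${c.version}`))
    .map(c => ({ name: c.name, version: c.version, path: pathFromRoot(bom, c["bom-ref"]) }));
}

// Constructed sample SBOM (not a real project's): axios arrives via "some-sdk".
const SAMPLE_BOM = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  metadata: { component: { "bom-ref": "app", name: "demo-app", version: "1.0.0" } },
  components: [
    { type: "library", "bom-ref": "some-sdk", name: "some-sdk", version: "2.0.0" },
    { type: "library", "bom-ref": "axios", name: "axios", version: "1.14.1" },
    { type: "library", "bom-ref": "pcj", name: "plain-crypto-js", version: "4.2.1" },
  ],
  dependencies: [{ ref: "app", dependsOn: ["some-sdk"] }, { ref: "some-sdk", dependsOn: ["axios"] }, { ref: "axios", dependsOn: ["pcj"] }],
};
```

For the sample, the axios hit reports the path app > some-sdk > axios, which is the information needed to decide which direct dependency to pin or replace.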
Packages and Versions to Look For
| Package | Version | Risk |
| --- | --- | --- |
| axios | 1.14.1 | Compromised: pulls in RAT via plain-crypto-js |
| axios | 0.30.4 | Compromised: pulls in RAT via plain-crypto-js |
| plain-crypto-js | 4.2.1 | Malware payload: RAT dropper with postinstall hook |
Finding plain-crypto-js in any application is a stronger indicator of active compromise than the Axios versions alone. This package was created entirely by the attacker and has no legitimate use in any project.
Indicators of Compromise
If your scanners or SBOM data show any of the above packages, check for these artifacts on machines where npm install was run:
| Indicator | Value |
| --- | --- |
| C2 Domain | sfrclak.com |
| C2 IP | 142.11.206.73 |
| C2 Port | 8000 |
| macOS artifact | /Library/Caches/com.apple.act.mond |
| Windows artifacts | %PROGRAMDATA%\wt.exe, %TEMP%\6202033.* |
| Linux artifact | /tmp/ld.py |
| NPM directory | node_modules/plain-crypto-js/ (persists after self-cleanup) |
If any RAT artifacts are found, assume full system compromise. Rotate all credentials accessible from that machine: NPM tokens, AWS keys, SSH keys, CI/CD secrets, database passwords, and API keys.
Protecting Your Organization Going Forward
For a detailed guide on long-term NPM supply chain defenses, including lockfile enforcement, SemVer range hardening, dependency cooldowns, and trusted publishing, see our companion post: Defending Against NPM Supply Chain Attacks: A Practical Guide.
ArmorCode helps security teams respond to NPM supply chain incidents in seconds. Anya, Findings saved views, and SBOM saved views are available now with no additional setup required.
See how Anya, ArmorCode’s agentic AI framework for enterprises, can keep applications safe from supply chain attacks in this demo video.