
Axios npm Package Compromised

ChriseMarch 31, 2026 at 10 PM WAT

Axios npm Package Backdoored in Supply Chain Attack

Axios versions 1.14.1 and 0.30.4 were backdoored in a supply chain attack that delivered cross-platform malware.

One of the most popular JavaScript packages out there, Axios (over 100 million weekly downloads), got compromised. Someone hijacked a maintainer's npm account, swapped the email to a ProtonMail address, and pushed out two malicious versions: 1.14.1 and 0.30.4. They were live for about three hours before being pulled.

But they didn't mess with Axios's own code directly. Instead, they added a hidden dependency called plain-crypto-js to the package.json. When you installed Axios, that package ran an install script that phoned home to a server (sfrclak.com:8000) and dropped a remote access trojan tailored to your operating system. Windows, Mac, Linux, all covered. The malware then tried to wipe its tracks, so poking around node_modules afterward might show nothing at all.

Check If You Got Hit

If you installed Axios between roughly 00:21 UTC and 03:29 UTC on March 31, or if you spot these versions in your lockfile, assume your system is compromised.

  • Check your lockfile: Run npm ls axios | grep -E '1\.14\.1|0\.30\.4'. If either version shows up, you pulled the bad one.
  • Look for plain-crypto-js: Run npm ls plain-crypto-js or search your node_modules folder. If it's there, the dropper ran.
  • Look for RAT leftovers:
    • On macOS: /Library/Caches/com.apple.act.mond
    • On Windows: %PROGRAMDATA%\wt.exe (it's a renamed PowerShell binary)
    • On Linux: /tmp/ld.py
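The lockfile check above, as an added example (not code from the original post or from the Axios project): a Node script that walks a package-lock.json in both the v1 (nested "dependencies") and v2/v3 ("packages") layouts and reports the backdoored Axios versions and the plain-crypto-js dropper. The lockfile embedded below is constructed sample input, and the dropper version in it is a placeholder, not the real one.

```javascript
// Added example: scan a package-lock.json for the two backdoored Axios
// releases and the plain-crypto-js dropper named in the post.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER = "plain-crypto-js";

// Collect {name, version} pairs from lockfileVersion 1 (nested
// "dependencies") and lockfileVersion 2/3 ("packages" keyed by path).
function collectEntries(lock) {
  const out = [];
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, version: meta.version });
      walk(meta.dependencies); // v1 nests transitive deps
    }
  };
  walk(lock.dependencies);
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, version: meta.version });
  }
  return out;
}

// Return human-readable findings; an empty array means no indicator present.
function findIndicators(lock) {
  const hits = [];
  for (const { name, version } of collectEntries(lock)) {
    if (name === "axios" && BAD_AXIOS.has(version)) {
      hits.push(`axios@${version} (backdoored release)`);
    }
    if (name === DROPPER) {
      hits.push(`${DROPPER}@${version} (dropper dependency)`);
    }
  }
  return hits;
}

// Constructed sample lockfile (v3 layout) from a project that pulled the bad
// release; the dropper version is a placeholder, not the real one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

const findings = findIndicators(SAMPLE_LOCK);
console.log(findings.length ? findings.join("\n") : "no indicators found");
```

To run it against a real lockfile, replace SAMPLE_LOCK with JSON.parse of the file's contents; a clean project yields no findings.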

What to Do Now

The consensus among security folks is: if you installed those versions, treat your machine as fully compromised. Don't try to clean it in place. Here's the playbook.

  • Pull the system off the network immediately.
  • Rotate every credential that was on that machine. npm tokens, AWS keys, SSH keys, cloud creds, CI/CD secrets, anything in .env files. Attackers usually move fast, within hours.
  • Downgrade Axios to a clean version: 1.14.0 or 0.30.3. Pin it in your package.json so it doesn't grab the bad one again.
  • Kill plain-crypto-js from your node_modules. If you're on a shared or CI box, comb through pipeline logs for any runs that touched the affected versions and rotate those secrets too.
  • Rebuild from a clean state. Wipe it. Start fresh.

The bad versions are gone from npm now, but if you installed during that window, the RAT had time to run and dial home. The window is tight, but checking now is better than not checking at all.

Tags

#axios#data-defense#npm#security#supply-chain#trojan
