Axios npm Package Compromised
Axios npm Package Backdoored in Supply Chain Attack
Axios versions 1.14.1 and 0.30.4 were backdoored in a supply chain attack that delivered cross-platform malware.
One of the most popular JavaScript packages out there, Axios (over 100 million weekly downloads), got compromised. Someone hijacked a maintainer's npm account, swapped the email to a ProtonMail address, and pushed out two malicious versions: 1.14.1 and 0.30.4. They were live for about three hours before being pulled.
But they didn't mess with Axios directly. Interestingly, they added a hidden dependency called plain-crypto-js@4.2.1 to the package.json. When you installed Axios, that package ran a script that phoned home to a server (sfrclak.com:8000) and dropped a remote access trojan tailored to your operating system. Windows, Mac, Linux, all covered. Then the malware tried to wipe its tracks, so poking around node_modules afterward might show nothing at all.
Check If You Got Hit
If you installed Axios between roughly ~00:21 UTC and ~03:29 UTC on March 31, or if you spot these versions in your lockfile, assume your system is compromised.
- Check your lockfile: Run Run npm ls axios | grep -E '1.14.1|0.30.4'. If either version shows up, you pulled the bad one.
- Look for plain-crypto-js: Run npm ls plain-crypto-js or search your node_modules folder. If it's there, the dropper ran.
- Look for RAT leftovers:
- On macOS: /Library/Caches/com.apple.act.mond
- On Windows: %PROGRAMDATA%\wt.exe (it's a renamed PowerShell binary)
- On Linux: /tmp/ld.py
What to Do Now
Word on the street from security folks is: if you installed those versions, treat your machine as fully compromised. Don't try to clean it in place. Here's the playbook.
- Pull the system off the network immediately.
- Rotate every credential that was on that machine. npm tokens, AWS keys, SSH keys, cloud creds, CI/CD secrets, anything in .env files. Attackers usually move fast, within hours.
- Downgrade Axios to a clean version: 1.14.0 or 0.30.3. Pin it in your package.json so it doesn't grab the bad one again.
- Kill plain-crypto-js from your node_modules. If you're on a shared or CI box, comb through pipeline logs for any runs that touched the affected versions and rotate those secrets too.
- Rebuild from a clean state. Wipe it. Start fresh.
The bad versions are gone from npm now, but if you installed during that window, the RAT had time to run and dial home. The window is tight, but checking now is better than not checking at all.
Tags
Join the Discussion
Enjoyed this? Ask questions, share your take (hot, lukewarm, or undecided), or follow the thread with people in real time. The community’s open, join us.
Latest in Data Defense
Mini Shai Hulud Wormed Its Way Into GitHub
May 20, 2026
Shai-Hulud And npm In The Same Sentence?
May 20, 2026
Axios npm Package Backdoored in Supply Chain Attack
Mar 31, 2026
DarkSword: iPhone Exploit Code Is Now Public
Mar 24, 2026
Scam Messages Are Flooding WhatsApp and SMS Again. Learn How To Stay Safe
Mar 14, 2026
