Listen to this Post

Introduction
On March 31, 2026, the widely used Axios HTTP client (83 million weekly downloads) was compromised when an attacker obtained a lead maintainer’s npm credentials, swapped the account email to a ProtonMail address, and manually published two malicious versions (1.14.1 and 0.30.4). Instead of modifying Axios directly, the attacker injected a fake dependency, [email protected], whose postinstall script deploys a cross-platform Remote Access Trojan (RAT) on macOS, Windows, and Linux – then self-destructs to evade forensic analysis.
Learning Objectives
- Identify compromised Axios versions and detect the `plain-crypto-js` dependency in your environment.
- Execute forensic commands to uncover RAT persistence and artifacts on Linux and Windows.
- Implement supply chain hardening measures including npm token rotation, CI/CD pipeline controls, and dependency pinning.
You Should Know
- Identifying Compromised Axios Versions and the Malicious Dependency
The attack published `[email protected]` and `[email protected]` directly to npm, bypassing the project’s GitHub Actions CI/CD. The malicious code lives not in Axios but in a fake dependency: [email protected]. This package runs a `postinstall` script that downloads and executes a pre‑built RAT.
Step‑by‑step detection:
- Check your `package-lock.json` or `yarn.lock` for the presence of
plain-crypto-js:Linux / macOS / Git Bash grep -i "plain-crypto-js" package-lock.json grep -i "plain-crypto-js" yarn.lock
Windows (PowerShell) Select-String -Path package-lock.json -Pattern "plain-crypto-js"
-
List all installed Axios versions (run inside your project root):
npm list axios or yarn list axios
-
If you see version 1.14.1 or 0.30.4, assume compromise. Also check for any dependency that includes
plain-crypto-js:npm ls plain-crypto-js
-
Inspect the `postinstall` script of any suspicious package (if still present):
Extract and examine cat node_modules/plain-crypto-js/package.json | grep postinstall cat node_modules/plain-crypto-js/install.js or the actual script file
2. RAT Payload Extraction and Self‑Destruct Analysis
The attacker pre‑staged three OS‑specific payloads 18 hours in advance. The `postinstall` script determines the OS, fetches the appropriate RAT, executes it, and then deletes itself.
Step‑by‑step forensic reconstruction:
- Simulate the download (safe, isolated environment) – do not run on production:
Use a sandbox or VM docker run --rm -it node:18 bash npm install [email protected]
-
Capture network traffic to see the payload URL (example, but actual domains vary):
sudo tcpdump -i eth0 -w rat_capture.pcap Then trigger the install in another terminal
-
On Linux, look for post‑execution artifacts – the RAT may have installed a systemd service or cron job:
Check for new services systemctl list-units --type=service --all | grep -i "rat|unknown" Check user crontab crontab -l Check systemd timers systemctl list-timers
-
On Windows, use PowerShell to scan for suspicious scheduled tasks and startup entries:
Get-ScheduledTask | Where-Object {$<em>.TaskName -like "rat" -or $</em>.TaskPath -like "unknown"} Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
3. Post‑Exploitation: Rotating Secrets and Credentials
If you ran either affected version, assume full system compromise. The RAT can exfiltrate environment variables, `.env` files, SSH keys, cloud tokens, and npm credentials.
Step‑by‑step emergency rotation (execute in this order):
1. Revoke and regenerate all npm tokens:
npm token list npm token revoke <token-id> npm token create
- Rotate cloud provider keys (AWS, GCP, Azure, etc.):
AWS example aws iam create-access-key --user-name <your-user> aws iam delete-access-key --access-key-id <old-key> --user-name <your-user>
3. Regenerate SSH keys (on Linux/macOS):
rm ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ssh-keygen -t rsa -b 4096 -C "[email protected]"
On Windows (PowerShell as Admin):
Remove-Item $env:USERPROFILE.ssh\id_rsa ssh-keygen -t rsa -b 4096 -C "[email protected]"
- Rotate all API keys, database passwords, and any secrets stored in environment variables. Use a secrets manager like HashiCorp Vault or at least a password manager to generate new random strings.
4. Pinning Safe Versions and Hardening npm Workflows
The safe versions are `[email protected]` (for 1.x users) and `[email protected]` (for 0.x users). Do not simply update to the latest – pin explicitly.
Step‑by‑step mitigation:
- Update your `package.json` to pin the safe version:
{ "dependencies": { "axios": "1.14.0" } }
Then run:
rm -rf node_modules package-lock.json npm cache clean --force npm install
- Prevent future automatic updates to malicious versions by using `npm shrinkwrap` or
overrides:// In package.json "overrides": { "axios": "1.14.0" } -
Enable `npm audit` and CI integration:
npm audit --production
Add to GitHub Actions:
- name: npm audit run: npm audit --production --audit-level=high
- Detecting the Axios RAT with YARA and Endpoint Scanners
The attacker pre‑built three payloads. While the postinstall script self‑destructs, the RAT binary may remain or have persistence mechanisms.
Step‑by‑step YARA rule for Linux RAT (example signature based on known indicators):
rule axios_rat_linux {
meta:
description = "Detects RAT deployed by plain-crypto-js postinstall"
date = "2026-04-03"
strings:
$s1 = "axios_rat_main" ascii
$s2 = "plain-crypto-js" ascii
$hex1 = { 6A 00 68 00 01 00 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? } // partial socket code
condition:
any of ($s) or $hex1
}
Run YARA on Linux:
yara -r axios_rat.yara /usr/bin /usr/local/bin /opt
On Windows, use Sysinternals Autoruns and Process Explorer:
List all running processes and check for unknown binaries
Get-Process | Where-Object {$<em>.Path -like "temp" -or $</em>.Path -like "roaming"}
Check for network connections to suspicious IPs
netstat -ano | findstr "ESTABLISHED"
6. CI/CD Pipeline Hardening Against Maintainer Account Takeover
The attack succeeded because the maintainer’s npm credentials were compromised and the pipeline’s normal CI/CD (GitHub Actions) was bypassed entirely. Manual publish should be impossible or require MFA.
Step‑by‑step hardening:
- Require two‑factor authentication (2FA) on npm for all maintainers. Enforce with `npm profile set –enable-two-factor-auth` and require it for publishing:
npm profile set two-factor-auth "auth-and-writes"
-
Use `publishConfig` in `package.json` to restrict publishing to CI only:
"publishConfig": { "access": "public", "registry": "https://registry.npmjs.org", "tag": "latest", "provenance": true } -
Configure GitHub Actions to prevent manual publish overrides – use environment protection rules and require a specific runner:
name: Publish to npm on: release: types: [bash] jobs: publish: runs-on: ubuntu-latest environment: npm-publish requires approval steps:</p></li> <li><p>run: npm publish --provenance
-
Monitor npm account activity – use webhooks or npm audit signatures. For enterprise, consider using a private registry proxy (Verdaccio, JFrog Artifactory) with allowlisting.
7. Forensic Timeline and RAT Self‑Destruct Evasion
The attacker staged payloads 18 hours before publishing and released both malicious versions within 39 minutes. The `postinstall` script typically downloads the RAT, executes it, then removes the script and the fake package folder.
Step‑by‑step recovery of deleted artifacts (Linux):
If the attack happened recently, you might recover the `postinstall` script from disk or memory:
Use grep on the raw disk block (unmount if possible) sudo grep -a -A 50 -B 5 "plain-crypto-js" /dev/sda1 > recovered_script.txt Check bash history for any wget/curl commands executed during npm install cat ~/.bash_history | grep -E "curl|wget|https?://"
On Windows, use `recuva` or `FTK Imager` to carve deleted files from `%temp%` and %appdata%\npm-cache. The RAT may have used `rundll32` or `regsvr32` to execute – check Windows Event Logs (Event ID 4688 for process creation):
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$<em>.Message -like "rundll32" -or $</em>.Message -like "plain-crypto"}
What Undercode Say
- Key Takeaway 1: Supply chain attacks no longer need to hide malicious code in the primary package – injecting a single, self‑destructing dependency can achieve full system compromise while bypassing static analysis.
- Key Takeaway 2: Manual publication bypassing CI/CD is a critical control failure. Organizations must enforce MFA on package registries, require provenance, and monitor for unexpected version releases.
The Axios incident is a textbook example of surgical, low‑noise compromise. The attacker understood the trust model of npm: maintainer credentials are the ultimate keys to the kingdom. Even with GitHub Actions in place, a single manual override nullified all pipeline protections. This attack will likely trigger a wave of similar “dependency‑in‑dependency” backdoors because postinstall scripts remain a powerful, often overlooked vector. The self‑destruct feature makes incident response extremely difficult – by the time a team realizes they are compromised, the installer has already deleted itself. Organizations should immediately scan for `plain-crypto-js` and any unknown postinstall scripts, and consider blocking all postinstall execution in production via `npm install –ignore-scripts` (while auditing dev environments separately).
Prediction
This breach will accelerate the adoption of package signing and runtime dependency sandboxing. Within 12 months, npm will likely deprecate `postinstall` scripts for production dependencies or require explicit opt‑in. We also predict a rise in “credential swarming” attacks – where attackers rotate maintainer emails and push multiple malicious versions across different popular packages in coordinated waves. The line between open‑source convenience and supply chain risk has permanently shifted; organizations that do not implement real‑time dependency mirroring with allowlists will face recurring incidents of this magnitude.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Netanelrubin Breaking – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


