BREAKING: Axios npm Package Backdoored – 83M Weekly Downloads Compromised in Surgical Supply Chain Attack + Video

Listen to this Post

Featured Image

Introduction

On March 31, 2026, the widely used Axios HTTP client (83 million weekly downloads) was compromised when an attacker obtained a lead maintainer’s npm credentials, swapped the account email to a ProtonMail address, and manually published two malicious versions (1.14.1 and 0.30.4). Instead of modifying Axios directly, the attacker injected a fake dependency, [email protected], whose postinstall script deploys a cross-platform Remote Access Trojan (RAT) on macOS, Windows, and Linux – then self-destructs to evade forensic analysis.

Learning Objectives

  • Identify compromised Axios versions and detect the `plain-crypto-js` dependency in your environment.
  • Execute forensic commands to uncover RAT persistence and artifacts on Linux and Windows.
  • Implement supply chain hardening measures including npm token rotation, CI/CD pipeline controls, and dependency pinning.

You Should Know

  1. Identifying Compromised Axios Versions and the Malicious Dependency

The attack published `[email protected]` and `[email protected]` directly to npm, bypassing the project’s GitHub Actions CI/CD. The malicious code lives not in Axios but in a fake dependency: [email protected]. This package runs a `postinstall` script that downloads and executes a pre‑built RAT.

Step‑by‑step detection:

  • Check your `package-lock.json` or `yarn.lock` for the presence of plain-crypto-js:
    Linux / macOS / Git Bash
    grep -i "plain-crypto-js" package-lock.json
    grep -i "plain-crypto-js" yarn.lock
    
    Windows (PowerShell)
    Select-String -Path package-lock.json -Pattern "plain-crypto-js"
    

  • List all installed Axios versions (run inside your project root):

    npm list axios
    or
    yarn list axios
    

  • If you see version 1.14.1 or 0.30.4, assume compromise. Also check for any dependency that includes plain-crypto-js:

    npm ls plain-crypto-js
    

  • Inspect the `postinstall` script of any suspicious package (if still present):

    Extract and examine
    cat node_modules/plain-crypto-js/package.json | grep postinstall
    cat node_modules/plain-crypto-js/install.js  or the actual script file
    

2. RAT Payload Extraction and Self‑Destruct Analysis

The attacker pre‑staged three OS‑specific payloads 18 hours in advance. The `postinstall` script determines the OS, fetches the appropriate RAT, executes it, and then deletes itself.

Step‑by‑step forensic reconstruction:

  • Simulate the download (safe, isolated environment) – do not run on production:
    Use a sandbox or VM
    docker run --rm -it node:18 bash
    npm install [email protected]
    

  • Capture network traffic to see the payload URL (example, but actual domains vary):

    sudo tcpdump -i eth0 -w rat_capture.pcap
    Then trigger the install in another terminal
    

  • On Linux, look for post‑execution artifacts – the RAT may have installed a systemd service or cron job:

    Check for new services
    systemctl list-units --type=service --all | grep -i "rat|unknown"
    Check user crontab
    crontab -l
    Check systemd timers
    systemctl list-timers
    

  • On Windows, use PowerShell to scan for suspicious scheduled tasks and startup entries:

    Get-ScheduledTask | Where-Object {$<em>.TaskName -like "rat" -or $</em>.TaskPath -like "unknown"}
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    

3. Post‑Exploitation: Rotating Secrets and Credentials

If you ran either affected version, assume full system compromise. The RAT can exfiltrate environment variables, `.env` files, SSH keys, cloud tokens, and npm credentials.

Step‑by‑step emergency rotation (execute in this order):

1. Revoke and regenerate all npm tokens:

npm token list
npm token revoke <token-id>
npm token create
  1. Rotate cloud provider keys (AWS, GCP, Azure, etc.):
    AWS example
    aws iam create-access-key --user-name <your-user>
    aws iam delete-access-key --access-key-id <old-key> --user-name <your-user>
    

3. Regenerate SSH keys (on Linux/macOS):

rm ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
ssh-keygen -t rsa -b 4096 -C "[email protected]"

On Windows (PowerShell as Admin):

Remove-Item $env:USERPROFILE.ssh\id_rsa
ssh-keygen -t rsa -b 4096 -C "[email protected]"
  1. Rotate all API keys, database passwords, and any secrets stored in environment variables. Use a secrets manager like HashiCorp Vault or at least a password manager to generate new random strings.

4. Pinning Safe Versions and Hardening npm Workflows

The safe versions are `[email protected]` (for 1.x users) and `[email protected]` (for 0.x users). Do not simply update to the latest – pin explicitly.

Step‑by‑step mitigation:

  • Update your `package.json` to pin the safe version:
    {
    "dependencies": {
    "axios": "1.14.0"
    }
    }
    

Then run:

rm -rf node_modules package-lock.json
npm cache clean --force
npm install
  • Prevent future automatic updates to malicious versions by using `npm shrinkwrap` or overrides:
    // In package.json
    "overrides": {
    "axios": "1.14.0"
    }
    

  • Enable `npm audit` and CI integration:

    npm audit --production
    

Add to GitHub Actions:

- name: npm audit
run: npm audit --production --audit-level=high
  1. Detecting the Axios RAT with YARA and Endpoint Scanners

The attacker pre‑built three payloads. While the postinstall script self‑destructs, the RAT binary may remain or have persistence mechanisms.

Step‑by‑step YARA rule for Linux RAT (example signature based on known indicators):

rule axios_rat_linux {
meta:
description = "Detects RAT deployed by plain-crypto-js postinstall"
date = "2026-04-03"
strings:
$s1 = "axios_rat_main" ascii
$s2 = "plain-crypto-js" ascii
$hex1 = { 6A 00 68 00 01 00 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? } // partial socket code
condition:
any of ($s) or $hex1
}

Run YARA on Linux:

yara -r axios_rat.yara /usr/bin /usr/local/bin /opt

On Windows, use Sysinternals Autoruns and Process Explorer:

 List all running processes and check for unknown binaries
Get-Process | Where-Object {$<em>.Path -like "temp" -or $</em>.Path -like "roaming"}
 Check for network connections to suspicious IPs
netstat -ano | findstr "ESTABLISHED"

6. CI/CD Pipeline Hardening Against Maintainer Account Takeover

The attack succeeded because the maintainer’s npm credentials were compromised and the pipeline’s normal CI/CD (GitHub Actions) was bypassed entirely. Manual publish should be impossible or require MFA.

Step‑by‑step hardening:

  • Require two‑factor authentication (2FA) on npm for all maintainers. Enforce with `npm profile set –enable-two-factor-auth` and require it for publishing:
    npm profile set two-factor-auth "auth-and-writes"
    

  • Use `publishConfig` in `package.json` to restrict publishing to CI only:

    "publishConfig": {
    "access": "public",
    "registry": "https://registry.npmjs.org",
    "tag": "latest",
    "provenance": true
    }
    

  • Configure GitHub Actions to prevent manual publish overrides – use environment protection rules and require a specific runner:

    name: Publish to npm
    on:
    release:
    types: [bash]
    jobs:
    publish:
    runs-on: ubuntu-latest
    environment: npm-publish  requires approval
    steps:</p></li>
    <li><p>run: npm publish --provenance
    

  • Monitor npm account activity – use webhooks or npm audit signatures. For enterprise, consider using a private registry proxy (Verdaccio, JFrog Artifactory) with allowlisting.

7. Forensic Timeline and RAT Self‑Destruct Evasion

The attacker staged payloads 18 hours before publishing and released both malicious versions within 39 minutes. The `postinstall` script typically downloads the RAT, executes it, then removes the script and the fake package folder.

Step‑by‑step recovery of deleted artifacts (Linux):

If the attack happened recently, you might recover the `postinstall` script from disk or memory:

 Use grep on the raw disk block (unmount if possible)
sudo grep -a -A 50 -B 5 "plain-crypto-js" /dev/sda1 > recovered_script.txt

Check bash history for any wget/curl commands executed during npm install
cat ~/.bash_history | grep -E "curl|wget|https?://"

On Windows, use `recuva` or `FTK Imager` to carve deleted files from `%temp%` and %appdata%\npm-cache. The RAT may have used `rundll32` or `regsvr32` to execute – check Windows Event Logs (Event ID 4688 for process creation):

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$<em>.Message -like "rundll32" -or $</em>.Message -like "plain-crypto"}

What Undercode Say

  • Key Takeaway 1: Supply chain attacks no longer need to hide malicious code in the primary package – injecting a single, self‑destructing dependency can achieve full system compromise while bypassing static analysis.
  • Key Takeaway 2: Manual publication bypassing CI/CD is a critical control failure. Organizations must enforce MFA on package registries, require provenance, and monitor for unexpected version releases.

The Axios incident is a textbook example of surgical, low‑noise compromise. The attacker understood the trust model of npm: maintainer credentials are the ultimate keys to the kingdom. Even with GitHub Actions in place, a single manual override nullified all pipeline protections. This attack will likely trigger a wave of similar “dependency‑in‑dependency” backdoors because postinstall scripts remain a powerful, often overlooked vector. The self‑destruct feature makes incident response extremely difficult – by the time a team realizes they are compromised, the installer has already deleted itself. Organizations should immediately scan for `plain-crypto-js` and any unknown postinstall scripts, and consider blocking all postinstall execution in production via `npm install –ignore-scripts` (while auditing dev environments separately).

Prediction

This breach will accelerate the adoption of package signing and runtime dependency sandboxing. Within 12 months, npm will likely deprecate `postinstall` scripts for production dependencies or require explicit opt‑in. We also predict a rise in “credential swarming” attacks – where attackers rotate maintainer emails and push multiple malicious versions across different popular packages in coordinated waves. The line between open‑source convenience and supply chain risk has permanently shifted; organizations that do not implement real‑time dependency mirroring with allowlists will face recurring incidents of this magnitude.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Netanelrubin Breaking – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky