VibeAudits
SecurityBlog Post

Axios npm Supply Chain Attack (31 March 26): What Happened, Who's Affected

A compromised maintainer account led to malicious axios versions (1.14.1 and 0.30.4) being published to npm, injecting a RAT dropper into one of the most downloaded packages on the internet. Here's the full breakdown and what you need to do today.

March 31, 2026
1 min read
Axios npm Supply Chain Attack (31 March 26): What Happened, Who's Affected

100 Million Weekly Downloads. One Compromised Account. Total Supply Chain Breach.

On March 30, 2026, an attacker hijacked the npm account of axios lead maintainer jasonsaayman, changed the account email to a ProtonMail address, and manually published two poisoned versions of axios: 1.14.1 and 0.30.4.

axios has roughly 100 million weekly downloads. It sits in the dependency tree of virtually every Node.js application that makes HTTP requests. This was not a niche attack. This was infrastructure-grade compromise.

How the Attack Worked

The attacker did not modify axios source code directly. Instead, they added a hidden dependency called plain-crypto-js@4.2.1, a package that was created minutes before the malicious axios releases and was never imported anywhere in the axios codebase.

Its only job: run a postinstall script.

That script was a heavily obfuscated two-layer dropper. Layer one reversed strings and decoded base64. Layer two applied XOR decryption with a key derived from the string "OrDeR_7077". The final payload phoned home to a C2 server at sfrclak.com:8000, identified the victim's operating system, and downloaded a platform-specific Remote Access Trojan.

The RAT payloads by platform:

  • macOS: AppleScript downloaded a binary to /Library/Caches/com.apple.act.mond, made it executable, and ran it silently in the background.
  • Windows: Copied powershell.exe to %PROGRAMDATA%\wt.exe, used VBScript plus hidden PowerShell to fetch and execute a .ps1 script from the C2, then deleted all temp artifacts.
  • Linux: Used curl to drop a Python RAT at /tmp/ld.py and ran it with nohup python3.

After execution, the dropper deleted itself, removed the malicious package.json, and replaced it with a clean version staged beforehand. Full forensic evasion baked in from the start.

Why This Bypassed Normal Safeguards

The publish happened directly through the npm CLI using the compromised maintainer's credentials. It completely bypassed the project's GitHub Actions CI/CD pipeline. There were no corresponding GitHub tags for versions 1.14.1 or 0.30.4. If you only watched the GitHub repo, you saw nothing.

This is the core problem with npm's trust model: publish access is tied to individual accounts, not to verified CI pipelines.

Detection and Response

Socket Security and StepSecurity independently flagged the malicious versions within minutes using automated scanning. The npm security team acted fast: both poisoned axios versions and plain-crypto-js@4.2.1 were yanked from the registry and replaced with security-holder stubs.

Two other packages distributing the same malware were also identified: @shadanai/openclaw (a vendored copy) and @qqbrowser/openclaw-qbot@0.0.130 (which shipped the tampered axios inside its own node_modules).

The latest safe version is axios@1.14.0.

What You Need to Do Right Now

  1. Pin axios to 1.14.0 in your package.json. Do not use latest or unpinned ranges.
  2. Audit your lockfiles. Check package-lock.json, yarn.lock, or pnpm-lock.yaml across every environment: dev machines, CI/CD, staging, production containers.
  3. Delete node_modules and reinstall from your lockfile. Do not run a fresh npm install without a verified lockfile.
  4. Search for plain-crypto-js, @shadanai/openclaw, and @qqbrowser/openclaw-qbot in your dependency tree. If any are present, treat the environment as compromised.
  5. Rotate credentials on any machine that ran npm install and pulled the malicious versions. SSH keys, API tokens, cloud credentials, everything.
  6. Set npm config set min-release-age 3 to add a buffer against freshly published packages.

The Bigger Picture

This is the second major npm supply chain attack in six months. In September 2025, the chalk and debug packages (2 billion+ combined weekly downloads) were compromised with a crypto clipper. Before that, the Shai-Hulud worm in 2025. Before that, event-stream, ua-parser-js, colors, faker.

The pattern is always the same: compromised maintainer credentials, a tiny postinstall change, a self-deleting payload.

And now, with AI coding agents running npm install autonomously without lockfile review or human oversight, the attack surface is expanding faster than the ecosystem can defend it.

No package is too popular to trust blindly. Pin your versions. Lock your dependencies. Scan everything.

VibeAudits

Security Experts

Need a Security Audit?

Don't let security vulnerabilities crash your vibe-coded app. Get a professional audit and launch with confidence.