
Axios Supply Chain Attack: Malicious npm Releases Deliver Cross-Platform Payload

Filip Dimitrov

March 31, 2026

A software supply chain attack has been identified impacting the widely used axios npm package.

On March 31, 2026, two malicious versions, axios@1.14.1 and axios@0.30.4, were briefly published to the npm registry. These releases introduced a malicious dependency, plain-crypto-js@4.2.1, which executed automatically during installation via an npm postinstall hook.

The attack leveraged a common supply chain technique: a minimal change to a trusted package (here, a single added dependency) pulls in a malicious package whose install-time lifecycle script npm runs as part of a routine dependency install. The trusted package's own code does not need to carry the payload.

This means any system that ran npm install (or npm update) during the exposure window and resolved one of the malicious versions may have executed attacker-controlled code without user interaction. npm runs install-time lifecycle scripts of transitive dependencies by default; only installs run with --ignore-scripts (or ignore-scripts=true in .npmrc) would have fetched the package without executing its postinstall hook.

Technical Analysis

The malicious dependency (plain-crypto-js@4.2.1) functioned as a dropper. Upon installation, it executed a postinstall script that identified the host operating system, contacted attacker-controlled infrastructure (sfrclak[.]com:8000), and retrieved a second-stage payload.

This second-stage payload enabled arbitrary command execution, system reconnaissance, data exfiltration, and persistence across Windows, macOS, and Linux environments.

Observed artifacts include outbound connections to the attacker domain, along with platform-specific indicators such as %PROGRAMDATA%\wt.exe on Windows, /tmp/ld.py on Linux, and /Library/Caches/com.apple.act.mond on macOS.

Notably, the malware includes anti-forensics behavior, removing installation traces after execution to evade detection. The absence of the file artifacts above therefore does not rule out execution on a host; network logs showing contact with the attacker infrastructure during the exposure window are the more reliable indicator.

Impact Assessment

This is a high-impact supply chain compromise affecting development and build environments rather than traditional production-facing services.

Organizations may be impacted if developer workstations or CI/CD pipelines installed dependencies during the exposure window. The malicious versions had to actually be resolved, which happens on a fresh install with no lockfile, on npm update, or when a dependency is added or its range widened: a caret range such as ^1.14.0 resolves to 1.14.1, and ^0.30.0 resolves to 0.30.4, because caret ranges on a 0.x line float within the minor version. Installs pinned by a committed lockfile (for example npm ci) that already recorded an earlier axios version would not have pulled the malicious release.

Because execution occurs during installation, affected systems should be treated as potentially compromised.

Compromised Packages

  • axios@1.14.1
  • axios@0.30.4
  • plain-crypto-js@4.2.1 (malicious dependency introduced via Axios)

Recommended Actions

Organizations using Node.js or JavaScript dependencies should take the following actions immediately:

  • Identify exposure by reviewing lockfiles (package-lock.json, yarn.lock, etc.), declared dependency ranges in package.json, and CI/CD build logs for the versions listed above
  • Treat affected systems as compromised if malicious versions were installed and investigate accordingly
  • Rebuild environments from a trusted state, reinstalling dependencies using known safe versions
  • Rotate credentials and tokens accessible to affected systems (e.g., API keys, npm tokens, CI/CD secrets)
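As an added example (not code from the advisory or from the axios project), the Node.js script below performs the exposure check from the first action: it scans package-lock.json or npm-shrinkwrap.json (lockfile v1 and v2/v3), yarn.lock, and package.json for the three versions listed above, and for package.json it also reports declared caret ranges that would resolve to a malicious version on a fresh install, which covers the ^1.14.0 case from the impact assessment and the ^0.30.x case for the 0.x line. The lockfiles embedded in it are constructed samples. The range helper models only exact versions and caret ranges; any other range syntax is reported for manual review rather than passed silently.

```javascript
// Added example, not code from the OP Innovate advisory or from the axios project.
// Scans package-lock.json / npm-shrinkwrap.json (lockfile v1 and v2/v3), yarn.lock and
// package.json for the versions named in the advisory. Runs offline on the constructed
// samples below; pass real file paths as arguments to scan a checkout.

// Exact versions the advisory names as malicious.
const MALICIOUS = new Map([
  ['axios', new Set(['1.14.1', '0.30.4'])],
  ['plain-crypto-js', new Set(['4.2.1'])],
]);
const isMalicious = (name, version) => MALICIOUS.get(name)?.has(version) === true;

// "1.14.1" -> [1, 14, 1]; null for anything that is not a plain x.y.z version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Does an exact version or caret range admit `version`? Caret rules: ^1.14.0 means
// >=1.14.0 <2.0.0, ^0.30.0 means >=0.30.0 <0.31.0, ^0.0.3 means exactly 0.0.3.
// Returns null for range syntax not modelled here (~, >=, ||, tags) so callers can flag it.
function caretAllows(range, version) {
  if (parseVersion(range)) return range === version;
  if (!range.startsWith('^')) return null;
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (!lo || !v) return null;
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (cmp(v, lo) < 0) return false;
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return cmp(v, lo) === 0;
}

// package-lock.json: v2/v3 keep a "packages" map keyed by install path; v1 keeps a nested
// "dependencies" tree. Returns each installed malicious name@version and where it sits.
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (!key) continue; // "" is the root project itself
      const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (isMalicious(name, meta.version)) hits.push({ name, version: meta.version, where: key });
    }
    return hits;
  }
  const walk = (deps, parent) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = parent ? `${parent} > ${name}` : name;
      if (isMalicious(name, meta.version)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// yarn.lock: an unindented header such as `axios@^1.14.0, axios@^1.14.1:` (yarn berry:
// `"axios@npm:^1.14.0":`) followed by an indented `version "x.y.z"` line.
function scanYarnLock(text) {
  const hits = [];
  let current = null;
  for (const line of text.split('\n')) {
    const header = /^"?(@?[^@\s"]+)@/.exec(line);
    if (header) { current = header[1]; continue; }
    const ver = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
    if (ver && current && isMalicious(current, ver[1])) hits.push({ name: current, version: ver[1], where: 'yarn.lock' });
  }
  return hits;
}

// package.json: declared ranges that would resolve to a malicious version on a fresh
// install (no lockfile) or on `npm update`; `certain` is false for unmodelled ranges.
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const hits = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      for (const bad of MALICIOUS.get(name) || []) {
        const allows = caretAllows(range, bad);
        if (allows !== false) hits.push({ name, range, version: bad, where: field, certain: allows === true });
      }
    }
  }
  return hits;
}

// Constructed sample inputs (not real project files). `hasInstallScript` is the flag
// npm 7+ records in the lockfile for packages that declare install-time scripts.
const SAMPLE_LOCK_V3 = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo', dependencies: { axios: '^1.14.0' } },
  'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
  'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  'node_modules/follow-redirects': { version: '1.15.6' },
} });
const SAMPLE_YARN = ['# yarn lockfile v1', '', 'axios@^0.30.0:', '  version "0.30.4"', '',
  'follow-redirects@^1.15.6:', '  version "1.15.6"'].join('\n');
const SAMPLE_PKG = JSON.stringify({ dependencies: { axios: '^1.14.0', 'follow-redirects': '^1.15.6' },
  devDependencies: { axios: '0.30.3' } });

function scanFile(file, text) {
  if (/package-lock\.json$|npm-shrinkwrap\.json$/.test(file)) return scanPackageLock(text);
  if (/yarn\.lock$/.test(file)) return scanYarnLock(text);
  if (/package\.json$/.test(file)) return scanPackageJson(text);
  return [];
}

const files = process.argv.slice(2);
if (files.length) {
  const fs = require('fs');
  for (const f of files) for (const h of scanFile(f, fs.readFileSync(f, 'utf8'))) console.log(`${f}: ${h.name}@${h.version} (${h.where})`);
} else {
  console.log(scanPackageLock(SAMPLE_LOCK_V3), scanYarnLock(SAMPLE_YARN), scanPackageJson(SAMPLE_PKG));
}
```

Run it as, for example, `node check-axios.js package-lock.json yarn.lock package.json` (the file name is hypothetical) from each repository root and each CI workspace; with no arguments it scans the embedded samples. A package.json hit with certain: false means the range syntax was not modelled and the resolved version must be confirmed from the lockfile or build log.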


Stay Safe. Stay Secure.

OP Innovate Research Team
