The compromise of the axios npm package on March 31, 2026, represents a significant escalation in supply chain attacks targeting the JavaScript ecosystem. According to analysis from Socket.dev and Google Threat Intelligence, the attack originated from the takeover of the official axios npm account belonging to a primary maintainer. This allowed the threat actor, tracked as UNC1069 (a North Korea-nexus actor), to publish malicious versions 1.14.1 and 0.30.4 directly to the registry. These versions included a new "phantom" dependency named plain-crypto-js, which served as a delivery vehicle for a sophisticated multi-stage payload.

Cyber Safety

Cyber Safety

Welcome to Cyber-safety, your trusted resource for cutting-edge cybersecurity information and solutions.

Technical Execution and Stealth

The technical execution of the malware, identified by researchers as WAVESHAPER.V2, is notable for its cross-platform compatibility and evasion techniques. Snyk and Elastic Security Labs report that the infection follows a specific lifecycle:

  1. Postinstall Trigger: When a developer runs npm install, the plain-crypto-js package executes a postinstall hook that runs an obfuscated script, setup.js (tracked as SILKBELL).

  2. OS-Specific Payloads: The dropper fingerprints the host and pulls a second-stage Remote Access Trojan (RAT) tailored to the operating system: a Mach-O binary for macOS, a PowerShell script for Windows, or a Python backdoor for Linux.

  3. Command and Control (C2): The RAT beacons every 60 seconds to sfrclak[.]com on port 8000, supporting commands for directory enumeration, file exfiltration, and shell execution.

  4. Anti-Forensic Cleanup: To evade detection, the malware deletes its own installation files and replaces the malicious package.json with a clean decoy (package.md), making the infected library appear normal upon inspection.

Immediate Mitigation Actions

If your environment or CI/CD pipelines ran npm install in the hours leading up to 03:20 UTC on March 31, 2026, you must treat affected systems as compromised.

  • Rollback and Audit: Downgrade immediately to safe versions [email protected] or [email protected]. Audit your project lockfiles for the presence of plain-crypto-js or malicious versions of axios.

  • Secret Rotation: Because the malware targets environment variables and local configs, rotate all cloud access keys (AWS/Azure/GCP), database passwords, SSH keys, and GitHub Personal Access Tokens (PATs).

  • Cache Remediation: Clear local and shared npm caches (npm cache clean --force) to prevent re-infection during subsequent installs.

  • Network Defense: Block all outbound traffic to the known C2 domain sfrclak[.]com and IP 142.11.206.73.

Preventive Actions for Long-Term Security

  • Pin Safe Versions with Lockfiles and Clean Installs: Use package-lock.json to pin known-safe dependency versions, and always perform clean installs (npm ci) in both development and CI pipelines to avoid pulling in compromised updates.

  • Disable Install Scripts by Default: Prevent execution of postinstall and similar hooks using npm install --ignore-scripts or npm config set ignore-scripts true, since they are a primary entry point for supply chain attacks.

  • Use Sandboxed Development Environments: Run dependency installs and development workflows inside isolated environments such as devcontainers or ephemeral containers to limit the impact of malicious code execution.

  • Introduce a Cooldown period for New Packages: Delay adoption of newly published or updated packages by 24–72 hours to reduce exposure to freshly weaponized dependencies.

  • Clear Package Manager Caches: Remove cached packages from npm, yarn, and pnpm on developer machines and build systems to prevent reinstalling compromised artifacts.

  • Strengthen Maintainer and Token Security: Enforce 2FA, prefer short-lived tokens, and regularly rotate credentials to reduce the risk of account takeover, the root cause of the Axios attack.

  • Deploy Endpoint and Runtime Monitoring: Use EDR solutions to detect suspicious processes, especially unexpected executions originating from Node.js during installs or builds.

  • Improve Secret Management Practices: Store sensitive credentials in secure vaults or OS keychains instead of plaintext files or environment variables to reduce the risk of automated exfiltration.

  • Prepare for Rapid Incident Response: If indicators such as plain-crypto-js are detected, assume full compromise, rebuild systems from a known-good state, and immediately rotate all credentials and tokens.

Sources

https://www.tenable.com

https://cloud.google.com

https://socradar.io

https://www.elastic.co

https://socket.dev

https://www.microsoft.com

https://thehackernews.com

Keep Reading

© 2026 Updated Dev.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv