A supply chain attack led to a remote access Trojan being quietly installed on developer devices around the world. We had it in our collection within hours — here’s our full response, and what you should do now.
- axios@1.14.1 and axios@0.30.4 were deployed via a hijacked admin account on npm
- They silently install plain-crypto-js@4.2.1, a RAT dropper that filters your secrets
- The malicious versions remained active for approximately 2 hours on March 31, 2026 UTC
- Downgrade to axios@1.14.0 or axios@0.30.3 immediately and reset all credentials
- We reviewed every project in our company, notified customers, and ran a full credential rotation
What actually happened
On March 31, 2026, attackers deployed two poisoned versions of axios — one of the most downloaded npm packages on the planet, with more than 100 million weekly installs — to the npm registry.
This was not a typo or a rogue fork. Attacker npm account hijacked to One of the main hub supervisors. They changed the registered email to an anonymous ProtonMail address and manually pushed the malicious versions via the npm CLI – completely bypassing the project’s normal GitHub Actions CI/CD pipeline. There are no corresponding GitHub tags. There are no SLSA source certificates. There are no changes in the source code. The only modification in the entire package was a single newline package.json: Dependency plain-crypto-js@4.2.1.
What makes this attack bad?
The Axios source code is not touched upon. Traditional diff-based code review will not be able to understand it. The attack was invisible unless you were looking for new, unexpected dependencies.
Attack timeline
- March 30, 2026 – 05:57 UTC
Posts the attacker plain-crypto-js@4.2.0a clean copy of the legitimate crypto-js library. Zero malicious code. Purpose: To create a publishing log to fool automated scanners.
- March 30, 2026 – 23:59 UTC
Harmful plain-crypto-js@4.2.1 published. Contains opaque RAT dropper setup.js. Automated outlet detection flags it within 6 minutes.
- March 31, 2026 – 00:21 UTC
axios@1.14.1 Posted via the hacked admin account. Inject plain-crypto-js@4.2.1 As a runtime dependency.
- March 31, 2026 – 01:00 UTC
axios@0.30.4 published. Both 1.x and 0.x branches are poisoned within 39 minutes of each other – increasing the blast radius to the maximum.
- March 31, 2026 – 03:29 UTC
Malicious versions of npm have been removed after StepSecurity and Socket were detected. But anyone ran npm install In that roughly 3-hour window, she would likely be vulnerable.
An 18-hour head start starts with clean seeding plain-crypto-js@4.2.0 This was intentional: most automated security scanners look for brand-new packages with no deployment history. By the time the malicious version appeared, the account appeared credible.
What malware actually does
when npm install It works, npm resolves the dependency tree, and pulls plain-crypto-js@4.2.1and executes it automatically postinstall Hook: node setup.js. That’s it. This is the moment of compromise.
Dropper in setup.js It uses two layers of obfuscation – Base64 inverse with padding replacement, followed by XOR encryption – before reaching the C2 server on sfrclak(.)com:8000 (intellectual property: 142.11.206.73) to download the platform-specific Phase 2 RAT.
After execution, it covers its tracks: it deletes itself, removing the file package.json Includes post hook, replaces it with a clean snare. Inspection node_modules/plain-crypto-js After that it seems completely innocent – unless you know that the folder shouldn’t be there at all.
MacOS artifactR
/Library/Caches/com.apple.act.mond
Linux artifact
/tmp/ld.py
Windows artifact
%PROGRAMDATA%wt.exe
C2 leveling indicators
Block and review outgoing connections to sfrclak(.)com And intellectual property142.11.206.73On port 8000. If any device shows this traffic in the network logs, assume full compromise.
Who is in danger?
The risks are highest if any of the following apply to your environment between 00:21 UTC and 03:29 UTC on 31 March 2026:
- CI/CD pipelines that do not install and run dependency versions
npm installOn a schedule or commitment - Developers who ran
npm installornpm updateIn that window - Projects that use caret ranges (
^1.14.0or^0.30.0) in package.json — these automatically pull the latest minor/patch version - Anyone pulls
@shadanai/openclawor@qqbrowser/openclaw-qbot@0.0.130– Secondary packages that sell the same load
If your lock file was executed before malicious versions were deployed and your installation has not updated it, you will not be affected. But check before you assume.
How we responded at our company
Our incident response, step by step
Step 1
Prompt audit of all projects. We reached out to each technical lead the moment the alert arrived. The question was obvious: check Axios versions on every project you now own – get it running cat package-lock.json | grep axios or npm list axios And report back. No exceptions, no “we’ll get to it later.”
Step 2
Check for malicious dependency. Prospects in the technology space were also asked to run npm list plain-crypto-js In every project and every active development device. Any output at all = affected.
Step 3
Customer Notice – Before Correction. We have proactively contacted our customers. We told them what happened, what we were checking, what the risk window was, and what we were doing. Transparency first. This is important for trust, and in some cases is contractually required.
Step 4
Debugging and then building. The classification of affected projects has been downgraded to axios@1.14.0 (for 1.x) or axios@0.30.3 (for 0.x), lock files updated, plain-crypto-js Manually remove the directory from Node_modules, then do a clean reinstall using npm install --ignore-scripts. Only after a clean, verified build do we upgrade to any environment.
Step 5
Rotate credentials for any potentially compromised devices. Any newly turned on development device or CI driver npm install In the Risks window: All .env values, AWS keys, npm tokens, SSH keys, and CI secrets are rotated immediately. Don’t assume you’re safe — pivot anyway.
Step 6
Network log audit. The network logs were checked for any outgoing connections to sfrclak.com or 142.11.206.73. Nothing was found – but verification was non-negotiable.
Your treatment checklist
1.Review each project for the affected version
Being npm list axios Or grep the lock file. Any project showing 1.14.1 or 0.30.4 needs immediate action.
2. Look for harmful dependencies
npm list plain-crypto-js – If nothing is printed (other than blank), the dropper has been triggered.
3. Revert to the previous version and do a clean install
npm install axios@1.14.0 (or 0.30.3). then npm install --ignore-scripts To prevent post-installation scripts from running.
4. Check for RAT files on each device
Mac:ls /Library/Caches/com.apple.act.mond Linux: ls /tmp/ld.py Windows: Test-Path "$env:ProgramDatawt.exe"
5. Reset all credentials on affected devices
All .env secrets, AWS/GCP/Azure keys, npm tokens, SSH keys, and CI secrets. Don’t wait. Rotate even if you’re not sure.
6.Audit network logs for C2 connections
Blocking and scanning for sfrclak(.)com and 142.11.206.73:8000. Any result = full machine settlement is assumed.
Block next
This attack succeeded because trust in the open source supply chain is implicit. The package posted under the admin account looks legitimate. We need to break this assumption once and for all.
Strengthen your CI/CD now
Always running
npm install --ignore-scriptsIn CI environments. This blocks post-installation scripts – the exact mechanism used to spread this RAT. For production lock files, stick with them and check them – never rely on floating scopes such as^1.14.0In high-risk environments. Consider using a tool like Switch, Snyk, or StepSecurity to monitor your supply chain in real time.
Require copyrighted npm accounts to use hardware MFA – not TOTP – and review your team’s npm token cleanliness. Long-lived classical codes (a potential attack vector here) should be rotated for granular automation codes with limited scope.
Final thought
Supply chain attacks are not going away. the Axios The incident follows the same playbook used against Chalk, Debug, and the Shai-Hulud npm worm in late 2025. Pattern: Administrator account compromised, poisoned version deployed, exploiting implicit ecosystem trust in registered packages.
The only real defense is layered: pinning versions, checking the source, blocking post-install scripts in CI, monitoring new unexpected dependencies, and Have an incident response plan before you need one. We had ours. That’s why we can move quickly.
If you found this helpful, share it with your team leaders. People who need this don’t always read security blogs, they create features and may not know their features npm install This morning the RAT dropped.
