
Threat Brief: Widespread Impact of the Axios Supply Chain Attack

A supply chain attack compromised the Axios JavaScript library via hijacked npm maintainer credentials, leading to malicious releases (versions v1.14.1 and v0.30.4) that injected a dependency containing a cross-platform RAT. The malware executes via the `postinstall` hook to perform reconnaissance and establish persistence. Affected organizations should immediately revert to a verified version prior to v1.14.1 or v0.30.4 and audit their dependencies for `plain-crypto-js`.
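As an added example (not part of the aggregator summary or the Unit 42 brief), the following Node.js script performs the recommended dependency audit against a lockfile: it flags the compromised Axios releases, any resolved `plain-crypto-js`, and any package npm records as running an install-time script. The lockfile content is constructed, and the `hasInstallScript` flag on `plain-crypto-js` is an assumption derived from the brief's description of its `postinstall` hook.

```javascript
// Added example (not from the Unit 42 brief): audit an npm lockfile (v2/v3, where every
// installed package appears under "packages") for what the brief describes: the two
// compromised axios releases, the injected plain-crypto-js dependency, and any package
// that runs an install-time lifecycle script (npm records this as "hasInstallScript").
// Package names and versions are from the brief; the lockfile below is constructed.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGES = new Set(["plain-crypto-js"]);

// Bare package name from a lockfile key such as "node_modules/axios/node_modules/plain-crypto-js".
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one finding per matched condition; an empty array means a clean lockfile.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = packageName(key);
    const add = (severity, reason) =>
      findings.push({ severity, pkg: name, version: entry.version, path: key, reason });
    if (name === "axios" && COMPROMISED_AXIOS.has(entry.version)) add("critical", "compromised axios release");
    if (MALICIOUS_PACKAGES.has(name)) add("critical", "known malicious dependency");
    if (entry.hasInstallScript) add("review", "runs an install lifecycle script such as postinstall");
  }
  return findings;
}

// Constructed lockfile fragment for a project that resolved the bad axios release.
// hasInstallScript on plain-crypto-js is an assumption derived from the brief's
// description of its postinstall hook, not a value taken from a real lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/other-dep": { version: "2.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.path}@${f.version}: ${f.reason}`);
}
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a "review" finding is a prompt to inspect the install script, not proof of compromise.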

By: Unit 42
Published: April 1, 2026
Categories: High Profile Threats, Malware
Tags: API attacks, JavaScript, Supply chain, Trojan

Executive Summary

Unit 42 researchers have observed widespread impact from the significant supply chain attack targeting the Axios JavaScript library. The attack occurred after an Axios maintainer's npm account was hijacked, leading to the release of malicious updates (versions v1.14.1 and v0.30.4). These compromised versions introduced a hidden dependency called `plain-crypto-js`. This dependency is a cross-platform remote access Trojan (RAT) capable of affecting Windows, macOS and Linux systems. The malware was designed to perform reconnaissance and establish persistence, with an added feature to self-destruct for evasion.

Axios is a popular, promise-based HTTP client library for JavaScript, used to make API requests in browsers and Node.js. It features automatic JSON data transformation, request/response interception and request cancellation, making it a standard tool for connecting frontend apps to backend services.

Analysis of the malware that the attackers used overlaps with operations previously reported to involve the Democratic People's Republic of Korea (DPRK).

This campaign has affected the following sectors in the U.S., Europe, Middle East, South Asia and Australia:

- Business services
- Customer service
- Financial services
- High tech
- Higher education
- Insurance
- Media and entertainment
- Medical equipment
- Professional and legal services
- Retail services

This article recommends a number of mitigations for the attack.
Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

- Advanced URL Filtering and Advanced DNS Security
- Cortex Cloud
- Cortex XDR and XSIAM

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Details of the Axios Supply Chain Attack

The attacker published two compromised versions of Axios (v1.14.1 and v0.30.4), but they did not modify any of the Axios source code. Instead, they injected `plain-crypto-js@4.2.1` into the `package.json` file as a runtime dependency.

The Postinstall Dropper

With compromised versions of Axios, when a developer runs `npm install axios`, npm automatically resolves the dependency tree and installs `plain-crypto-js`. This triggers npm's `postinstall` lifecycle hook, executing a heavily obfuscated Node.js dropper script named `setup.js` in the background. To obfuscate its operations, `setup.js` uses a two-layer encoding scheme involving string reversal, Base64 decoding and an XOR cipher using the key `OrDeR_7077`.

Fetching Platform-Specific Payloads

The dropper queries the operating system and sends an HTTP POST request to a command-and-control (C2) server at sfrclak[.]com:8000. To make this outbound traffic look like benign npm registry requests, it appends platform-specific paths:

- packages.npm[.]org/product0 for macOS
- packages.npm[.]org/product1 for Windows
- packages.npm[.]org/product2 for Linux

Figure 1 shows the commands for this first-stage download.

Figure 1. First stage download per platform.

Execution of the RAT

The C2 server delivers a different payload depending on the victim's operating system:

- macOS: The dropper uses AppleScript to download a C++ compiled Mach-O binary, saves it to `/Library/Caches/com.apple.act.mond`, makes it executable and launches it silently via `/bin/zsh`.
- Windows: The dropper copies the Windows PowerShell binary to `%PROGRAMDATA%\wt.exe`, disguising it as the Windows Terminal application. It then uses VBScript to fetch and execute a secondary PowerShell RAT script. It also establishes persistence via a registry Run key.
- Linux: The dropper uses the Node.js `execSync` command to download a Python RAT script to `/tmp/ld.py`, running it in the background using the `nohup` command.

Unified RAT Architecture

Despite being written in three different languages (C++, PowerShell and Python), all three payloads function as implementations of the same RAT framework. They all use an identical C2 protocol, send Base64-encoded JSON data over an HTTP POST request and beacon to the server every 60 seconds. The C2 server accepts the same four commands from the attacker:

- kill (self-terminate)
- runscript (execute shell/script commands)
- peinject (drop and execute binary payloads)
- rundir (enumerate directories)

All the RAT variants use a hard-coded, highly anachronistic user-agent string spoofing Internet Explorer 8 on Windows XP: `mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0`.

Overlap With WAVESHAPER

Initial analysis of the payload confirms significant overlap with WAVESHAPER. WAVESHAPER is a C++ backdoor that communicates with its C2 server using the curl library, employing either HTTP or HTTPS as specified in the command-line arguments. The C2 server's address is also provided via command-line parameters, allowing the backdoor to download and execute arbitrary payloads from the adversary's infrastructure. WAVESHAPER also runs as a daemon by forking itself into a child process that runs in the background, detached from the parent session. It collects the returned system information, which is sent to the C2 server in an HTTP POST request.

Forensic Cleanup

The entire process from installation to compromise takes roughly 15 seconds.
Upon successfully launching the payload, the Node.js dropper performs aggressive anti-forensic cleanup. It deletes the `setup.js` file, removes the `postinstall` hook and replaces the tampered `package.json` with a clean decoy file named `package.md`. This ensures that developers inspecting their `node_modules` folders after the installation will find no obvious signs of malicious code.

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this situation across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.

```
// Title: Compromised Axios npm package version (1.14.1 and 0.30.4) C2 on Command Line
// Description: First stage of activity once a compromised endpoint runs the affected axios package is for the dropper scripts to call out to their C2 domain sfrclak[.]com
// MITRE ATT&CK TTP ID: T1105
config case_sensitive = false
| dataset = xdr_data
| fields _time, event_type, event_sub_type, event_id, agent_hostname, agent_id, action_process_image_command_line, actor_process_command_line
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and action_process_image_command_line ~= "(?:\bsfrclak\.com\b)"
| comp values(action_process_image_command_line) as action_process_image_command_line, values(actor_process_command_line) as actor_process_command_line by _time, agent_hostname, agent_id
```
```
// Title: Compromised Axios npm package version (1.14.1 and 0.30.4) Malicious plain-crypto-js package directory
// Description: The malicious package is actually plain-crypto-js; this looks for directory creation events for that package name within a node_modules folder
// MITRE ATT&CK TTP ID: T1204.005
config case_sensitive = false
| dataset = xdr_data
| fields _time, event_type, event_sub_type, event_id, agent_hostname, agent_id, action_file_path, actor_process_command_line
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_DIR_CREATE, ENUM.FILE_DIR_WRITE, ENUM.FILE_DIR_RENAME) and lowercase(action_file_path) ~= "(?:\bnode_modules[\\\/]plain-crypto-js\b)"
| comp values(action_file_path) as action_file_path, values(actor_process_command_line) as actor_process_command_line by _time, agent_hostname, agent_id
```

```
// Title: Compromised Axios npm package version (1.14.1 and 0.30.4) File Indicators
// Description: Upon installation of the compromised axios package via npm, the postin
```
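Complementing the endpoint-side XQL queries, this added example (not from the Unit 42 brief) applies the brief's network indicators to web-proxy log lines: the C2 host, the first-stage path pattern, the IE8-on-XP user-agent, and the fixed 60-second beacon interval per client-to-host pair. The log format and every log line are constructed for the demonstration.

```javascript
// Added example (not from the Unit 42 brief): apply the brief's network indicators to
// web-proxy logs: the C2 host sfrclak.com, the first-stage path pattern packages.npm.org/product0-2,
// the IE8-on-XP user-agent and, per client->host pair, the fixed 60-second beacon. All log lines are constructed.
const C2_HOST = "sfrclak.com";
const STAGE1_PATH = /packages\.npm\.org\/product[0-2]\b/;
const RAT_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0";
const BEACON_SECONDS = 60;
// Constructed log format: <ISO time> <client> <method> <host:port> <path> "<user-agent>"
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // blank or malformed line
  const [, ts, client, method, hostPort, path, ua] = m;
  return { ts: Date.parse(ts), client, method, host: hostPort.split(":")[0], path, ua };
}
// Indicator names matched by one request; the user-agent is compared case-insensitively.
function lineIndicators(req) {
  const hits = [];
  if (req.host.toLowerCase() === C2_HOST) hits.push("c2-host");
  if (STAGE1_PATH.test(req.path)) hits.push("stage1-path");
  if (req.ua.toLowerCase().startsWith(RAT_UA)) hits.push("rat-user-agent");
  return hits;
}
// True when three or more requests are each spaced within tolerance of the beacon period.
function isRegularBeacon(timesMs, period = BEACON_SECONDS, tolerance = 0.15) {
  if (timesMs.length < 3) return false;
  const t = [...timesMs].sort((a, b) => a - b);
  return t.slice(1).every((cur, i) => Math.abs((cur - t[i]) / 1000 - period) <= period * tolerance);
}
// Per-line indicator alerts plus the client->host pairs whose timing looks like a beacon.
function analyzeLog(text) {
  const reqs = text.split("\n").map(parseLine).filter(Boolean);
  const alerts = reqs.flatMap((r) => lineIndicators(r).map((indicator) => ({ ...r, indicator })));
  const byPair = new Map();
  for (const r of reqs) {
    const key = `${r.client}->${r.host}`;
    byPair.set(key, [...(byPair.get(key) || []), r.ts]);
  }
  const beacons = [...byPair].filter(([, ts]) => isRegularBeacon(ts)).map(([pair]) => pair);
  return { alerts, beacons };
}
const SAMPLE_LOG = `
2026-04-01T10:00:00Z 10.0.0.5 POST sfrclak.com:8000 /packages.npm.org/product2 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-04-01T10:01:00Z 10.0.0.5 POST sfrclak.com:8000 / "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-04-01T10:02:01Z 10.0.0.5 POST sfrclak.com:8000 / "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2026-04-01T10:00:17Z 10.0.0.9 GET registry.npmjs.org:443 /axios "npm/10.2.0 node/v20.11.0"
`;
console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 1));
```

The beacon check is deliberately independent of the host indicator, so it still surfaces a 60-second cadence to a host not yet on a blocklist.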
