Devastating Axios Supply Chain Attack Unleashed Malware on Developers
A significant cybersecurity event unfolded on March 30, 2026, when a widely used JavaScript library, Axios, was weaponized in a sophisticated supply chain attack. This incident saw attackers poison the Axios npm package, silently deploying malware onto developer machines running Windows, macOS, and Linux. With Axios boasting over 100 million weekly downloads as the JavaScript ecosystem’s most popular HTTP client, this supply chain attack ranks among the most far-reaching of its kind.
The Anatomy of the Axios Attack
The attack originated with an unauthorized actor gaining control of the npm account belonging to Jason Saayman, the lead maintainer of the Axios project. The attacker covertly swapped the account’s email to a ProtonMail address they controlled, thereby securing full admin-level access. Leveraging a stolen npm access token, the perpetrator manually published two malicious versions: axios@1.14.1 and axios@0.30.4, within a 39-minute window. These poisoned versions targeted both the current and legacy release branches of Axios. Notably, neither of these versions had any corresponding commit, tag, or release in the official Axios GitHub repository, a clear indicator of compromise. GitHub issue #10604 further confirmed the compromised maintainer’s admin permissions.
The Malware’s Deceptive Deployment
Trend Micro researchers Peter Girnus and Jacob Santos conducted an in-depth forensic examination, revealing the full infection chain and the extensive damage. Their analysis confirmed that the threat had infiltrated organizations across critical sectors, including government, finance, healthcare, manufacturing, retail, and technology, with active exploitation observed during the attack window.
Both poisoned Axios versions contained a single, stealthy addition to their package manifest: plain-crypto-js@4.2.1. This ‘phantom dependency’ was never imported or referenced within any of Axios’s 86 source code files. Its sole purpose was to activate npm’s automatic postinstall hook during installation. Upon execution, this hook deployed a cross-platform remote access trojan (RAT) onto the victim’s machine. After the RAT was launched, the malware cunningly deleted its own dropper script and replaced it with a clean decoy, ensuring the node_modules folder appeared completely normal, masking the Axios attack.
Attacker’s Precision and Evasion Tactics
The entire operation was meticulously staged over approximately 18 hours. The attacker initially published a benign decoy version of plain-crypto-js to establish registry history and avoid detection. Hours later, the command-and-control (C&C) server was registered before the malicious payload was finally pushed. This Axios supply chain attack also circumvented GitHub Actions’ OIDC Trusted Publisher safeguards, which typically bind npm releases to verified CI workflows. The attacker bypassed this by publishing manually using a stolen token, leaving no cryptographic binding or gitHead reference in the metadata.
Inside the RAT Dropper
The dropper script, named setup.js, employed a sophisticated two-layer obfuscation system to elude automated scanners. The inner layer utilized a custom XOR cipher with the key “OrDeR_7077” and a quadratic index pattern to scramble character-access sequences. The outer layer reversed encoded strings, restored base64 padding, and then passed the result through the inner cipher. All module names for critical functions like file system access, shell execution, and platform detection were dynamically decoded at runtime via require() calls, rendering them invisible to static analysis tools.
Once active, the dropper identified the operating system and launched a tailored payload:
- macOS: Fetched a binary via AppleScript, saving it to a path mimicking an Apple system daemon.
- Windows: Employed a VBScript launcher to run a PowerShell RAT entirely in memory, using a renamed PowerShell binary disguised as Windows Terminal (wt.exe), with no payload written to disk.
- Linux: Downloaded a Python RAT and launched it as a detached background process, orphaned to PID 1, ensuring its persistence beyond the npm install session.
The C&C server, sfrclak[.]com, was registered just eight hours before the payload went live, indicating a disposable infrastructure strategy designed to limit the attacker’s exposure, a hallmark of this type of sophisticated Axios attack.
Urgent Mitigation and Recommendations
Developers who installed the affected versions of Axios during this critical period must take immediate action:
- Pin Dependencies: Immediately pin Axios to axios@1.14.0 or axios@0.30.3.
- Remove Malicious Package: Delete the plain-crypto-js directory from your node_modules folder.
- System Rebuild: Any system where RAT artifacts are discovered should be rebuilt from a known-good state, not merely cleaned in place.
- Credential Rotation: All credentials accessible during the exposure window—including npm tokens, cloud keys, CI/CD secrets, and SSH keys—must be rotated without delay.
For proactive defense against future supply chain attacks, consider these best practices:
- CI/CD Security: Utilize npm ci --ignore-scripts in CI/CD pipelines. This blocks postinstall hooks, effectively removing the core execution path this Axios attack relied upon.
- Network Blocking: Block the C&C server sfrclak[.]com at the network level.
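As an added defender-side example (not code from the article or the Axios project), the following Node.js script audits a package-lock.json for the indicators this article names: the two poisoned Axios versions, the plain-crypto-js phantom dependency sitting in Axios's manifest, and any package that declares install-time scripts, which is the execution path that npm ci --ignore-scripts blocks. It assumes the lockfile v2/v3 layout (a "packages" map keyed by node_modules path, with npm's hasInstallScript flag); the sample lockfile is constructed.

```javascript
// Added example, not from the article or the Axios project. Assumes package-lock v2/v3
// layout: a "packages" map keyed by "node_modules/..." paths, with npm's "hasInstallScript".

// Indicators taken from the article: the poisoned Axios releases and the phantom dependency.
const BAD_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const PHANTOM_DEP = "plain-crypto-js";

// Package name installed at a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromPath(p) {
  return p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Returns a list of findings; an empty list means no indicator matched.
function auditLockfile(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (name === "axios" && BAD_AXIOS_VERSIONS.has(meta.version)) {
      findings.push({ path, issue: `poisoned axios@${meta.version}` });
    }
    if (name === PHANTOM_DEP) {
      findings.push({ path, issue: `phantom dependency ${PHANTOM_DEP}@${meta.version}` });
    }
    if (name === "axios" && meta.dependencies && PHANTOM_DEP in meta.dependencies) {
      findings.push({ path, issue: `axios manifest pulls in ${PHANTOM_DEP}` });
    }
    // Any package with preinstall/install/postinstall scripts is worth reviewing
    // when installs run without --ignore-scripts.
    if (meta.hasInstallScript === true) {
      findings.push({ path, issue: `declares install scripts (${name}@${meta.version})` });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment for demonstration (not a real capture).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/some-clean-lib": { version: "2.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.issue}`);
```

Run it against a real lockfile by replacing SAMPLE_LOCK with JSON.parse of the file's contents; a non-empty result on the axios or plain-crypto-js entries calls for the rebuild and credential rotation steps above.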
