On March 31, 2026, attackers published compromised versions of axios — npm's most downloaded HTTP client — containing a Remote Access Trojan hidden in a transitive dependency. The payload exfiltrated environment variables, SSH keys, and API credentials from every developer who ran npm install.
I run an MCP server with API keys for 55 connected services. When I saw the advisory, I realized how exposed the entire AI tool ecosystem is to supply chain attacks.
So I built 0nDefender.
The Key Insight: Timing
Most security tools scan AFTER packages are installed. The axios attack used a postinstall script — by the time your scanner runs, the malicious code has already executed.
0nDefender's core mechanism is a preinstall hook. It runs BEFORE npm resolves, downloads, or installs anything.
{
  "scripts": {
    "preinstall": "npx 0nmcp@latest defender scan --lockfile"
  }
}
The hook reads package-lock.json, cross-references against known malicious versions, pattern-matches against typosquatter names, and blocks anything suspicious.
axios@1.14.1 would have been blocked. plain-crypto-js would never have been downloaded. The RAT would never have executed.
4 Security Layers
0nSeal — The preinstall hook. Prevention at the gate.
0nWatch — Continuous scanning against npm advisory database and GitHub Security Advisories. Every 6 hours.
0nVaultGuard — Health-checks every API key via zero-knowledge probing. Keys never leave your machine. Every 12 hours.
0nAlert — Real-time notifications via email, Slack, or Discord.
Why MCP Servers Are High-Value Targets
If you run a Claude Desktop MCP server, your environment probably contains API keys for AI providers, payment processors, databases, CRMs, email services, and cloud infrastructure. One compromised npm package = access to all of them.
Install in 60 Seconds
npm install -g 0nmcp
0nmcp engine verify
Add to Claude Desktop config:
{
  "mcpServers": {
    "0nMCP": {
      "command": "npx",
      "args": ["-y", "0nmcp"]
    }
  }
}
Free. Open source. MIT licensed. No sign-up. No telemetry.
Full writeup: 0nmcp.com/secure-claude
Source: github.com/0nork/0nMCP
Built by RocketOpp LLC. Non-funded. Non-seeded. Just building what the ecosystem needs.