On March 31, 2026, two malicious versions of Axios were published to the npm registry through a compromised account. Both versions injected a dependency called plain-crypto-js@4.2.1 that installed a remote access trojan on macOS, Windows, and Linux. The malicious versions were live for about three hours before being removed.
TLDR: The Axios npm compromise wasn't a code vulnerability. Attackers social-engineered the lead maintainer with a cloned company, a convincing Slack workspace, and a fake Microsoft Teams meeting that tricked him into installing a RAT. Open source is being attacked through humans first, not code.
I was spooked
I was spooked a little bit because that night, I installed 1.14.0, not 1.14.1. God damn it, I was very anxious and went straight to checking the current version in my lockfile of my Inner Anchor.
If you're not sure, check yours:
grep -E "axios@(1\.14\.1|0\.30\.4)|plain-crypto-js" package-lock.json yarn.lock 2>/dev/null
If anything comes back, treat that machine as compromised. Downgrade to axios@1.14.0, delete node_modules/plain-crypto-js/, rotate every fucking secret, and check your network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000. If this happened on a CI runner, rotate any secrets that were injected during the affected build.
What happened
The attacker gained access to the lead maintainer's PC through a targeted social engineering campaign and RAT malware. This gave them access to the npm account credentials, which they used to publish the malicious versions.
In my opinion, open source is being attacked through humans first. Recently, and especially with AI helping, they are attacking more human than the code itself. That's what I see.
The timeline
Jason Saayman, the lead maintainer, said he doesn't have the exact timeline for when the initial compromise occurred, but here's the sequence for the package itself:
- About two weeks before March 31: social engineering campaign initiated against the lead maintainer
- March 30, 05:57 UTC:
plain-crypto-js@4.2.0published to npm - March 31, 00:21 UTC:
axios@1.14.1published with the infectedplain-crypto-js@4.2.1 - March 31, around 01:00 UTC:
axios@0.30.4published with the same payload - March 31, around 01:00 UTC: first external detections. Community members file issues reporting the compromise. The attacker deletes those issues using the compromised account.
- March 31, 01:38 UTC: Axios collaborator DigitalBrainJS opened a PR to deprecate the compromised versions, flagged the deleted issues to the community, and contacted npm directly
- March 31, 03:15 UTC: malicious versions removed from npm
- March 31, 03:29 UTC:
plain-crypto-jsremoved from npm
The whole thing happened from about 00:21 UTC to about 03:15 UTC. About 2 hours and 30 minutes. That is fast.
How they got the lead maintainer
This is the part that matters most. Jason Saayman confirmed how the attack worked in the post-mortem thread. The attack vector mimics what Google has documented in their threat intelligence report on UNC1069 targeting cryptocurrency and AI through social engineering. But they tailored it specifically to him.
They reached out masquerading as the founder of a company. They had cloned the company founder's likeness as well as the company itself. Then they invited him to a real Slack workspace. The workspace was branded to the company's CI and named in a plausible manner. The Slack was thought out very well. They had channels where they were sharing LinkedIn posts. The LinkedIn posts, he presumes, just went to the real company's account, but it was super convincing. They even had what he presumes were fake profiles of the team of the company, but also a number of other open source maintainers.
They scheduled a meeting with him on Microsoft Teams. The meeting had what seemed to be a group of people involved. Then the meeting said something on his system was out of date. The UI in the Microsoft Teams web version popped up saying it was missing something and he had to install it. He installed the missing item because he presumed it was something to do with Teams. That was the RAT.
In his own words: "everything was extremely well co-ordinated looked legit and was done in a professional manner."
What's changing
Resolution was a complete wipe of all lead maintainer devices, resetting all credentials across all accounts, irrespective of platform, both personal and all other capacities.
Going forward: immutable release setup, proper adoption of OIDC flow for publishing, improvement of overall security posture, and updating all GitHub actions to adopt best practices.
The key lesson from the post-mortem: publishing directly from a personal account was a risk that could have been avoided. The OIDC flow and immutable release setup should have been in place before this happened. There was no automated way to detect an unauthorized publish. Detection depended entirely on the community noticing.
Open source maintainers are the target now
This is similar to previous attacks targeting open source maintainers. They exploit the human, the crucial part of it. We haven't really heard about code-level exploits as much, but the social engineering is really, really dangerous. Open source maintainers with high-impact packages are active targets for sophisticated social engineering. Hyper vigilance is needed both on the registry and in a personal capacity.
Shoutout to DigitalBrainJS for acting fast when the compromised account had higher permissions than his own, and for getting npm to take action. The community response was fast. The attack was faster. That's the problem.
I'm Hung, a fullstack developer building tools to help bring purpose to your life. You can follow my journey at dhung.dev.
Top comments (0)