Ankitkumar Singh

Posted on Mar 31

Security Is a Myth | The Axios Supply Chain Attack

#security #webdev #programming #ai

CRITICAL INCIDENT SUMMARY

LIVE ALERT: axios@1.14.1 and axios@0.30.4 removed from npm. RAT dropper confirmed. Exposure window: ~2 hours 53 minutes. If you installed Axios between 00:21 and 03:15 UTC on March 31, assume compromise. C2: sfrclak.com.

What is a Supply Chain Attack?

A supply chain attack is a cyberattack where an adversary compromises a trusted third-party component—such as a software dependency, build system, or update mechanism—to indirectly gain access to downstream systems.

Instead of attacking the primary target directly, the attacker targets a weaker or less monitored link in the supply chain and leverages established trust relationships to propagate malicious code.

Why It Works

Modern software systems rely heavily on external dependencies, automated CI/CD pipelines, and signed update mechanisms. These introduce implicit trust boundaries that are rarely verified at runtime.

Once a trusted component is compromised, its consumers inherit that compromise without additional scrutiny.

Attack Vectors

1. Compromised Dependencies

Attackers inject malicious code into open-source packages (e.g., npm, PyPI). This often includes:

Maintainer account takeover
Malicious version publishing
Dependency confusion (publishing a higher-version package to public registries)

Impact:
Every downstream project that installs or updates the dependency executes attacker-controlled code.

2. Transitive Dependency Exploitation (Critical)

Most projects don’t directly depend on vulnerable packages—they inherit them indirectly.

Example:

Your app → Library A → Library B (malicious)

Developers often don’t audit deep dependency trees
This makes it a high-leverage attack vector

3. Build Pipeline Compromise

Attackers breach CI/CD systems or build servers
They inject malicious code during the build process
The resulting artifact is legitimately signed and distributed This makes detection significantly harder.

4. Software Update Channel Hijacking

Attackers compromise update infrastructure and distribute malicious updates.

Why this is effective:

Updates are trusted implicitly
Users rarely validate update integrity beyond signatures

What Actually Happened

Metric	Detail
100M+	Axios weekly downloads
2h 53m	Total exposure window
18 hrs	Pre-staged in advance
3	Target platforms (macOS, Windows, Linux)

What and How The Attack Happened

On March 30th, 2026, a hacker compromised the npm account of axios's primary maintainer. Axios is the industry-standard JavaScript HTTP client, boasting over 100 million weekly downloads. The attacker changed the maintainer's registered email to a ProtonMail address and published two poisoned versions: axios@1.14.1 and axios@0.30.4.

Security firm StepSecurity flagged the versions within three hours. However, the damage potential remains high; anyone who downloaded the code during that window is advised to treat their system as fully compromised.

"There are zero lines of malicious code inside axios itself—and that's exactly what makes this attack so dangerous."
— StepSecurity Technical Analysis, March 31, 2026

The hacker didn't modify axios's source code. Instead, they added a single "phantom" dependency to package.json: plain-crypto-js@4.2.1. When a developer ran npm install, this package triggered a postinstall hook to deploy a cross-platform Remote Access Trojan (RAT).

How the Attack Was Constructed

1. Account Hijack

The attacker targeted jasonsaayman. While legitimate axios releases use OIDC Trusted Publishers (linked to GitHub Actions), axios@1.14.1 was pushed manually using a stolen classic npm token. There was no corresponding commit or tag in the GitHub repository.

Legitimate vs. Malicious Metadata:

// axios@1.14.0 - LEGITIMATE
"_npmUser": {
  "name": "GitHub Actions",
  "email": "npm-oidc-no-reply@github.com",
  "trustedPublisher": { "id": "github" }
}

// axios@1.14.1 - MALICIOUS
"_npmUser": {
  "name": "jasonsaayman",
  "email": "ifstap@proton.me"
  // Missing trustedPublisher and gitHead
}

2. The Decoy (18 Hours Early)

The attacker first published plain-crypto-js@4.2.0, a clean copy of the legitimate crypto-js library, to build account history and bypass "zero-history" scanners. 18 hours later, version 4.2.1 was published—this time armed with setup.js, a 4.2 KB obfuscated dropper.

3. The Injection

Exactly one file changed in the Axios package: package.json.

// axios@1.14.1 -- malicious
"dependencies": {
  "follow-redirects": "^2.1.0",
  "form-data": "^4.0.1",
  "proxy-from-env": "^2.1.0",
  "plain-crypto-js": "^4.2.1"  // Never actually imported in the code
}

Attack Timeline (UTC)

Mar 30 - 05:57: Decoy published. plain-crypto-js@4.2.0 (clean).
Mar 30 - 23:59: Weapon armed. plain-crypto-js@4.2.1 (malicious) published.
Mar 31 - 00:21: Payload deployed. axios@1.14.1 hits npm.
Mar 31 - 01:00: Legacy branch poisoned. axios@0.30.4 published.
Mar 31 - 03:15: Takedown. npm removes malicious versions.
Mar 31 - 04:26: Package killed. npm replaces plain-crypto-js with a security stub.

Malware Behavior by Platform

The dropper contacts sfrclak.com:8000 within two seconds of installation.

OS	Payload Action	Indicator (IOC)
macOS	AppleScript downloads RAT binary; disguised as system daemon.	`/Library/Caches/com.apple.act.mond`
Windows	Persists by copying PowerShell to `%PROGRAMDATA%\wt.exe`.	`%PROGRAMDATA%\wt.exe`
Linux	Uses `curl` and `nohup` to run a Python RAT detached from PID.	`/tmp/ld.py`

Post-Infection Stealth: The dropper deletes setup.js and the malicious package.json entries after execution. npm audit will return clean even while the RAT is active.

Indicators of Compromise (IOCs)

Type	Value	Status
npm package	`axios@1.14.1`	MALICIOUS
npm package	`axios@0.30.4`	MALICIOUS
C2 Domain	`sfrclak.com`	BLOCK NOW
C2 IP	`142.11.206.73`	BLOCK NOW
Attacker	`nrwise@proton.me`	THREAT ACTOR

Immediate Action Plan

[!CAUTION]
If you installed Axios during the exposure window, rebuild your environment from scratch. Do not attempt to "clean" the infection.

Check Version: npm list axios | grep -E "1\.14\.1|0\.30\.4"
Check for Dropper: ls node_modules/plain-crypto-js. If this folder exists, you are compromised.
Downgrade: Use axios@1.14.0 or axios@0.30.3.
Block Network: Sinkhole sfrclak.com at the firewall level.
Rotate Secrets: AWS keys, SSH keys, npm tokens, and .env variables must be cycled.
Prevention: Update CI/CD to use npm ci --ignore-scripts.

The Road Ahead: Python & Beyond

The Axios attack is a blueprint. Python's setup.py and pyproject.toml hooks offer an identical attack surface. The risk in the Python ecosystem is arguably higher; ML and Data Science pipelines often run with direct access to sensitive model weights and production data, often with less outbound monitoring than frontend environments.

The Actual Takeaway

Security industry focus on source code (SAST/DAST) failed here. This attack lived entirely in the metadata and registry-level hooks. Treat package installation as a privileged operation. Pin your dependencies, verify lockfiles, and monitor outbound connections from build environments.

DEV Community