Axios npm Supply Chain Attack: Summary & Indicators of Compromise

On March 31, 2026, an attacker compromised the npm account of axios lead maintainer Jason Saayman. The registered email was changed to ifstap@proton.me and a stolen classic npm access token was used to publish two malicious versions: axios@1.14.1 (tagged latest) and axios@0.30.4 (tagged legacy).

Both versions introduced a hidden dependency on plain-crypto-js@4.2.1, a package published from a separate attacker account (nrwise@proton.me). This package contained a postinstall hook that deployed a cross-platform Remote Access Trojan capable of arbitrary command execution on Windows, Linux, and macOS.

The classic npm token bypassed the GitHub Actions OIDC protections that were in place for legitimate publishes. The exposure window lasted approximately three hours (00:21 to 03:15 UTC) before npm intervened and unpublished both versions.

The last legitimate version, axios@1.14.0, was published on March 27 via GitHub Actions OIDC and remains safe.

Need help checking if your infrastructure is affected? Our team can audit your environments, scan for IOCs, and harden your CI/CD pipeline. See our Managed IT Services or IT Outsourcing for ongoing protection.

Malicious packages

C2 infrastructure

Attacker email accounts

Stage-2 payload artifacts

Windows:

• %PROGRAMDATA%\wt.exe (disguised PowerShell copy)
• %TEMP%\6202033.vbs (VBScript loader)
• %TEMP%\6202033.ps1 (PowerShell payload)

Linux:

• /tmp/ld.py (Python RAT script)

macOS:

• /Library/Caches/com.apple.act.mond (657 KB Mach-O binary, x86_64)

1. Check your lockfiles

Linux/macOS (Bash):

bashgrep -E "axios@1\.14\.1|axios@0\.30\.4|plain-crypto-js" package-lock.json yarn.lock pnpm-lock.yaml

Windows (PowerShell):

powershellSelect-String -Pattern "axios@1\.14\.1|axios@0\.30\.4|plain-crypto-js" -Path package-lock.json,yarn.lock,pnpm-lock.yaml

2. Search for the malicious dependency

Linux/macOS (Bash):

bashfind node_modules -type d -name "plain-crypto-js" 2>/dev/null
npm ls axios

Windows (PowerShell):

powershellGet-ChildItem -Path node_modules -Recurse -Directory -Filter "plain-crypto-js" -ErrorAction SilentlyContinue
npm ls axios

3. Scan multiple projects at once

Linux/macOS (Bash):

bashfind /path/to/projects -maxdepth 5 \( -name "package-lock.json" -o -name "yarn.lock" -o -name "pnpm-lock.yaml" \) -exec grep -l "axios.*1\.14\.1\|axios.*0\.30\.4\|plain-crypto-js" {} \;

Windows (PowerShell):

powershellGet-ChildItem -Path C:\path\to\projects -Recurse -Depth 5 -Include package-lock.json,yarn.lock,pnpm-lock.yaml | Select-String -Pattern "axios.*1\.14\.1|axios.*0\.30\.4|plain-crypto-js" -List | Select-Object Path

4. Check for filesystem artifacts

Windows (PowerShell):

powershellTest-Path "$env:ProgramData\wt.exe"
Test-Path "$env:TEMP\6202033.vbs"
Test-Path "$env:TEMP\6202033.ps1"

Linux:

bashls -la /tmp/ld.py 2>/dev/null

macOS:

bashls -la /Library/Caches/com.apple.act.mond 2>/dev/null

5. Check network connections

Windows (PowerShell):

powershellGet-DnsClientCache | Where-Object Entry -match "sfrclak"
Get-NetTCPConnection | Where-Object { (Resolve-DnsName $_.RemoteAddress -ErrorAction SilentlyContinue).NameHost -match "sfrclak" }

Linux:

bashss -tnp | grep -i sfrclak
grep "sfrclak" /var/log/syslog /var/log/dns*

macOS:

bashlsof -i -nP | grep -i sfrclak
log show --predicate 'process == "mDNSResponder"' --last 24h | grep sfrclak

Immediate steps

1. Verify exposure: check if any system ran npm install between 00:21 and 03:15 UTC on March 31, 2026
2. Search for IOCs: check filesystem artifacts and DNS/firewall logs for connections to sfrclak.com or 142.11.206.73
3. Check private registries: inspect Verdaccio, Artifactory, or GitHub Packages mirrors for cached malicious versions

If IOCs are found

Treat the affected system as fully compromised:

• Rotate all credentials, API keys, tokens, and SSH keys from affected machines
• Rebuild Docker images and CI/CD environments from scratch
• Review access logs for lateral movement

Cleanup

• Pin axios to v1.14.0 and verify checksums
• Run npm uninstall plain-crypto-js
• Run npm cache clean --force

Hardening

• Use lockfiles consistently with npm ci instead of npm install
• Set npm config set min-release-age 3 to reject packages published less than 3 days ago
• Replace classic npm tokens with granular tokens scoped to specific packages
• Apply IP restrictions to token access
• Enable npm provenance for published packages
• Implement dependency monitoring (Socket, Snyk, or Dependabot)

This page is a summary with actionable IOCs and detection steps. For the complete technical breakdown including payload deobfuscation, C2 protocol analysis, and MITRE ATT&CK mapping, read the full article on our blog:

Axios npm Supply Chain Attack: Full Analysis on the Salt Data Blog