The widely used JavaScript HTTP client Axios has been at the center of a significant npm supply chain attack, in which attackers slipped a malicious dependency into selected releases to deploy a cross‑platform remote access trojan (RAT). Given Axios’s more than 83 million weekly downloads, even a short‑lived compromise creates serious systemic risk.
Malicious Axios Versions and the Plain-Crypto-JS Dependency
Security researchers at StepSecurity identified that Axios 1.14.1 and Axios 0.30.4 were published to npm with an additional, fraudulent dependency: [email protected]. The Axios source code itself was not altered; the attack hinged entirely on this external package.
The plain-crypto-js dependency was never referenced or imported anywhere in Axios. Its sole purpose was to run a postinstall script that acted as a Node.js-based dropper, downloading and installing a compiled RAT for macOS, Windows, or Linux immediately after the package was installed.
Once the incident was discovered, the malicious Axios versions and plain-crypto-js were removed from npm. Users are strongly advised to downgrade immediately to Axios 1.14.0 or Axios 0.30.3 and to rotate all secrets and credentials (tokens, keys, passwords) that might have been exposed on systems where the compromised builds were present.
Compromised Maintainer Account and CI/CD Bypass
According to StepSecurity, attackers obtained access to the npm account of the primary Axios maintainer “jasonsaayman” and changed the account’s registered email to a Proton Mail address they controlled (“[email protected]”). The malicious plain-crypto-js package itself was published by the npm user “nrwise” using the email “[email protected]”.
Researchers assess that the adversary likely stole a long-lived npm classic access token. This enabled them to publish modified Axios versions directly to npm, bypassing the project’s GitHub Actions CI/CD pipeline and its usual checks and automated builds. The incident underlines how token hygiene and strict lifecycle management are now critical components of supply chain security.
Evidence of a Carefully Planned Operation
Researcher Ashish Kurmi notes that the operation appeared deliberately pre‑staged. The malicious dependency was prepared roughly 18 hours before publication, three separate payloads for different operating systems were compiled in advance, and both Axios release branches were modified in under 40 minutes. As Kurmi observed, “every trace was designed to self‑destruct”, highlighting a level of planning more typical of targeted campaigns than opportunistic npm abuse.
How the Postinstall Script Delivered the RAT
Inside plain-crypto-js, the core malicious component is an obfuscated Node.js dropper named “setup.js”. Triggered automatically via the postinstall hook, it fingerprints the host operating system and follows one of three attack paths.
Each platform issues a unique HTTP POST request to a single command-and-control (C2) endpoint, packages.npm.org, but with different paths: /product0 for macOS, /product1 for Windows, and /product2 for Linux. This enables the C2 to serve the correct binary per OS while keeping network infrastructure consolidated and harder to distinguish from legitimate npm traffic.
On macOS, the dropper retrieves a C++-based RAT that performs detailed system fingerprinting and then beacons back to the C2 server every 60 seconds. The RAT can execute arbitrary shell commands, launch additional payloads, enumerate the file system, and terminate itself on demand, granting attackers broad and persistent remote control.
On-Disk Evasion and Removal of Forensic Artifacts
After launching the primary payload, the Node.js script executes several steps to erase traces of the compromise from the installed package’s file structure:
— deletes the postinstall script from the installed package;
— removes the original package.json that contained the malicious hook;
— renames package.md to package.json.
The package.md file is a benign manifest without any hooks. By swapping the manifests, attackers ensured that subsequent inspections would not reveal a postinstall script or obvious indicators of tampering, complicating static analysis and incident response.
Additional Affected npm Packages and Indicators of Compromise
Supply chain security firm Socket identified two additional npm packages distributing the same malicious payload:
— @shadanai/openclaw, where plain-crypto-js is embedded deep in the tree as a vendored dependency;
— @qqbrowser/[email protected], which ships a trojanized [email protected] inside its node_modules directory.
Legitimate Axios releases have only three dependencies: follow-redirects, form-data, and proxy-from-env. The appearance of plain-crypto-js in dependency lists or lock files is a clear indicator of compromise (IoC) and should be treated as evidence of supply chain tampering.
Recommended Actions and Long-Term Defensive Measures
Organizations and developers should:
— verify that Axios 1.14.1 or Axios 0.30.4 and the related packages above have not been used;
— audit package-lock.json, yarn.lock, and similar lock files for plain-crypto-js or unexpected Axios versions;
— if any malicious versions are found, assume system compromise, perform full malware scans, rotate all secrets, and reinstall dependencies from a trusted, known-good state.
Strategic Lessons for Open Source Supply Chain Security
This incident reinforces several strategic lessons: maintainer account security (strong MFA, minimal and short‑lived tokens, regular rotation) is essential; postinstall scripts and transitive dependencies must be treated as high‑risk; and organizations need automated tooling to detect new or unexpected dependencies in widely used open source packages. Combining software composition analysis, behavioral monitoring, and strict CI/CD policies can significantly reduce exposure to similar npm supply chain attacks.
The Axios compromise demonstrates how quickly a trusted open source component can be weaponized against the broader ecosystem. Given Axios’s massive install base, it is imperative that teams treat dependency management as a primary attack surface, embed supply chain security controls into their pipelines, and continuously monitor for anomalous changes in third‑party packages.
