100 Million Downloads at Risk - Inside the March 2026 Axios npm Hack

The March 2026 Axios Supply Chain Attack: A Complete Technical Breakdown and CISO Guide
On March 31, 2026, the global JavaScript ecosystem experienced one of the most severe software supply chain attacks to date. Attackers compromised the official npm account of the lead maintainer for Axios, a ubiquitous HTTP client library boasting over 100 million weekly downloads. By publishing malicious versions of the package, the threat actors deployed a sophisticated Remote Access Trojan across macOS, Windows, and Linux environments.
This article provides a comprehensive technical analysis of the incident, the mechanics of the compromise, and actionable remediation steps for security teams.

The Anatomy of the Attack
The incident unfolded over a window of roughly three hours. The attackers hijacked the npm account of the lead Axios maintainer and changed the email address on the account to an attacker-controlled ProtonMail address. They then had no need to defeat the project's GitHub Actions OIDC Trusted Publisher workflow: instead of committing code to the official repository, they published directly to the npm registry with a stolen long-lived npm access token, a path that sits entirely outside the Trusted Publisher flow.
Two poisoned versions were released: 1.14.1 on the current 1.x line and 0.30.4 on the legacy 0.x line.
The Phantom Dependency
To execute their payload without touching the Axios source itself, the attackers added a hidden dependency, plain-crypto-js at version 4.2.1, to the poisoned releases. Its name merely resembles the legitimate crypto-js library, to which it is unrelated. The attackers had pre-staged the package 18 hours earlier by publishing a clean decoy version, so that by the time the malicious version appeared the package was no longer brand new and would not trip tooling that alerts on first-seen packages.
Any developer or CI/CD pipeline whose install resolved axios to one of the poisoned versions during the compromise window (for example a caret or tilde range with no lockfile, or a lockfile refresh) pulled plain-crypto-js along with it. Installing plain-crypto-js ran its postinstall script, which was an obfuscated dropper.
Cross Platform Remote Access Trojan
The postinstall hook silently executed a script named setup.js. This dropper contacted a command-and-control server at sfrclak[.]com on port 8000, then downloaded and executed a second-stage Remote Access Trojan matched to the host operating system.
The platform-specific payloads were a PowerShell script for Windows, a C++ executable for macOS, and a Python script for Linux, all three speaking the same C2 protocol and accepting the same command set. Once running, the malware harvested credentials, dumped environment variables, and searched the file system for secrets such as cloud access keys, SSH keys, and database passwords.
Advanced Evasion Techniques
Forensic analysis found deliberate anti-analysis behaviour. After execution the malware deleted its installation artifacts and replaced its own package configuration file (package.json) with a clean decoy, so a developer who later inspected node_modules would find no obvious indicator of compromise. This is why the lockfile and the install logs, rather than the contents of node_modules, are the reliable place to look for evidence.
Attribution to UNC1069
Google Threat Intelligence Group and other security firms have attributed this attack to UNC1069, a threat actor with strong ties to North Korea. The group has a documented history of using supply chain attacks for cryptocurrency theft and broad intelligence collection. Analysts noted that the cross-platform malware used here is a direct descendant of the WAVESHAPER backdoor and of the BlueNoroff RustBucket campaigns of previous years.
Impact and Blast Radius
The malicious packages were live on the npm registry from approximately 00:21 UTC to 03:25 UTC on March 31. npm's security team unpublished the compromised versions quickly, but given the popularity of Axios the blast radius is still substantial: any build pipeline or developer workstation that resolved axios to 1.14.1 or 0.30.4 during that window must be treated as compromised.
Remediation and Response Strategy
Security teams and developers must take immediate action to determine their exposure and secure their environments.
1. Audit Dependency Trees
Check every project lockfile, including package-lock.json and yarn.lock, for axios 1.14.1, axios 0.30.4, or plain-crypto-js at any version (Axios never legitimately depended on it). If any of these are present, assume the host that performed the install is fully compromised. A lockfile that was regenerated after the window will not show the malicious version, so also review build logs and package caches for installs that ran between 00:21 and 03:25 UTC.
2. Revert and Pin Versions
Pin Axios to a known-good release immediately: 1.14.0 on the 1.x line, 0.30.3 on the 0.x line. Clear local npm caches (npm cache clean --force) and any shared build caches so that a cached copy of the poisoned tarball cannot be reinstalled on the next deployment.
3. Rotate All Secrets
Because the malware specifically targets environment variables and access tokens, organizations must aggressively rotate all credentials that were present on affected machines. This includes AWS, Azure, and GCP keys, GitHub personal access tokens, VPN certificates, and database passwords.
4. Harden Build Pipelines
To reduce the impact of similar attacks in the future, stop lifecycle scripts from running automatically: pass --ignore-scripts to npm ci and npm install in CI/CD pipelines, or set ignore-scripts=true in the project .npmrc, so that a postinstall hook in a third-party package cannot execute code. Additionally, verify registry signatures and provenance attestations for all internal and third-party packages (npm audit signatures does this for the installed tree) and treat a package that cannot be traced to its source repository as a finding.
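The audit, pin and harden steps above, as an added example that is not code from the Axios project or from any incident report: a Node.js script that scans package-lock.json (v1 nested and v2/v3 flat layouts) and yarn.lock (classic and Berry headers) for the indicators named in this article, emits the package.json "overrides" entry that forces the known-good Axios release for the major line in use, and checks that a .npmrc disables lifecycle scripts. The sample lockfile, .npmrc contents and the package names other than axios and plain-crypto-js are constructed for the demonstration; the functions take file contents as strings so real files can be fed in with fs.readFileSync.

```javascript
'use strict';

// Indicators taken from the article: the versions the attackers published and the
// phantom dependency that Axios never legitimately depended on.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
// Known-good Axios release per major line, as stated in the remediation steps.
const SAFE_PIN = { 1: '1.14.0', 0: '0.30.3' };

// package-lock.json: v2/v3 list every installed package under "packages" keyed by
// its node_modules path; v1 (and v2, for compatibility) nest them under "dependencies".
function packageLockEntries(json) {
  const lock = JSON.parse(json);
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === '' || !meta.version) continue; // '' is the root project itself
    const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    out.push({ name, version: meta.version });
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version) out.push({ name, version: meta.version });
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// yarn.lock: an unindented "name@range[, name@range]:" header (quoted in Berry)
// followed by an indented version line. Scoped names keep their "@scope/" prefix.
function yarnLockEntries(text) {
  const out = [];
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''))
        .filter((s) => !s.startsWith('__')) // skip Berry's __metadata block
        .map((s) => { const at = s.indexOf('@', 1); return at === -1 ? s : s.slice(0, at); });
      continue;
    }
    const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
    if (m) for (const name of names) out.push({ name, version: m[1] });
  }
  return out;
}

// Step 1: cross-check installed entries against the indicators. Any plain-crypto-js
// at all is suspicious, including the earlier clean decoy the article mentions.
function findIndicators(entries) {
  const seen = new Set();
  const findings = [];
  for (const { name, version } of entries) {
    const key = `${name}@${version}`;
    if (seen.has(key)) continue;
    seen.add(key);
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) {
      findings.push({ package: key, severity: 'compromised' });
    } else if (name === 'plain-crypto-js') {
      findings.push({ package: key, severity: 'suspicious' });
    }
  }
  return findings;
}

function scanLockfile(filename, content) {
  const entries = filename.endsWith('yarn.lock') ? yarnLockEntries(content) : packageLockEntries(content);
  return findIndicators(entries);
}

// Step 2: the package.json "overrides" entry (npm 8.3+) that forces the known-good
// release for the major line the project is on; Yarn users need "resolutions" instead.
function axiosOverride(installedVersion) {
  const major = installedVersion.split('.')[0];
  if (!(major in SAFE_PIN)) throw new Error(`no known-good pin recorded for axios ${installedVersion}`);
  return { axios: SAFE_PIN[major] };
}

// Step 4: does the project .npmrc disable lifecycle scripts (same effect as --ignore-scripts)?
function ignoreScriptsEnabled(npmrc) {
  return npmrc.split(/\r?\n/).some((l) => /^\s*ignore-scripts\s*=\s*true\s*$/.test(l));
}

// Constructed sample inputs (not taken from any real project) to exercise the helpers.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
});
const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1', '',
  'axios@^0.30.0:', '  version "0.30.3"', '',
  '"plain-crypto-js@^4.2.0":', '  version "4.2.0"', '',
].join('\n');
const SAMPLE_NPMRC = 'registry=https://registry.npmjs.org/\nignore-scripts=true\n';

function remediationReport() {
  return {
    packageLock: scanLockfile('package-lock.json', SAMPLE_PACKAGE_LOCK),
    yarnLock: scanLockfile('yarn.lock', SAMPLE_YARN_LOCK),
    pin: axiosOverride('1.14.1'),
    npmrcHardened: ignoreScriptsEnabled(SAMPLE_NPMRC),
  };
}

console.log(JSON.stringify(remediationReport(), null, 2));
```

On the sample input the scanner reports axios@1.14.1 and plain-crypto-js@4.2.1 as compromised in package-lock.json, flags the clean-looking plain-crypto-js@4.2.0 in yarn.lock as suspicious, and leaves axios@0.30.3 alone. Run it against every lockfile in a monorepo, not just the root one, and remember that a "clean" result only covers installs that left a lockfile behind.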
By understanding the mechanics of this breach, organizations can better defend their infrastructure against the growing threat of software supply chain compromises.