Axios npm compromise: determine your exposure and remediate in 20 minutes
Two axios versions on npm delivered a cross-platform RAT on March 31. Here's how to determine if your environment is affected and what to do about it.
What happened (and why the scale matters)
Two versions of axios hit npm on March 31 carrying a cross-platform RAT. The attacker compromised lead maintainer jasonsaayman's account via social engineering, then published axios@1.14.1 at 00:21 UTC and axios@0.30.4 about an hour later. Both versions pulled in plain-crypto-js@4.2.1 via a postinstall hook. Datadog Security Labs did not independently analyze 0.30.4; its behavior is consistent with the same attack as 1.14.1. npm removed both within three hours, and the latest dist-tag reverted to 1.14.0. Axios has 100M+ weekly downloads and 174,000 dependent packages, so any environment that ran npm install or npm ci between 00:21 and 03:25 UTC on March 31, including CI/CD pipelines, may have run attacker-controlled code.
Do you have it?
Lockfile and node_modules scan
Start here. The pattern also matches the resolved tarball name (axios-1.14.1.tgz), which is the form package-lock.json and classic yarn.lock record, and the axios@npm:1.14.1 form Yarn berry writes, since neither file contains the literal string axios@1.14.1:
grep -E "axios(@|@npm:|-)(1\.14\.1|0\.30\.4)|plain-crypto-js" \
package-lock.json yarn.lock pnpm-lock.yaml *.lock 2>/dev/null
Then check for the malicious package directory:
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"
The directory check is the only reliable indicator. After the dropper ran, it deleted itself, then swapped its own package.json for a clean stub reporting version 4.2.0 with no scripts key. Post-infection, npm ls reports plain-crypto-js@4.2.0 and npm audit returns nothing. If the directory exists, treat that as confirmed.
Transitive and indirect exposure
You don't have to list axios as a direct dependency to be affected. Any package that resolved to 1.14.1 or 0.30.4 via semver ranges like ^1.13.0 or ^1.0.0 is in scope. Three confirmed downstream packages: @lightdash/cli (versions below 0.2695.1), @usebruno/cli (below 3.2.0), and slack-github-action, which is used in 23,000+ public repositories and declares axios@"^1.14.0". If you use slack-github-action, I'd check that one first. Wide blast radius. The list isn't exhaustive; Socket identified additional packages carrying the same payload.
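As an added example (not the article's own tooling, and nothing from the axios project), here is a Python scan that combines the three checks above in one pass: it reads the resolved axios version out of package-lock.json (v1 and v2/v3), yarn.lock (classic and berry) and pnpm-lock.yaml rather than string-matching, walks node_modules for a plain-crypto-js directory (nested ones included) and flags the 4.2.0 stub the dropper leaves behind, and reports the lockfile entry that pulled axios in so a transitive dependent such as a nested node_modules/some-sdk/node_modules/axios is visible. The sample lockfile fragments and the some-sdk package name are constructed for the self-check, not taken from any real project.

```python
"""Lockfile and node_modules scan for the compromised axios releases.
Added example, not tooling from the article or the axios project.
"""
import json
import os
import re

BAD_AXIOS = {"1.14.1", "0.30.4"}
MARKER_PKG = "plain-crypto-js"
LOCKFILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml")


def resolved_axios(lock_name, text):
    """Map each axios version the lockfile resolves to -> the entries resolving it."""
    found = {}

    def add(version, where):
        found.setdefault(version, []).append(where)

    if lock_name == "package-lock.json":
        data = json.loads(text)
        for path, meta in data.get("packages", {}).items():  # lockfile v2/v3 map
            if path.split("node_modules/")[-1] == "axios":
                add(meta.get("version", "?"), path)  # path shows the dependent chain
        stack = [("", data.get("dependencies", {}))]  # lockfile v1 nested tree
        while stack:
            prefix, deps = stack.pop()
            for name, meta in deps.items():
                if name == "axios":
                    add(meta.get("version", "?"), prefix + name)
                stack.append((prefix + name + " > ", meta.get("dependencies", {})))
    elif lock_name == "yarn.lock":
        # Header `axios@^1.14.0, axios@^1.0.0:` (classic) or `"axios@npm:^1.14.0":`
        # (berry), followed by an indented `version "x"` / `version: x` line.
        pat = r'^("?axios@[^\n]*):\n(?:[ \t]+[^\n]*\n)*?[ \t]+version:? "?([\d.]+)"?'
        for m in re.finditer(pat, text, re.M):
            add(m.group(2), m.group(1).strip('"'))
    elif lock_name == "pnpm-lock.yaml":
        # Package keys `/axios@1.14.1:` (v6) or `axios@1.14.1:` (v9, maybe a peer suffix)
        for m in re.finditer(r"^[ \t]*/?(axios@([\d.]+)[^:\n]*):", text, re.M):
            add(m.group(2), m.group(1))
    return found


def find_marker_dirs(node_modules):
    """List (path, version, has_scripts) for every plain-crypto-js directory found.
    A 4.2.0 package.json with no "scripts" key is the post-run stub, not a clean install.
    """
    hits = []
    for dirpath, dirnames, _ in os.walk(node_modules):
        if os.path.basename(dirpath) != MARKER_PKG:
            continue
        version, has_scripts = None, False
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
            version, has_scripts = meta.get("version"), "scripts" in meta
        except (OSError, ValueError):
            pass  # missing or unreadable package.json: still report the directory
        hits.append((dirpath, version, has_scripts))
        dirnames[:] = []  # nothing below a hit needs walking
    return hits


def scan_project(project_dir):
    """Run both checks on one project directory and return the findings."""
    f = {"bad_axios": {}, "marker_in_lockfile": False, "marker_dirs": []}
    for name in LOCKFILES:
        path = os.path.join(project_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for version, entries in resolved_axios(name, text).items():
            if version in BAD_AXIOS:
                f["bad_axios"].setdefault(version, []).extend(f"{name}: {e}" for e in entries)
        f["marker_in_lockfile"] |= MARKER_PKG in text
    nm = os.path.join(project_dir, "node_modules")
    if os.path.isdir(nm):
        f["marker_dirs"] = find_marker_dirs(nm)
    f["exposed"] = bool(f["bad_axios"] or f["marker_in_lockfile"] or f["marker_dirs"])
    return f


# Constructed lockfile fragments (not from any real project) for a self-check.
SAMPLE_PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"some-sdk": "^2.0.0"}},
    "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}}})
SAMPLE_YARN_LOCK = 'axios@^1.14.0, axios@^1.0.0:\n  version "1.14.0"\n  resolved "https://example.invalid/axios-1.14.0.tgz"\n'
SAMPLE_PNPM_LOCK = "packages:\n\n  /axios@0.30.4:\n    resolution: {integrity: sha512-PLACEHOLDER}\n"


def self_check():
    """Build a throwaway project from the samples plus a 4.2.0 stub dir, then scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "package-lock.json"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PACKAGE_LOCK)
        stub = os.path.join(tmp, "node_modules", "some-sdk", "node_modules", MARKER_PKG)
        os.makedirs(stub)
        with open(os.path.join(stub, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": MARKER_PKG, "version": "4.2.0"}, fh)  # stub shape, no scripts
        return scan_project(tmp)


if __name__ == "__main__":
    import sys
    result = scan_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(json.dumps(result, indent=2))
    sys.exit(2 if result["exposed"] else 0)
```

Run it with the project directory as the only argument; it exits 2 when anything matches, so it drops straight into a CI step. A marker directory reported with version 4.2.0 and has_scripts False is the cleaned-up stub the text describes, which is why the script reports the directory regardless of what its package.json claims.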
CI/CD pipeline window
Check your build logs for any npm install or npm ci runs between March 31, 00:21 UTC and 03:25 UTC. GitHub Actions:
gh api "repos/ORG/REPO/actions/runs?created=2026-03-31T00:21:00Z..2026-03-31T03:25:00Z" --paginate
Ephemeral runners aren't off the hook. If secrets were injected into a pipeline that ran during this window, they were in a compromised environment.
What exposure means
GHSA-fw8c-xr5c-95f9 is blunt: "Any computer that has this package installed or running should be considered fully compromised." On first execution, the dropper sent directory listings from home, Desktop, Documents, and .config to the C2. On macOS, a binary persists at /Library/Caches/com.apple.act.mond. On Windows, a registry autorun key (HKCU\...\Run\MicrosoftUpdate) and %PROGRAMDATA%\system.bat are installed; a code bug in the Windows payload means the C2 beacon never fires, but the persistence is in place. On Linux, no persistence, but the initial exfiltration still runs in CI containers. sfrclak.com being down doesn't change any of this. Persistence doesn't clean itself up.
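An added host triage script for the artifacts just listed (example code, not from the article, Datadog Security Labs or the axios project). The article abbreviates the Windows key as HKCU\...\Run; the script assumes the standard per-user Software\Microsoft\Windows\CurrentVersion\Run key, so adjust it if your own analysis shows a different location. Platform name, path lookup and Run-key values are parameters so the decision logic can be exercised with constructed inputs; triage_this_host() wires in the real ones.

```python
"""Host triage for the persistence artifacts the advisory describes.
Added example, not from the article or the axios project.
"""
import os
import platform

MACOS_BINARY = "/Library/Caches/com.apple.act.mond"
WINDOWS_BAT = os.environ.get("PROGRAMDATA", r"C:\ProgramData") + r"\system.bat"
# The article abbreviates the key as HKCU\...\Run; the standard per-user autorun
# key is assumed here. Adjust if your own analysis points somewhere else.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MicrosoftUpdate"


def read_run_key():
    """Return {value_name: data} from the per-user Run key (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            values[name] = data
            i += 1
    return values


def check_artifacts(system, exists, run_values):
    """Return the artifacts present for one platform.

    system: platform.system() value ("Darwin", "Windows", "Linux")
    exists: callable path -> bool
    run_values: dict of per-user Run key values (empty off Windows)
    """
    found = []
    if system == "Darwin" and exists(MACOS_BINARY):
        found.append(MACOS_BINARY)
    if system == "Windows":
        if exists(WINDOWS_BAT):
            found.append(WINDOWS_BAT)
        if RUN_VALUE in run_values:
            found.append(f"HKCU\\{RUN_KEY}\\{RUN_VALUE} = {run_values[RUN_VALUE]!r}")
    # Linux: the article reports no persistence, only the initial exfiltration,
    # so there is no on-disk artifact here; the lockfile/node_modules scan applies.
    return found


def triage_this_host():
    """Run the check against the live machine."""
    system = platform.system()
    run_values = read_run_key() if system == "Windows" else {}
    return check_artifacts(system, os.path.exists, run_values)


if __name__ == "__main__":
    hits = triage_this_host()
    if hits:
        print("PERSISTENCE ARTIFACTS PRESENT, isolate this machine:")
        for h in hits:
            print("  " + h)
    else:
        print("no platform artifacts found (this does not rule out the initial exfiltration)")
```

An empty result only means the persistence pieces are absent; on Linux and on ephemeral runners the initial directory-listing exfiltration still counts as exposure, which is why the remediation section below keys off the lockfile and node_modules findings rather than this check alone.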
What to do
If you're not exposed (clean lockfile, no plain-crypto-js directory):
Pin to a safe version:
npm install axios@1.14.0 # 1.x
npm install axios@0.30.3 # 0.x
Add overrides (npm) or resolutions (Yarn) to package.json so transitive dependencies can't re-resolve to a bad version:
{
  "overrides": { "axios": "1.14.0" },
  "resolutions": { "axios": "1.14.0" }
}
Add npm ci --ignore-scripts to your CI/CD pipeline steps. This also skips legitimate lifecycle scripts, so packages that build native code at install time need their own explicit build step.
If you're exposed (directory found or lockfile match):
- If platform artifacts aren't present and the runner was ephemeral: rotate all injected CI secrets from a clean machine. Treat any pipeline output from that window as untrusted.
- If platform artifacts are present: isolate the machine from the network now. Do not use it for credential access or secret rotation.
- From a clean machine, rotate in this order: npm tokens, SSH keys, cloud credentials (~/.azure/, AWS, GCP), GitHub PATs, Docker registry credentials, kubeconfig tokens, .env secrets.
- Reformat and rebuild affected developer machines from a known-good image.
Sources
- Post Mortem: axios npm supply chain compromise
- axios@1.14.1 and axios@0.30.4 are compromised — new malicious version was released
- GHSA-fw8c-xr5c-95f9: Malware in axios
- GHSA-3hfp-gqgh-xc5g: axios supply chain attack – @lightdash/cli distributes malicious versions
- GHSA-658g-p7jg-wx5g / CVE-2026-34841: Axios Supply Chain Incident Affecting @usebruno/cli
- axios Compromised on npm — Malicious Versions Drop Remote Access Trojan (StepSecurity)
- Compromised axios npm package delivers cross-platform RAT (Datadog Security Labs)
- Supply Chain Attack on Axios Pulls Malicious Dependency from npm (Socket)
- axios on npm
Revision History
2026-04-07 — published
Initial Publish