The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a formal security alert warning organizations about a sophisticated software supply chain attack that compromised the Axios npm package, one of the most widely used JavaScript HTTP client libraries in the world, and used it to deploy a cross-platform Remote Access Trojan (RAT) linked to North Korean state-sponsored hackers.
Critical Axios npm Compromise
On March 31, 2026, a coordinated supply chain attack struck the official Axios npm registry, exploiting a compromised developer account to push poisoned package versions to millions of developers worldwide.
The attacker gained unauthorized access to the npm credentials of jasonsaayman, the lead maintainer of the Axios project, and published two backdoored releases, axios@1.14.1 (tagged “latest”) and axios@0.30.4 (tagged “legacy”), within a 39-minute window.
Both malicious versions injected a previously nonexistent phantom dependency, plain-crypto-js@4.2.1, into the Axios package manifest. Critically, this package was never imported by Axios’s runtime code; its sole purpose was to execute a postinstall script automatically upon running npm install or npm update, requiring zero user interaction.
Automated npm security scanners flagged the malicious dependency within minutes, and npm administrators removed the compromised packages shortly thereafter. Still, the attack window lasted approximately three hours, more than enough time to cause widespread damage.
North Korea’s Sapphire Sleet
Microsoft Threat Intelligence formally attributed this attack to Sapphire Sleet, a North Korean state-sponsored threat actor with a known history of targeting developer supply chains, cryptocurrency platforms, and financial institutions. Google’s threat teams independently tracked the same actor under the designation UNC1069, corroborating the attribution.
The attack reflects a high level of operational sophistication. Rather than modifying Axios’s source code, which would have triggered immediate code-review alerts, the attackers made a surgical, manifest-only change to insert the malicious plain-crypto-js dependency.
The C2 infrastructure was hosted at the domain Sfrclak[.]com, and malware payloads were platform-specific, targeting Windows, macOS, and Linux systems simultaneously. To evade forensic analysis, the malware self-destructed after execution, replacing its own artifacts with clean decoys.
Payload Analysis
Once plain-crypto-js was installed, its postinstall script executed and dropped a second-stage Remote Access Trojan (RAT) onto the infected developer machine or CI/CD environment. The malware’s capabilities were far-reaching:
- Credential theft: Cloud access keys, database passwords, API tokens, SSH keys, VCS tokens, and CI/CD pipeline secrets were harvested
- Persistent access: The RAT established long-term backdoor access on the compromised machine
- Cross-platform execution: Separate platform-specific binaries were deployed for Windows, macOS, and Linux
- Anti-forensics: The malware self-destructed post-execution to eliminate evidence trails
- Reconnaissance: System profiling, environment enumeration, and data exfiltration capabilities
According to Palo Alto Networks Unit 42, the impact was widespread, particularly affecting organizations that pull Axios as a transitive dependency, meaning companies that never directly installed Axios could still be compromised through another package in their dependency tree.
Recommended Remediation
CISA’s alert urges all organizations to take immediate action if they ran npm install or npm update during the attack window. The agency’s key remediation guidance includes:
- Downgrade immediately to axios@1.14.0 or axios@0.30.3 and delete the node_modules/plain-crypto-js/ directory
- Rotate and revoke all credentials potentially exposed, including VCS tokens, CI/CD secrets, cloud keys, npm tokens, and SSH keys; for ephemeral CI jobs, rotate every secret injected during the compromised run
- Block and monitor all outbound connections to Sfrclak[.]com domains at the network and DNS level
- Search artifact repositories and dependency caches for plain-crypto-js@4.2.1 and remove any cached versions
- Conduct EDR hunts and IOC sweeps to confirm no indicators of compromise remain and that no further C2 egress is occurring
Beyond immediate remediation, CISA recommends several proactive hardening measures to prevent similar supply chain attacks.
- Set ignore-scripts=true in your .npmrc configuration to block post-install scripts from executing during package installation
- Set min-release-age=7 in .npmrc to prevent the installation of packages published within the past seven days, reducing zero-day poisoning risks
- Pin dependency versions to known-safe releases and use npm ci (instead of npm install) in CI/CD pipelines to enforce lockfile integrity
- Mandate phishing-resistant MFA on all developer accounts, particularly for npm, GitHub, and other critical publishing platforms
- Establish behavioral baselines for tools using Axios and alert on anomalies such as unexpected child process spawning, container builds, or outbound network connections during install phases
Axios has over 100 million weekly npm downloads, making this one of the most impactful supply-chain compromises targeting the JavaScript ecosystem.
The incident underscores how a single compromised maintainer account can cascade into millions of potentially infected development environments globally.
FAQ
Q1: Which versions of Axios are affected by this supply chain compromise?
Only axios@1.14.1 and axios@0.30.4 are confirmed malicious; all other versions remain safe to use.
Q2: Who is responsible for the Axios npm supply chain attack?
Microsoft and Google attributed the attack to Sapphire Sleet (UNC1069), a North Korean state-sponsored threat actor.
Q3: How can I tell if the malicious Axios package compromised my system?
Check your node_modules for plain-crypto-js, review CI/CD logs from March 31, 2026, and run EDR hunts for connections to Sfrclak[.]com.
Q4: What is the safest immediate fix for the Axios npm vulnerability?
Downgrade to axios@1.14.0 or axios@0.30.3, delete plain-crypto-js from node_modules, and rotate all credentials on affected systems immediately.
Site: http://thecybrdef.com