Threat Intelligence

Axios npm Supply Chain Attack: North Korean Hackers Compromised 100 Million Weekly Downloads

April 3, 2026
Active incident: Two malicious versions of axios (1.14.1 and 0.30.4) were live on npm from March 31, 00:21 UTC for approximately three hours. Any machine that ran npm install during that window against an affected version range automatically received a cross-platform remote access trojan. If you run Node.js applications, check your lockfiles, scan for the indicators listed below, and rotate any secrets present in your CI environment.

What happened

At 00:21 UTC on March 31, 2026, two new axios versions appeared on npm: 1.14.1 and 0.30.4. Axios is the most widely used HTTP client in JavaScript, with over 100 million weekly downloads. If your applications depend on axios (and most Node.js applications do), this is not a theoretical concern. For development teams in the Maldives running Node.js stacks, this incident warrants an immediate check. Within three hours, npm pulled both versions. By then, any automated pipeline or developer machine that ran a fresh install had been silently compromised.

The attack started a day earlier. At 05:57 UTC on March 30, an unknown actor published plain-crypto-js@4.2.0, a clean, inert package that seeded the npm registry with a legitimate-looking identity. Eighteen hours later, they published plain-crypto-js@4.2.1 with a malicious postinstall hook buried inside. Then, using the hijacked account of jasonsaayman, one of axios's primary maintainers (its contact email had been quietly changed to ifstap@proton.me), they pushed two new axios releases listing plain-crypto-js as a runtime dependency.

That dependency is never used anywhere in axios's code. It exists to trigger the install-time script.

Time (UTC)        Event
2026-03-30 05:57  plain-crypto-js@4.2.0 published — clean decoy
2026-03-30 23:59  plain-crypto-js@4.2.1 published with malicious postinstall hook
2026-03-31 00:21  axios@1.14.1 released with poisoned dependency
2026-03-31 01:00  axios@0.30.4 released
2026-03-31 ~03:15 npm unpublishes both axios versions
2026-03-31 04:26  npm replaces plain-crypto-js with a security stub

Total live exposure: roughly three hours per version.

How the attack worked

When a developer or CI runner ran npm install against an affected axios version, npm also pulled plain-crypto-js@4.2.1. The package's postinstall hook immediately executed setup.js, an obfuscated Node.js dropper that decoded its strings with an XOR cipher and base64, detected the operating system, and delivered a platform-specific remote access trojan:

  • macOS: downloaded RAT to /Library/Caches/com.apple.act.mond, launched via osascript
  • Windows: copied PowerShell to %PROGRAMDATA%\wt.exe for persistence, executed via a hidden VBScript wrapper
  • Linux: downloaded a Python script to /tmp/ld.py, launched with nohup to orphan the process to PID 1

All three variants immediately called home to sfrclak.com:8000 (IP: 142.11.206.73). To cover its tracks, setup.js deleted itself and overwrote plain-crypto-js's package.json with a clean copy reporting version 4.2.0, so incident responders scanning node_modules would see the inert decoy version, not the malicious one.

[Diagram: attack chain] Hijacked maintainer account → axios@1.14.1 / 0.30.4 pushed to npm → plain-crypto-js@4.2.1 installed as dependency → postinstall hook executes setup.js → OS detection & RAT download → C2 beacon to sfrclak.com:8000. The setup.js step also branches to anti-forensics: self-destruct & version spoof.

The 18-hour staging gap between publishing the decoy and the malicious axios releases was not accidental. The attackers had the legitimate crypto-js source files ready to copy byte-for-byte to pass code analysis. The package.json modification was a single injected line. This had been planned well in advance, not improvised on the day.

[Image: CI pipeline compromise visualization — npm install triggering silent malware delivery]

Who was behind it

Microsoft Threat Intelligence attributed the attack to Sapphire Sleet, a North Korean state actor with a history of financially motivated operations against software supply chains, cryptocurrency exchanges, and financial institutions. Google's Threat Intelligence Group independently linked the same infrastructure to UNC1069, a North Korea-nexus group known for WAVESHAPER.V2, a backdoor consistent with the RAT payloads here.

The reason North Korean groups keep targeting software supply chains is simple arithmetic. A phishing campaign reaches dozens of targets. Poisoning a package with 100 million weekly downloads reaches hundreds of thousands of development environments in a single push. Most of those environments hold cloud credentials, API tokens, and database access in environment variables during a build. That is the actual target.

Are you affected?

Check whether all three apply: you ran npm install between approximately 00:21 and 03:15 UTC on March 31, 2026; your project used "axios": "^1.14.0" or "axios": "^0.30.0" (or any version range resolving to those); and you were using npm install rather than npm ci against a committed lockfile. If all three are true, treat the environment as compromised.

Check for these indicators of compromise:

  • plain-crypto-js directory in node_modules — this package has no reason to appear in any axios project
  • Outbound connections to sfrclak.com or 142.11.206.73:8000 in firewall or DNS logs
  • Files at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), or /tmp/ld.py (Linux)
  • Orphaned nohup processes on Linux servers that appeared during an npm install
  • CI logs showing package.json being overwritten during install

Note: the dropper deletes itself after executing. Not finding setup.js in node_modules does not mean the install was clean.
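The two checks above that leave durable evidence, the lockfile and the network logs, can be automated. The following is an added example, not code from the article or from the axios project: it flattens a package-lock.json (npm's v1 "dependencies" layout or the v2/v3 "packages" layout) into name/version pairs, flags the two pulled axios releases and any plain-crypto-js entry at all, and filters DNS or firewall log lines for the C2 host and IP the article names. The lockfile object and log lines are constructed samples; the project name booking-api and the runner hostname are made up.

```javascript
// Added example, not code from the article or the axios project. It scans a
// package-lock.json object and a batch of network log lines for the indicators
// the article lists. The lockfile and log lines below are constructed samples.
const AFFECTED_AXIOS = new Set(['1.14.1', '0.30.4']);
const C2_INDICATORS = ['sfrclak.com', '142.11.206.73'];

// Flatten a lockfile into {name, version} pairs. v2/v3 lockfiles list every
// package under "packages" keyed by its node_modules path; v1 lockfiles nest
// them under "dependencies". v2 carries both, so only one branch is used.
function lockfileEntries(lock) {
  const out = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '') continue; // the root project entry
      const name = p.slice(p.lastIndexOf(marker) + marker.length);
      out.push({ name, version: meta.version, hasInstallScript: !!meta.hasInstallScript });
    }
  } else {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        out.push({ name, version: meta.version, hasInstallScript: false });
        walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Findings from the lockfile alone: the pulled axios releases and any
// plain-crypto-js entry at all (the article notes axios never uses it).
function scanLockfile(lock) {
  const findings = new Set();
  for (const { name, version, hasInstallScript } of lockfileEntries(lock)) {
    if (name === 'axios' && AFFECTED_AXIOS.has(version)) {
      findings.add(`axios@${version}: pulled malicious release`);
    }
    if (name === 'plain-crypto-js') {
      findings.add(`plain-crypto-js@${version}: must not appear in an axios project` +
        (hasInstallScript ? ' (lockfile records an install script)' : ''));
    }
  }
  return [...findings];
}

// Lines from DNS or firewall logs that mention the C2 host or IP.
function scanLogs(lines) {
  return lines.filter((line) => C2_INDICATORS.some((ioc) => line.includes(ioc)));
}

// Constructed sample lockfile (v3) as npm would write it after an npm install
// that resolved axios ^1.14.0 to the malicious release.
const sampleLock = {
  name: 'booking-api',
  lockfileVersion: 3,
  packages: {
    '': { name: 'booking-api', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};

// Constructed sample log lines from a CI runner during the exposure window.
const sampleLogs = [
  '2026-03-31T00:47:12Z ci-runner-03 dns query sfrclak.com type=A',
  '2026-03-31T00:47:13Z ci-runner-03 fw allow tcp 10.20.0.14:51822 -> 142.11.206.73:8000',
  '2026-03-31T00:48:01Z ci-runner-03 fw allow tcp 10.20.0.14:51830 -> registry.npmjs.org:443',
];

console.log('lockfile findings:', scanLockfile(sampleLock));
console.log('log hits:', scanLogs(sampleLogs));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and against exported DNS or firewall logs. The lockfile check only works if the lockfile was written during the window; if npm install ran without a lockfile being committed, the network logs are the better record.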

What to do right now

If you ran npm install on March 31, treat the environment as compromised until you can prove otherwise. Rotate secrets first, before anything else: cloud keys, API tokens, deploy credentials, database passwords. All of it. Then:

  1. Verify your axios version. Run npm list axios. If you see 1.14.1 or 0.30.4, do not reuse that environment.

  2. Check for plain-crypto-js. Run ls node_modules | grep plain-crypto-js. Its presence confirms the malicious postinstall executed on that machine.

  3. Rotate all secrets from affected environments. Treat every credential that was accessible during the build as stolen.

  4. Switch to npm ci with a committed lockfile. Unlike npm install, npm ci installs exactly what is in the lockfile and fails on discrepancies. This stops unexpected dependencies from appearing in automated builds.

  5. Add --ignore-scripts to CI installs. npm ci --ignore-scripts prevents postinstall hooks from executing. This would have blocked the payload entirely. Most projects do not need install-time scripts from their dependencies.

  6. Review CI logs from March 31. Check for outbound network requests to sfrclak.com or 142.11.206.73 between 00:21 and 06:00 UTC.

What this means for organisations in the Maldives

Axios is not a niche tool. It is the default HTTP client in virtually every JavaScript and Node.js project built in the last decade. Resort booking engines, payment gateway integrations, eGovernment API portals, mobile banking backends: if it runs JavaScript, it almost certainly uses axios.

Most organisations in the Maldives have no visibility into what actually runs during a CI build. Without outbound network logging on build servers and runtime process monitoring, a self-destructing dropper leaves almost nothing to find. Absence of evidence is not evidence of absence.

The sectors with the most direct exposure:

Tourism and hospitality. Booking platforms, channel managers, and PMS integrations are heavily built on Node.js, often with CI pipelines that auto-update dependencies. A compromised CI runner holds cloud provider credentials, database connection strings, and payment API keys in memory during a build. If your deployment pipeline ran npm install unattended on March 31, audit what executed.

Financial services. The MMA IT Risk Management Guidelines require licensed financial institutions to manage third-party software risk. A supply chain attack of this type, where a trusted, widely used package silently delivers malware, falls squarely within that obligation. Institutions that cannot show they monitored for this incident may face questions at the next IT risk review.

Government digital services. MCIT-backed eGovernment platforms and digital identity systems increasingly rely on JavaScript APIs. Government CI/CD pipelines often have less runtime monitoring than commercial deployments, which makes this category of attack harder to detect after the fact.

If your organisation builds or deploys web applications and you are not sure what happened on March 31, our supply chain and application security service covers dependency risk, CI/CD pipeline hardening, and incident response readiness. Contact us to discuss your situation.