How Axios npm Attack Hit Millions in 2026

Categories: Trending News
Post by: Rohan

In late March 2026, a big security problem hit the JavaScript world. The popular library called Axios was attacked through the npm package manager. Axios helps developers make HTTP requests easily and has more than 100 million downloads every week. It is used in hundreds of thousands of projects.

Attackers took control of one of the main maintainers' npm account. They published two bad versions of Axios: version 1.14.1 and version 0.30.4. These versions looked normal but carried a hidden danger. This is called a supply chain attack because the bad code came through a trusted tool that many people use.

This blog explains everything in simple words: what happened, how the attack worked, who might be affected, how to check your computer or server, and what steps you must take right now to stay safe.


What is Axios and Why Was It a Big Target?

Axios is a JavaScript library that makes it simple to send and receive data from websites or servers. Many apps and websites use it every day. Because so many people depend on it, any problem in Axios can affect a huge number of developers, companies, and CI/CD pipelines.

The library has been popular for over 10 years because it makes coding easier. But this popularity also made it a good target for attackers.


Timeline of the Axios npm Attack

Here is what happened step by step:

  • About 18 hours before the main attack, the bad package plain-crypto-js was created.
  • On March 31, 2026, around midnight UTC, the attackers published two malicious versions of Axios.
  • Version 1.14.1 was published at about 00:21 UTC.
  • Version 0.30.4 was published shortly after at about 01:00 UTC.
  • The bad versions stayed on npm for roughly 39 minutes to 3 hours before they were removed.
  • The attack was discovered very quickly during live investigation by security experts.
  • Maintainers took back control of the account and removed the bad packages.

Even though the time was short, many people and automated systems could have installed the bad versions during that window.


How the Attack Worked – Simple Explanation

The attackers did not change the main Axios code. That would have been easy to spot. Instead, they did something clever.

They added one new line in the package.json file. This line added a fake dependency called plain-crypto-js version 4.2.1. This package looks similar to the real crypto-js library but it is completely fake and made only for the attack.

When someone ran "npm install" or updated Axios, the plain-crypto-js package was installed automatically as well. This fake package declared a postinstall script, which npm runs right after installation without asking the user.


What Did the Post-Install Script Do?

The script worked like this:

  1. It checked which operating system you were using (Windows, Linux, or macOS).
  2. It connected to a remote command and control server (one address mentioned was sfrclack.com:8000).
  3. It downloaded a second piece of bad software – a Remote Access Trojan (RAT).
  4. The RAT was saved and started running on your machine.
  5. After that, the script cleaned up by deleting itself and the bad files. It even replaced the package.json with a clean version so it looked normal again.

This cleanup made the attack very hard to find later.


What Can the RAT Do?

Once the RAT is running, it gives the attackers full control over the infected machine. It can:

  • Steal passwords, API keys, AWS credentials, OpenAI tokens, SSH keys, and files from Desktop, Documents, and other folders.
  • Stay hidden and keep running.
  • On Windows, it sets itself to start automatically using the registry.
  • Send stolen data back to the attackers.
  • Allow remote commands, code injection, or even kill itself if needed.

The RAT works on Windows, Linux, and macOS, making it very dangerous for many types of systems, including developer laptops and CI/CD servers.


How Did the Attackers Get Into the Axios Account?

The main maintainer's npm account was hijacked. The attackers used a long-lived access token. The email on the account was changed to a Proton Mail address ([email protected]).
It is still not fully clear how they got the token. Some reports say recovery codes might have been used, even with two-factor authentication turned on. The attackers also bypassed normal GitHub Actions trusted publishing by using direct CLI publish.
This shows that even good security practices can sometimes be beaten if account access is lost.

Who Might Be Affected?

Anyone who installed or updated to Axios version 1.14.1 or 0.30.4 during the window on March 31, 2026 described above could be affected.
Remember: You do not need to use Axios directly. Many other packages depend on it, so the bad version could come in silently.
Developer machines, build servers, CI/CD pipelines, and even production environments are at risk if the install happened with scripts enabled.

How to Check If Your System Is Infected – Step by Step

Follow these simple checks:

Step 1: Check Axios Version

Run this command in your project folder:

npm list axios


Look for version 1.14.1 or 0.30.4. If you see it, you may have a problem.

Also check globally:

npm list -g axios


Step 2: Look for the Fake Package

Search your node_modules for plain-crypto-js.

Run:

npm list plain-crypto-js


If it shows up, the attack likely reached your system.

Step 3: Check Lock Files

Open package-lock.json or yarn.lock and search for "1.14.1", "0.30.4", or "plain-crypto-js".


Step 4: Run Platform-Specific Checks

Security experts gave commands for Windows, macOS, and Linux to look for signs of the RAT. (You can find detailed commands in official guides from StepSecurity, Microsoft, or Elastic Security Labs).

Look for any contact with suspicious domains like sfrclack.com or unusual processes.

If You Find Anything Suspicious

Treat your machine as fully compromised. Do not just delete files.


What to Do If You Are Infected – Important Actions

  1. Immediately change (rotate) all API keys, passwords, tokens, and secrets used on that machine. This includes AWS, OpenAI, GitHub, npm, database keys – everything.
  2. Downgrade Axios to a safe version: Use 1.14.0 or 0.30.3.
  3. Delete node_modules and reinstall from clean packages.
  4. Consider wiping and reinstalling the whole system (reimaging) for high-security setups.
  5. Follow full remediation guides from trusted sources like Microsoft or StepSecurity.


Why This Attack Is So Serious

  • It was very stealthy – the real Axios code stayed clean.
  • The cleanup removed most traces.
  • It hit a very popular package used by millions.
  • It worked in CI/CD environments where secrets are often stored.
  • Supply chain attacks like this can spread fast because one small change upstream affects thousands of projects.

This is not the first supply chain attack, but it is one of the most advanced on npm in recent times.


Lessons We Can Learn from the Axios Incident

  1. Never fully trust any third-party package. Even popular ones can be compromised.
  2. Use lockfiles to pin package versions, and use tooling that refuses very new releases (for example pnpm's minimum release age setting).
  3. Keep secrets safe – do not store them in plain .env files on developer machines. Use proper secret managers.
  4. Run development work in isolated environments like Docker or separate virtual machines when possible.
  5. Turn on two-factor authentication everywhere and protect recovery codes carefully.
  6. Monitor your dependencies regularly.

Many experts say we should think twice before adding too many dependencies. Sometimes the built-in fetch in modern JavaScript is enough and safer.

The Axios supply chain attack of March 2026 reminds us how connected and fragile our software world is. One hacked maintainer account was enough to put many systems at risk. If you use JavaScript or Node.js, take a few minutes today to check your projects. Rotate your keys if there is any doubt. Stay careful and keep learning about supply chain security. The open source world depends on trust, but we all need to add smart checks to protect that trust.