Axios npm Supply Chain Attack: Malicious Package Drops Remote Access Trojan

---
title: "Axios npm Supply Chain Attack: Malicious Package Drops Remote Access Trojan"
short_title: "Axios npm compromise drops RAT via supply chain"
description: "CISA warns of a supply chain attack on Axios npm packages, injecting malicious dependencies that deploy remote access trojans. Learn how to detect, mitigate, and secure your systems."
author: "Vitus"
date: 2024-10-25
categories: [Cybersecurity, Vulnerabilities]
tags: [axios, npm, supply-chain-attack, malware, remote-access-trojan]
score: 0.85
cve_ids: []
---

## TL;DR
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a supply chain compromise affecting the Axios npm package. Attackers injected a malicious dependency, plain-crypto-js@4.2.1, into versions axios@1.14.1 and axios@0.30.4, which downloads multi-stage payloads, including a remote access trojan (RAT). Organizations must review code repositories, rotate credentials, and block malicious domains to mitigate risks.


## Main Content

### Introduction
A supply chain attack targeting the widely used Axios npm package has sent shockwaves through the developer community. On March 31, 2026, cyber threat actors compromised two versions of Axios (axios@1.14.1 and axios@0.30.4) by injecting a malicious dependency, plain-crypto-js@4.2.1. This dependency downloads multi-stage payloads, including a remote access trojan (RAT), from attacker-controlled infrastructure.

Axios, an HTTP client for JavaScript, is a cornerstone in Node.js and browser-based applications, making this compromise particularly alarming. The Cybersecurity and Infrastructure Security Agency (CISA) has released urgent guidance to help organizations detect, remediate, and prevent further exploitation.


### Key Points
- Compromised Versions: axios@1.14.1 and axios@0.30.4 were injected with the malicious dependency plain-crypto-js@4.2.1.
- Malicious Payload: The dependency downloads multi-stage payloads, including a remote access trojan (RAT), from threat actor infrastructure.
- Impacted Environments: Developers using Node.js or browser-based applications with the compromised Axios versions are at risk.
- CISA Recommendations: Organizations must monitor code repositories, rotate credentials, and block malicious domains to mitigate risks.
- Safe Versions: Downgrade to axios@1.14.0 or axios@0.30.3 to avoid exploitation.


### Technical Details

#### Attack Vector
The attack leverages a supply chain compromise to distribute malicious code. The threat actors injected the dependency plain-crypto-js@4.2.1 into the legitimate Axios npm packages. When developers ran npm install or npm update, the malicious dependency was automatically downloaded and executed, deploying multi-stage payloads from the domain Sfrclak[.]com.

The payloads included:
- Remote Access Trojan (RAT): Allows attackers to gain persistent access to compromised systems.
- Command and Control (C2) Communication: Enables attackers to exfiltrate data, execute commands, and maintain control over infected systems.

#### Indicators of Compromise (IOCs)
- Malicious Dependency: plain-crypto-js@4.2.1
- Compromised Axios Versions: axios@1.14.1 and axios@0.30.4
- Malicious Domain: Sfrclak[.]com
- Anomalous Host Behavior: Unexpected child processes spawned during npm install or npm update.


### Impact Assessment

#### Who Is Affected?
- Developers: Using compromised Axios versions in Node.js or browser environments.
- Organizations: Relying on CI/CD pipelines or code repositories that installed or updated the malicious packages.
- End Users: Applications built with the compromised Axios versions may expose users to data theft, unauthorized access, or further malware distribution.

#### Potential Risks
- Data Breaches: Attackers can exfiltrate sensitive data from compromised systems.
- Unauthorized Access: The RAT provides attackers with persistent access to infected environments.
- Supply Chain Contamination: Malicious code can propagate to downstream applications and services.


### Mitigation Steps

CISA recommends the following actions to detect, remediate, and prevent exploitation:

#### Immediate Actions
1. Review and Monitor:
   - Audit code repositories, CI/CD pipelines, and developer machines that ran npm install or npm update with the compromised Axios versions.
   - Search for cached versions of affected dependencies in artifact repositories and dependency management tools.

2. Revert to Safe Versions:
   - Downgrade to axios@1.14.0 or axios@0.30.3.
   - Delete the malicious directory: node_modules/plain-crypto-js/.

3. Rotate Credentials:
   - Revoke and rotate credentials exposed on affected systems, including:
     - Version control system (VCS) tokens
     - CI/CD secrets
     - Cloud keys
     - npm tokens
     - SSH keys
   - For ephemeral CI jobs, rotate all secrets injected into the compromised run.

4. Block Malicious Domains:
   - Monitor and block outbound connections to Sfrclak[.]com.

5. Conduct Threat Hunts:
   - Perform continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no IOCs remain.
   - Ensure no further egress to the command and control (C2) server.
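The audit in step 1 can be scripted against lockfiles. The following is an added example (not CISA's tooling or code from the Axios project) that scans a parsed package-lock.json for the compromised axios versions and the plain-crypto-js dependency named above, including nested copies; the embedded lockfile is constructed for illustration.

```javascript
// Added example: audit a package-lock.json object for the versions named in the
// advisory. Supports lockfile v2/v3 (flat "packages" map keyed by node_modules
// path) and v1 (nested "dependencies" tree). Not CISA's or Axios's own code.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Returns one {path, name, version} record per hit, nested installs included.
function auditLockfile(lock) {
  const hits = [];
  const check = (path, name, version) => {
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) {
      hits.push({ path, name, version });
    }
  };
  if (lock.packages) {
    // v2/v3: "" is the root project; other keys end in the package name
    // (scoped packages keep their "@scope/name" after the last node_modules/)
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      check(path, name, meta.version);
    }
  } else if (lock.dependencies) {
    // v1: walk the nested dependencies tree, building the node_modules path
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (v3): one hoisted compromised axios, the injected
// dependency, and a safe nested axios that must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/legacy-tool/node_modules/axios': { version: '1.14.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; run it over every lockfile in the repository and over any CI cache of node_modules, not just the root one.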

#### Long-Term Security Measures
1. Enforce Phishing-Resistant MFA:
   - Mandate phishing-resistant multifactor authentication (MFA) for all developer accounts, especially on critical platforms.

2. Secure npm Configuration:
   - Set ignore-scripts=true in the .npmrc configuration file to prevent package lifecycle scripts from executing during npm install.
   - Set min-release-age=7 in .npmrc to only install packages published for at least seven days, reducing the risk of installing unvetted or malicious packages.

3. Establish Behavioral Baselines:
   - Create a baseline of normal execution behavior for tools using Axios.
   - Alert on anomalous behavior, such as unexpected child processes or network connections.
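To verify the npm configuration in step 2 across many repositories, the following added example (not npm's or CISA's own code) parses .npmrc text and reports which of the two hardening settings is missing or weakened; a weak and a hardened .npmrc are constructed inline for comparison.

```javascript
// Added example: check .npmrc contents for the two hardening settings in the
// advisory (ignore-scripts=true, min-release-age>=7). Not npm's or CISA's code.

// Minimal .npmrc parser: key=value lines, "#" and ";" comments ignored.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Returns a list of problems; an empty list means both settings are in force.
// Distinguishes "not set" from "set to a weak value" so the report is actionable.
function checkNpmrc(text) {
  const cfg = parseNpmrc(text);
  const problems = [];
  if (cfg['ignore-scripts'] !== 'true') {
    problems.push(cfg['ignore-scripts'] === undefined
      ? 'ignore-scripts is not set (lifecycle scripts run during npm install)'
      : `ignore-scripts=${cfg['ignore-scripts']} (must be true)`);
  }
  const age = Number.parseInt(cfg['min-release-age'], 10);
  if (Number.isNaN(age) || age < 7) {
    problems.push(cfg['min-release-age'] === undefined
      ? 'min-release-age is not set (freshly published versions install at once)'
      : `min-release-age=${cfg['min-release-age']} (must be at least 7)`);
  }
  return problems;
}

// Constructed samples: the weak file explicitly re-enables scripts and sets no
// release-age floor; the hardened file applies both recommended settings.
const WEAK_NPMRC = [
  '# constructed sample, weak',
  'registry=https://registry.npmjs.org/',
  'ignore-scripts=false',
].join('\n');
const HARDENED_NPMRC = [
  '; constructed sample, hardened',
  'registry=https://registry.npmjs.org/',
  'ignore-scripts=true',
  'min-release-age=7',
].join('\n');

console.log('weak:', checkNpmrc(WEAK_NPMRC));
console.log('hardened:', checkNpmrc(HARDENED_NPMRC));
```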


## Conclusion
The Axios npm supply chain compromise underscores the growing threat of supply chain attacks targeting open-source packages. Developers and organizations must remain vigilant, adopt proactive security measures, and follow CISA’s guidance to mitigate risks. By downgrading to safe versions, rotating credentials, and enforcing secure npm practices, organizations can reduce their exposure to this and future threats.

For more details, refer to the resources below and stay updated on emerging threats in the cybersecurity landscape.


## References
[^1]: GitHub. "Post Mortem: axios npm supply chain compromise #10636". Retrieved 2024-10-25.
[^2]: Microsoft. "Mitigating the Axios npm supply chain compromise". Retrieved 2024-10-25.
[^3]: StepSecurity. "axios Compromised on npm - Malicious Versions Drop Remote Access Trojan". Retrieved 2024-10-25.
[^4]: npm Docs. "Securing your code". Retrieved 2024-10-25.
[^5]: Socket. "Supply Chain Attack on Axios Pulls Malicious Dependency from npm". Retrieved 2024-10-25.