Axios NPM supply chain incident
Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager (npm) package, during which two malicious versions (v1.14.1 and v0.30.4) were deployed. Axios is one of the most popular JavaScript libraries, with as many as 100 million downloads per week.
Axios is a widely deployed HTTP client library for JavaScript that simplifies HTTP requests, specifically for REST endpoints. The malicious packages were only available for approximately three hours, but if either was downloaded, Talos strongly encourages rolling back all deployments to the previous known safe versions (v1.14.0 or v0.30.3). Additionally, Talos strongly recommends that users and administrators investigate any systems that downloaded the malicious package for follow-on payloads from actor-controlled infrastructure.
Details of supply chain attack
The primary modification of the packages introduced a fake runtime dependency (plain-crypto-js) that executes via post-install without any user interaction required. Upon execution, the dependency reaches out to actor-controlled infrastructure …
IoC
http://142.11.206.73
http://Sfrclak.com
http://setup.js
142.11.206.73
ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101
fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a