Breaking Down the Axios Supply Chain Attack
On March 31, 2026, an attacker compromised the npm account of axios’s primary maintainer and published two malicious versions ([email protected] and [email protected]), each containing a single new dependency: plain-crypto-js. With more than 100 million weekly downloads, the blast radius was enormous. npm pulled both versions within approximately three hours, but the damage window was real. We pulled the malicious package and took it apart. Here’s what we found.
The Phantom Dependency
A binary diff between [email protected] and [email protected] reveals exactly one file changed: package.json. All 85 library source files are bit-for-bit identical. The only modification was a single line added to dependencies: "plain-crypto-js": "^4.2.1"
Here’s what makes this interesting: plain-crypto-js is never require()’d anywhere in axios. Not in a source file, and not in a test. It exists solely for its postinstall hook, a script that runs automatically during npm install. The remaining 55 source files in the plain-crypto-js package are exact copies of [email protected]. Only three files were attacker-created: setup.js, package.json, and a file called package.md. More on that …
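As an added example (not code from the original write-up, and not axios or npm code), here is a small Node.js audit that turns the two observations above into checks: a declared dependency that nothing in the source tree ever requires or imports, and a dependency whose own manifest runs a script at install time. The package names, versions and script names in the sample data are constructed.

```javascript
// Added example (not from the original write-up or from axios/npm): flag
// dependencies that no source file ever require()s or imports, and list
// dependencies whose own manifest declares an npm lifecycle install script.
// All inputs are constructed in-memory samples; a real audit reads the files.

const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /\bfrom\s+['"]([^'"]+)['"]|\bimport\s+['"]([^'"]+)['"]/g;
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall'];

// "lodash/fp" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg".
const packageName = (s) => (s.startsWith('@') ? s.split('/').slice(0, 2).join('/') : s.split('/')[0]);

// Every bare (non-path) specifier referenced by require() or import.
function referencedPackages(sources) {
  const found = new Set();
  for (const code of Object.values(sources)) {
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      for (const m of code.matchAll(re)) {
        const spec = m[1] || m[2];
        if (spec && !/^[./]/.test(spec)) found.add(packageName(spec));
      }
    }
  }
  return found;
}

// Declared under "dependencies" but never referenced: a phantom dependency.
function phantomDependencies(pkg, sources) {
  const used = referencedPackages(sources);
  return Object.keys(pkg.dependencies || {}).filter((d) => !used.has(d)).sort();
}

// Dependencies whose own package.json would run a script during npm install.
function installScriptDependencies(depManifests) {
  return Object.entries(depManifests)
    .filter(([, m]) => LIFECYCLE_SCRIPTS.some((k) => m.scripts && m.scripts[k]))
    .map(([name]) => name).sort();
}

// Constructed sample manifest, sources and dependency manifests (hypothetical).
const samplePkg = { dependencies: { 'http-helper': '^1.0.0', 'plain-crypto-js': '^4.2.1' } };
const sampleSources = {
  'lib/adapters/http.js': "const helper = require('http-helper');",
  'lib/utils.js': "import fs from 'node:fs';",
};
const sampleDepManifests = {
  'http-helper': { scripts: { test: 'mocha' } },
  'plain-crypto-js': { scripts: { postinstall: 'node setup.js' } },
};
console.log(phantomDependencies(samplePkg, sampleSources), installScriptDependencies(sampleDepManifests));
```

A dependency that appears in both lists, as plain-crypto-js does in this sample, is the pattern described above: it contributes nothing to the library and exists only to run at install time.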
IoC