Elastic releases detections for the Axios supply chain compromise
Elastic Security Labs is releasing an initial triage and detection rules for the Axios supply-chain compromise. We have released a detailed analysis of the Axios compromise RAT and payloads.
Elastic Security Labs filed a GitHub Security Advisory to the axios repository on March 31, 2026 at 01:50 AM UTC to coordinate disclosure and ensure the maintainers and npm registry could act on the compromised versions.
Introduction
We are currently tracking a supply chain attack involving malicious Axios package versions that introduce a secondary dependency used for post-install execution. Rather than embedding malicious logic directly into the primary package, the attacker leveraged a transitive dependency to trigger execution during installation and deploy a cross-platform payload.
Elastic observed consistent execution patterns across impacted systems immediately after npm install of the malicious Axios versions (1.14.1, 0.30.4). The added dependency ([email protected]) executed during postinstall and was quickly followed by a second-stage payload.
Across Linux, Windows, and macOS, the activity followed the …
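The two checks a practitioner wants after reading the above, as an added example (this is not Elastic's detection rules and not axios project code): walk a package-lock.json for the Axios versions named here, and list every installed package that declares an install-time lifecycle script, since the malicious code ran from a postinstall hook of an added dependency rather than from axios itself. It assumes a lockfileVersion 2/3 lockfile and a map of installed package.json manifests; the sample inputs and the "example-helper" package are constructed, not real data.

```javascript
'use strict';

// Versions named in the write-up as malicious.
const MALICIOUS_AXIOS_VERSIONS = new Set(['1.14.1', '0.30.4']);

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Walk a lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/axios" or "node_modules/foo/node_modules/axios".
function findMaliciousAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last segment is the package name
    if (name === 'axios' && MALICIOUS_AXIOS_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Given a map of install path -> package.json contents (what you get by
// reading node_modules/**/package.json), list every package that would run
// code during install and which hook it uses.
function findInstallHooks(manifests) {
  const out = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        out.push({ path, name: pkg.name, version: pkg.version, hook, command: scripts[hook] });
      }
    }
  }
  return out;
}

function audit(lock, manifests) {
  return { axios: findMaliciousAxios(lock), hooks: findInstallHooks(manifests) };
}

// Constructed sample lockfile: one top-level axios at a malicious version and a
// nested, older axios that is not on the list.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/legacy-tool/node_modules/axios': { version: '0.30.3' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// Constructed sample manifests; "example-helper" is a hypothetical package
// standing in for a dependency with an install hook.
const sampleManifests = {
  'node_modules/axios': { name: 'axios', version: '1.14.1', scripts: { test: 'mocha' } },
  'node_modules/follow-redirects': { name: 'follow-redirects', version: '1.15.6' },
  'node_modules/example-helper': {
    name: 'example-helper', version: '1.0.0',
    scripts: { postinstall: 'node setup.js' },
  },
};

console.log(JSON.stringify(audit(sampleLock, sampleManifests), null, 2));
```

On a real tree, feed the parsed package-lock.json to findMaliciousAxios and a directory walk of node_modules/**/package.json to findInstallHooks. Installing with npm's --ignore-scripts flag (or setting the ignore-scripts config) would have stopped the postinstall hook from running at all; the trade-off is that legitimate native-module builds that rely on install scripts then have to be run deliberately.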
IoC
URLs
http://packages.npm.org/product0
http://packages.npm.org/product1
http://packages.npm.org/product2
http://sfrclak.com
http://sfrclak.com:8000/
http://sfrclak.com:8000/6202033
http://142.11.206.73
IP address
142.11.206.73
npm package
[email protected]
File hashes (SHA-256)
ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7
e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff
92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a
File hashes (SHA-1)
07d889e2dadce6f3910dcbc253317d28ca61c766
d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
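A retro-hunt over the indicators above, as an added example (not Elastic's detection rules): the network indicators are reduced to hostnames and the IP and matched against proxy log lines, including subdomains of the listed hosts, and the file hashes are matched case-insensitively against a hash inventory. The log lines and inventory below are constructed, not real captures; the log format is an assumption.

```javascript
'use strict';

// Network indicators from the IoC list, reduced to the hosts and IP that a
// proxy or DNS log would record.
const IOC_HOSTS = new Set(['packages.npm.org', 'sfrclak.com']);
const IOC_IPS = new Set(['142.11.206.73']);

// File hashes from the IoC list (five SHA-256, two SHA-1), lowercased.
const IOC_HASHES = new Set([
  'ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c',
  'e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09',
  '6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7',
  'e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff',
  '92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a',
  '07d889e2dadce6f3910dcbc253317d28ca61c766',
  'd6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71',
]);

// Any dotted token: pulls hosts out of URLs, host=... fields and bare IPs.
const DOTTED_TOKEN_RE = /[a-z0-9-]+(?:\.[a-z0-9-]+)+/gi;

// Return the sorted, unique indicators found in one log line. A token matches a
// host indicator exactly or as a subdomain of it.
function matchIndicators(line) {
  const found = new Set();
  for (const m of line.matchAll(DOTTED_TOKEN_RE)) {
    const tok = m[0].toLowerCase();
    if (IOC_IPS.has(tok)) { found.add(tok); continue; }
    for (const host of IOC_HOSTS) {
      if (tok === host || tok.endsWith('.' + host)) found.add(tok);
    }
  }
  return [...found].sort();
}

// Keep only the lines that hit, with the indicators that fired.
function scanProxyLog(lines) {
  const hits = [];
  for (const line of lines) {
    const indicators = matchIndicators(line);
    if (indicators.length) hits.push({ line, indicators });
  }
  return hits;
}

// inventory: [{ path, sha256?, sha1? }]. Hashes are compared lowercased.
function matchFileHashes(inventory) {
  return inventory.filter((e) =>
    [e.sha256, e.sha1].some((h) => typeof h === 'string' && IOC_HASHES.has(h.toLowerCase())));
}

// Constructed sample log lines (key=value proxy format is an assumption).
const SAMPLE_PROXY_LOG = [
  '2026-03-31T01:12:04Z client=10.0.0.15 method=GET url=http://packages.npm.org/product0 status=200',
  '2026-03-31T01:12:05Z client=10.0.0.15 method=GET url=http://sfrclak.com:8000/6202033 status=200',
  '2026-03-31T01:12:07Z client=10.0.0.15 method=GET url=https://registry.npmjs.org/axios/-/axios-1.14.1.tgz status=200',
  '2026-03-31T01:13:40Z client=10.0.0.22 dst=142.11.206.73:443 action=allow',
];

// Constructed hash inventory; paths are placeholders.
const SAMPLE_INVENTORY = [
  { path: '/tmp/sample-a', sha256: 'ED8560C1AC7CEB6983BA995124D5917DC1A00288912387A6389296637D5F815C' },
  { path: '/usr/bin/true', sha256: '0000000000000000000000000000000000000000000000000000000000000000' },
  { path: '/tmp/sample-b', sha1: 'd6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71' },
];

console.log(JSON.stringify({
  network: scanProxyLog(SAMPLE_PROXY_LOG),
  files: matchFileHashes(SAMPLE_INVENTORY).map((e) => e.path),
}, null, 2));
```

The legitimate registry.npmjs.org line is deliberately included to show that the suffix check does not confuse npmjs.org with the listed npm.org host; when adapting the host list, keep indicators at the registered-domain level only if you intend every subdomain to fire.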