One of the most popular JavaScript packages on earth, Axios, has been compromised
The Axios NPM package has been compromised and the maintainer of the project has been locked out of their account. This will go down in history as one of the most successful software supply chain attacks ever.
6mile
March 31, 2026
15 min read
npm
axios
github
Axios Compromised
Dissecting a Sophisticated NPM Supply Chain Attack: The axios + plain-crypto-js Malware Campaign
TL;DR: The npm packages axios v1.14.1 and v0.30.4 were compromised with a malicious dependency plain-crypto-js that deploys cross-platform Remote Access Trojans (RATs). The malware uses multi-stage infection, heavy obfuscation, and OS-specific payloads to achieve persistent remote access. C2: sfrclak.com (142.11.206.73:8000).
Introduction
Supply chain attacks targeting package managers have become increasingly sophisticated. In this analysis, we dissect a particularly well-crafted attack that compromised the popular axios HTTP client library by injecting a malicious dependency called plain-crypto-js. This campaign demonstrates advanced tradecraft including multi-stage payloads, platform-specific RATs, and clever …