lazarusholic

Everyday is lazarus.dayβ

Post Mortem: axios npm supply chain compromise

2026-04-02, AxiosHttp
https://github.com/axios/axios/issues/10636
#Axios #NPM

Contents

Post Mortem: axios npm supply chain compromise #10636
Date: March 31, 2026
Author: Jason Saayman
Status: Remediation in progress
On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were published to the npm registry through my compromised account. Both versions injected a dependency called [email protected] that installed a remote access trojan on macOS, Windows, and Linux.
The malicious versions were live for about 3 hours before being removed.
Are you affected?
Check your lockfile:
grep -E "axios@(1\.14\.1|0\.30\.4)|plain-crypto-js" package-lock.json yarn.lock 2>/dev/null
If anything comes back, treat that machine as compromised:
- Downgrade to [email protected] (or 0.30.3 for 0.x users)
- Delete node_modules/plain-crypto-js/
- Rotate every secret, token, and credential on that machine
- Check your network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000
- If this happened on a CI runner, rotate any secrets that were injected during the affected build
If you were already pinned to a clean version and …
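The grep above is a quick first pass. As an added check (not part of the post-mortem or the axios project), the script below parses the two lockfile formats named above instead of pattern-matching them: npm's package-lock.json records each package's version in a separate "version" field rather than as an axios@1.14.1 string, so a structured scan reports every resolved axios entry at 1.14.1 or 0.30.4, and every plain-crypto-js entry at any version, across lockfile v1, v2/v3 and yarn v1 layouts. The sample lockfiles are constructed for the demonstration, and the plain-crypto-js version in them is a placeholder because the page does not state the real one.

```python
# Added example, not from the advisory or the axios project: structured scan of
# package-lock.json (v1 "dependencies" tree and v2/v3 "packages" map) and yarn v1
# lockfiles for the indicators the post-mortem lists.
import json
import re
import sys

# Indicators taken from the advisory text.
BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
INJECTED_DEP = "plain-crypto-js"


def _flag(name, version):
    """True when a resolved package matches one of the advisory's indicators."""
    if name == INJECTED_DEP:
        return True  # any version of the injected dependency is a hit
    return name == "axios" and version in BAD_AXIOS_VERSIONS


def scan_package_lock(text):
    """Scan package-lock.json content; return a sorted list of (name, version) hits."""
    data = json.loads(text)
    hits = set()

    # Lockfile v2/v3: "packages" is keyed by install path, e.g.
    # "node_modules/axios/node_modules/plain-crypto-js"; the name is the last path part.
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "")
        if _flag(name, version):
            hits.add((name, version))

    # Lockfile v1 (and the compatibility block in v2): nested "dependencies" tree.
    def walk(deps):
        for name, meta in deps.items():
            version = meta.get("version", "")
            if _flag(name, version):
                hits.add((name, version))
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return sorted(hits)


_YARN_VERSION = re.compile(r'^\s+version\s+"([^"]+)"')


def scan_yarn_lock(text):
    """Scan yarn v1 lockfile content; return a sorted list of (name, version) hits."""
    hits = set()
    current_names = set()
    for line in text.splitlines():
        stripped = line.rstrip()
        # An entry header is an unindented, non-comment line ending in ":", listing
        # one or more "name@range" selectors separated by commas.
        if stripped and not stripped[0].isspace() and not stripped.startswith("#") \
                and stripped.endswith(":"):
            current_names = set()
            for selector in stripped[:-1].split(","):
                selector = selector.strip().strip('"')
                # The name is everything before the last "@" (scoped names start with "@").
                current_names.add(selector.rsplit("@", 1)[0])
            continue
        m = _YARN_VERSION.match(line)
        if m:
            for name in current_names:
                if _flag(name, m.group(1)):
                    hits.add((name, m.group(1)))
    return sorted(hits)


def scan_lockfile_text(text):
    """Dispatch on content: JSON is package-lock.json, anything else is treated as yarn v1."""
    if text.lstrip().startswith("{"):
        return scan_package_lock(text)
    return scan_yarn_lock(text)


# Constructed sample lockfiles (not real project data); "0.0.0-constructed" is a
# placeholder because the advisory does not give the plain-crypto-js version.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.1"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "0.0.0-constructed"},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
})

SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"axios@^1.14.0", axios@1.14.1:
  version "1.14.1"
  resolved "https://registry.example.invalid/axios/-/axios-1.14.1.tgz"
  dependencies:
    plain-crypto-js "0.0.0-constructed"

plain-crypto-js@0.0.0-constructed:
  version "0.0.0-constructed"

"@scope/clean@^2.0.0":
  version "2.3.1"
"""

CLEAN_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"axios": {"version": "1.14.0",
                               "dependencies": {"follow-redirects": {"version": "1.15.9"}}}},
})

if __name__ == "__main__":
    # Usage: python scan_lockfiles.py package-lock.json yarn.lock ...
    paths = sys.argv[1:]
    if not paths:
        print("constructed samples:", scan_lockfile_text(SAMPLE_PACKAGE_LOCK),
              scan_lockfile_text(SAMPLE_YARN_LOCK), scan_lockfile_text(CLEAN_PACKAGE_LOCK))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(path, scan_lockfile_text(fh.read()))
```

A hit for plain-crypto-js at any version, or for axios at one of the two listed versions, means the machine should be handled according to the steps above; pnpm and yarn berry lockfiles are not covered by this scan and still need the grep or a format-specific check.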

IoC

sfrclak[.]com
142.11.206.73 (port 8000)