THREAT INTELLIGENCE

Axios npm Supply Chain Attack Delivers Cross-Platform RAT

Affected Environment
Organisations using axios npm versions 1.14.1 or 0.30.4, and any build chains that pulled those versions in. Any environment with node_modules/plain-crypto-js present should be treated as exposed.

Threat Overview
Attackers hijacked the axios npm package using a stolen token and added a ghost dependency, plain-crypto-js. That dependency deployed a cross-platform RAT with anti-forensic "self-healing" behaviour that rewrites local package metadata to hide the malicious version.

Exposure Timeline
Malicious plain-crypto-js and axios versions were published late 30–31 March 2026. npm removed the axios versions and placed a security hold on the dependency on 31 March.

Attack Surface
Exposure exists wherever compromised axios versions or plain-crypto-js were installed. Both direct and transitive npm dependencies increase the likelihood of silent adoption.

Technical Root Cause
Attackers used a long-lived npm access token to bypass the GitHub OIDC (trusted publishing) safeguards. The malicious versions were published manually with that token rather than through the CI workflow, so their registry metadata lacks the trustedPublisher and gitHead fields that a workflow-published release carries.
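The missing provenance fields are something a defender can check for directly. The following is an added example, not Smarttech247's tooling: it scans the per-version manifests of an npm registry packument and flags versions lacking gitHead or trustedPublisher. The field names come from the advisory; the nesting of trustedPublisher under _npmUser, the sample manifest values and the auditPackage helper are assumptions for illustration.

```javascript
// Added example (not the advisory's own code): flag npm package versions whose
// registry metadata lacks the provenance a trusted-publishing (GitHub OIDC)
// release would carry. `gitHead` and `trustedPublisher` are the field names
// from the advisory; placing `trustedPublisher` under `_npmUser` is an
// assumption about the packument layout.

// Constructed sample of a packument's `versions` map. Values are placeholders;
// only the presence or absence of the provenance fields matters here.
const SAMPLE_VERSIONS = {
  "1.14.0": {
    version: "1.14.0",
    gitHead: "0000000000000000000000000000000000000000", // placeholder commit id
    _npmUser: {
      name: "ci-bot",
      trustedPublisher: { id: "github", oidcConfigId: "placeholder-config-id" },
    },
  },
  "1.14.1": {
    version: "1.14.1",
    _npmUser: { name: "maintainer-account" }, // manual token publish: no provenance
  },
};

// Return the names of the provenance fields missing from one version manifest.
function provenanceGaps(manifest) {
  const gaps = [];
  if (typeof manifest.gitHead !== "string" || manifest.gitHead.length === 0) {
    gaps.push("gitHead");
  }
  const tp = manifest._npmUser && manifest._npmUser.trustedPublisher;
  if (!tp || typeof tp !== "object") {
    gaps.push("trustedPublisher");
  }
  return gaps;
}

// Scan every version in a packument and return { version: [missing fields] }
// for the ones that lack provenance. Versions that carry both fields are omitted.
function findUnprovenancedVersions(versions) {
  const findings = {};
  for (const [ver, manifest] of Object.entries(versions)) {
    const gaps = provenanceGaps(manifest);
    if (gaps.length > 0) findings[ver] = gaps;
  }
  return findings;
}

// Apply the same check to a live packument (Node 18+ global fetch). Hypothetical
// helper; it is not executed at load time.
async function auditPackage(name, registry = "https://registry.npmjs.org") {
  const res = await fetch(`${registry}/${encodeURIComponent(name)}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  const packument = await res.json();
  return findUnprovenancedVersions(packument.versions || {});
}
```

A version that shows up here is not automatically malicious: many legitimate packages are still published with tokens. The useful signal is a version whose provenance differs from its neighbours, as with the sample above where 1.14.0 carries both fields and 1.14.1 carries neither.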

Exploitation Pathway
Installing a backdoored axios version pulled in plain-crypto-js as a ghost dependency. Its RAT executed on install, then altered local package metadata to disguise the malicious version, so a later look at node_modules may not show the version that was actually installed.

Operational Impact
Compromise enables remote access, persistence, process inventory and data exfiltration. macOS, Windows and Linux hosts may be affected, including development and CI systems.

Strategic Impact
This incident shows that compromised developer tokens can bypass CI-based protections. It highlights systemic supply chain risk from widely used npm packages and dependencies.

Required Mitigation
Remove the malicious axios versions and plain-crypto-js, and downgrade to axios 1.14.0 or 0.30.0. Use package-manager overrides to pin axios away from the malicious versions, rotate all secrets that were reachable from affected hosts, and block the listed C2 indicators.

Incident Response Guidance
Hunt for IoCs: the malicious package versions in lockfiles and node_modules, RAT disk artifacts, and C2 network activity. If any artifacts are present, treat the host as compromised and rebuild it from a known-good image before reuse; because the RAT alters local package metadata, an absence of the bad version on disk is not proof of a clean host.
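The lockfile hunt from the incident response guidance and the overrides step from the mitigation section can be done together. The script below is an added example, not the advisory's or the Smarttech247 report's own tooling: it walks a parsed package-lock.json (lockfileVersion 2/3, a packages map keyed by node_modules path), reports any axios entry at 1.14.1 or 0.30.4 and any plain-crypto-js entry, and builds the package.json overrides block that pins axios to the clean 1.14.0 or 0.30.0 release. The sample lockfile is constructed, and the choice of 0.30.0 versus 1.14.0 from the root dependency range is a simple heuristic.

```javascript
// Added example (not the advisory's own tooling): hunt a package-lock.json for
// the indicators named in the advisory and build the overrides that pin axios
// to a clean release. Takes the already-parsed lockfile object, so callers use
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to feed it.

const MALICIOUS_AXIOS = new Set(["1.14.1", "0.30.4"]); // versions from the advisory
const CLEAN_AXIOS = { "1.x": "1.14.0", "0.x": "0.30.0" }; // downgrade targets from the advisory
const GHOST_DEPENDENCY = "plain-crypto-js";

// Constructed lockfile fragment: a direct axios dependency resolved to the bad
// version, with the ghost dependency installed beside it. The plain-crypto-js
// version string is a placeholder, not a real published version.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/follow-redirects": { version: "1.15.0" },
  },
};

// The package name is whatever follows the last "node_modules/" segment, which
// also handles nested installs such as node_modules/a/node_modules/axios.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// One finding per exposed lockfile entry; an empty array means nothing matched.
function findExposure(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not an installed package
    const name = packageNameFromPath(path);
    if (name === "axios" && MALICIOUS_AXIOS.has(entry.version)) {
      findings.push({ path, name, version: entry.version, reason: "malicious axios version" });
    } else if (name === GHOST_DEPENDENCY) {
      findings.push({ path, name, version: entry.version, reason: "ghost dependency present" });
    }
  }
  return findings;
}

// Build the package.json "overrides" object. Projects declaring a 0.x range get
// 0.30.0, everything else gets 1.14.0 (heuristic on the root dependency spec).
function buildOverrides(lockfile) {
  const root = (lockfile.packages && lockfile.packages[""]) || {};
  const declared = (root.dependencies && root.dependencies.axios) || "";
  const onZeroLine = /^[\^~]?0\./.test(declared.trim());
  return { axios: onZeroLine ? CLEAN_AXIOS["0.x"] : CLEAN_AXIOS["1.x"] };
}
```

Pinning axios with overrides and reinstalling removes plain-crypto-js along with the malicious version, since nothing legitimate depends on it. Pair this with the rotation and rebuild steps above: the lockfile scan tells you which hosts and pipelines ran the install, not whether the RAT has already been executed on them.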

References
Source details are in Smarttech247 research and cited public analyses of the axios attack. Key references include reports from The Hacker News, Aikido, StepSecurity, and OX Security.
