CISA warns Axios npm compromise delivered a RAT in a major supply chain attack


CISA has warned that the Axios npm package was compromised in a supply chain attack that delivered a remote access trojan to developers who installed two malicious releases. The affected versions were axios@1.14.1 and axios@0.30.4, both published on March 31, 2026 through a compromised maintainer account.

The incident stands out because Axios is one of the most widely used JavaScript HTTP clients in the ecosystem. Microsoft said the malicious packages reached projects whose dependency ranges, such as axios@^1.14.0 or axios@^0.30.0, resolved to the newly published versions, which means fresh installs on developer machines, build servers, and CI/CD pipelines could have pulled the backdoored releases automatically.

CISA’s April 20 alert said the malicious Axios versions introduced a dependency named plain-crypto-js. That package then connected to attacker-controlled infrastructure and fetched a second-stage RAT, creating a direct path from a routine package install to compromise of development environments.

What happened in the Axios compromise

Axios maintainer Jason Saayman said in a public post-mortem that the malicious versions were published through his compromised npm account and stayed live for about three hours before removal. He said both versions injected plain-crypto-js, which installed a RAT on macOS, Windows, and Linux.

Microsoft’s security team said the malicious dependency contacted a command-and-control domain owned by Sapphire Sleet to retrieve the next-stage malware. That made the incident more than a simple package tampering event. It became an active malware delivery chain tied to a known threat actor cluster.

StepSecurity, which first flagged the compromise publicly, said the plain-crypto-js package was never imported anywhere in Axios source code. Its value to the attacker came from its install-time behavior, not from application logic. That is a classic signal of a supply chain implant built to execute during dependency installation rather than during normal runtime.

Why this attack is so serious

A compromised developer dependency can hit far more than one app. It can expose laptops, build agents, package pipelines, repository credentials, signing keys, and cloud secrets, all from a single trusted install command. CISA’s alert tells organizations to review developer endpoints, source repositories, and CI/CD systems immediately because any environment that ran npm install, npm ci, or npm update against the malicious versions may have been exposed.

The RAT angle raises the stakes further. Microsoft said the malicious packages downloaded a second-stage RAT from the attacker’s infrastructure, while multiple security firms described it as a cross-platform backdoor capable of reaching macOS, Linux, and Windows systems. That means the blast radius extends well beyond one repository or one package lockfile.

Because Axios is so widely used, the exposure window matters even though the bad versions were removed quickly. Security researchers noted that popular packages can propagate into many fresh builds in just a few hours, especially in automated environments that resolve new versions without strong release-delay controls.

What versions were affected

The malicious Axios releases were 1.14.1 and 0.30.4. Saayman’s post-mortem and Microsoft’s mitigation guidance both identify those as the compromised versions. Safe downgrade targets include axios@1.14.0 and axios@0.30.3.

The malicious dependency was plain-crypto-js. StepSecurity, Socket, and Microsoft all tied that package to the malware chain, and CISA echoed the same dependency name in its alert.

Researchers also noted that the malicious dependency looked like a typo-style attempt to resemble the legitimate crypto-js package. That naming choice helped it blend in during review and reduced the chance that developers would notice the new dependency immediately.

At a glance

| Item | Detail |
| --- | --- |
| Compromised package | Axios |
| Malicious versions | axios@1.14.1, axios@0.30.4 |
| Malicious dependency | plain-crypto-js |
| First-stage impact | Malicious dependency installed during package installation |
| Second-stage impact | RAT downloaded from attacker infrastructure |
| Safe versions to use | axios@1.14.0, axios@0.30.3 |

Supported by CISA, Axios, and Microsoft guidance.

What organizations should do now

Organizations should first identify every place Axios was installed or updated around March 31, 2026. CISA says teams should review code repositories, developer workstations, and CI/CD pipelines, then revert impacted environments to a known safe state if compromised dependencies are found.

The next step is cleanup and credential response. CISA says defenders should remove node_modules/plain-crypto-js/, downgrade Axios to 1.14.0 or 0.30.3, revoke and rotate exposed credentials, and block outbound access to sfrclak[.]com. Microsoft’s guidance aligns closely with those steps.

Teams should also assume deeper exposure where suspicious installs occurred. Several security firms recommended treating affected environments as potentially fully compromised because the malware ran during installation and delivered a remote access payload, not just a one-off info stealer or nuisance script.

Long-term lessons for npm security

CISA’s alert highlights a broader dependency risk that many organizations still underestimate. A trusted package can become an attack vector if the maintainer account or release process is compromised, even when the source repository itself shows no obvious malicious commit history.

Microsoft and other responders recommended stronger package hygiene, including reviewing install-time scripts, tightening account security, and adding controls that slow automatic adoption of newly published versions. Guidance circulated after the incident also mentions .npmrc hardening such as ignore-scripts=true and min-release-age=7, which matches the general direction security teams have pushed since.

This attack also shows why release-delay policies matter. If organizations allow every new package version into production the moment it appears, the window between malicious publication and internal compromise becomes extremely small. A short delay, combined with behavior monitoring and strong account security, can block a large share of this type of supply chain abuse. That conclusion is an inference, supported by the short live window of the malicious Axios releases and the rapid downstream risk described by responders.

  • Downgrade Axios to 1.14.0 or 0.30.3.
  • Remove node_modules/plain-crypto-js/ from any affected project.
  • Rotate cloud keys, npm tokens, SSH keys, and CI/CD secrets if affected installs occurred.
  • Block outbound traffic to sfrclak[.]com and inspect for related connections.
  • Review developer endpoints and build systems for unexpected child processes or suspicious network activity during npm installs.
  • Add stricter npm controls, including safer handling of install scripts and delayed adoption of brand-new package releases.

FAQ

Which Axios versions were compromised?

The compromised releases were axios@1.14.1 and axios@0.30.4.

What package delivered the malware?

The malicious dependency was plain-crypto-js.

What did the malicious package do?

It contacted attacker infrastructure and downloaded a second-stage RAT onto the victim system.

Is reinstalling Axios enough?

Not always. If the malicious versions were installed, responders recommend broader incident-response steps such as credential rotation, environment review, and reverting to a known safe state.
