🚨 THE AXIOS HACK: Your node_modules just became a crime scene. 🕵️♂️🦠

If you use Axios, read this. One of the most trusted libraries (100M+ downloads/week!) was just hit by a sophisticated supply chain attack. 🕵️♂️🦠

As a Senior AI Full-Stack Engineer, I’ve seen my share of vulnerabilities, but this one is a masterclass in deception. Here is exactly what happened and why it's a wake-up call for all of us:

The Breach 🔓💀
A lead maintainer’s npm account was hijacked. The attacker didn't touch the Axios source code—they were smarter. They added a "phantom dependency" called plain-crypto-js.

The Payload 📡⚡
The moment you ran npm install, a post-install script triggered. Within SECONDS—before the install even finished—it deployed a cross-platform Remote Access Trojan (RAT) targeting Mac, Windows, and Linux.

The Stealth 🧹👻
It didn’t just steal keys; it wiped its own tracks, replacing malicious files with "clean" decoys to fool incident responders. It even bypassed GitHub Actions' OIDC protections because it was a manual publish.

My Key Takeaways for the Team:
1️⃣ Pin Your Versions: Never trust the caret (^). Lock your versions and audit your package-lock.json for axios@1.14.1 or 0.30.4.
2️⃣ Disable Scripts in CI: Use npm ci --ignore-scripts to stop malicious post-install hooks from firing in your build pipelines.
3️⃣ Trust, but Verify: A "trusted" maintainer is still a human with a password. If a package suddenly adds a weird dependency, RED FLAG. 🚩

We’re treating package updates like a mystery box. It's time to start looking inside. 📦🎰

Are you auditing your lockfiles today, or just hitting "update" and praying? 👇

#SoftwareEngineering #CyberSecurity #Javascript #WebDev #AI #SupplyChainAttack
Axios Supply Chain Attack: Lock Versions, Disable Scripts
More Relevant Posts
On March 31, 2026, Axios, one of the world's most downloaded JavaScript libraries (100M+ installs/week), was poisoned after a social engineering attack on the primary developer: the attacker stole his account credentials and used them to publish the malicious version. Axios versions 1.14.1 and 0.30.4 shipped with a hidden remote access trojan that executed the moment developers ran npm install. For 3 hours, the "latest" tag or version pointed to malware. If you updated axios in the 00:21–03:15 UTC window, your system is likely compromised.

Here's your reading list:
• How a stolen npm token bypassed GitHub Actions entirely
• Why detection failed (the obvious red flag no one caught)
• The 60-minute remediation checklist that actually works
• Why this keeps happening—and how to stop it

This isn't just about axios. This is about the structural weakness in how we've built modern software infrastructure.

I just published a deep technical breakdown covering:
- The account takeover mechanism
- How plain-crypto-js evaded detection
- Why provenance metadata matters
- What changes need to happen at npm
- The defense strategies that actually work

Read the full analysis: https://lnkd.in/gT85iMWg

If you're managing dependencies at scale, or you're tired of finding out about compromises after they hit production—this one's for you. The packages you trust today could be poisoned tomorrow. The only defense is staying paranoid.

#Security #DevOps #JavaScript #SupplyChainSecurity #Cybersecurity
🚨 I’m late to this… but every developer should see this.

A recent issue involving axios exposed a serious risk 👇
Not a bug. Not a crash.
👉 A supply chain attack.

⚠️ What actually happened?
Attackers compromised the npm ecosystem and published malicious Axios versions (1.14.1, 0.30.4). These versions secretly included a harmful dependency:
- plain-crypto-js@4.2.1 (malicious package)
- Installed automatically during npm install
- Executed hidden scripts

This payload could:
- Steal sensitive data 🔐
- Execute commands remotely
- Install a Remote Access Trojan (RAT) 💥

The scary part? This wasn’t a fake package…
👉 It was published from a compromised official account
Meaning even trusted libraries can become attack vectors

🛡️ What you should do
- Avoid affected versions: 1.14.1, 0.30.4
- Audit your package-lock.json / yarn.lock
- Rotate API keys if exposed
- Reinstall dependencies from clean sources
- Use security tools (Snyk, npm audit, etc.)

🔗 Reference https://lnkd.in/gCtkpb5w

💡 Final thought
This post may be late… But the lesson isn’t.
👉 Don’t just trust packages — verify them.

#FullStackDeveloper #FrontendDeveloper #BackendDeveloper #WebDeveloper #JavaScript #TypeScript #NodeJS #ReactJS #Angular #VueJS #SoftwareEngineer #SoftwareDevelopment #Coding #Programming #CyberSecurity #AppSecurity #InfoSec #OWASP #SupplyChainAttack #OpenSource #DevCommunity #TechCommunity #Developers #CloudComputing #DevOps #SystemDesign #TechAwareness
Something serious happened yesterday and most developers don't know about it yet. Two things hit at the same time on March 31st.

First - The axios attack. Axios is one of the most used npm libraries in the world. 100 million downloads every week. Someone hacked the maintainer's npm account, locked them out, and pushed two poisoned versions — 1.14.1 and 0.30.4. These versions had a RAT inside them. A Remote Access Trojan. Meaning if it ran on your machine, someone else could access it remotely. The scary part? They didn't touch GitHub at all. They pushed directly through npm's CLI so no one would notice. Google's security team traced this back to a North Korean hacker group called UNC1069. This was not random. This was planned.

Second — Claude Code's source code leaked. Anthropic shipped an update to Claude Code and accidentally bundled an internal debug file with it. That file pointed to a cloud folder with nearly 500,000 lines of their internal code. Within two hours it had 50,000 GitHub stars. Anthropic confirmed it was human error, not a hack.

Two separate incidents. Same day. Terrible timing.

Who should be worried? If you ran npm install or updated Claude Code between 12:21 AM and 3:29 AM UTC on March 31st — check your machine right now. Run this:

grep -r "1\.14\.1\|0\.30\.4\|plain-crypto-js" package-lock.json

If you see those versions or a package called plain-crypto-js anywhere in your lockfile, your machine may already be compromised. Rotate every secret key, API token, and password you have. Don't wait.

What should you do now? Stop installing Claude Code via npm. Anthropic itself now recommends the native installer:

curl -fsSL https://lnkd.in/gVmfAMxz | bash

Enable 2FA on your npm account if you haven't. Check your lockfiles. Audit dependencies you haven't looked at in months. Rotate secrets even if you think you're fine.

Who's to blame? The axios hack — hackers stole the maintainer's account. Not his fault. The attackers were sophisticated and patient. The Claude Code leak — someone at Anthropic packaged the wrong files into a public release. Honest mistake but a bad one.

Here's the thing nobody talks about. We spend so much time worried about whether AI is safe. But yesterday showed the real risk isn't the AI model. It's the npm package you installed six months ago without thinking twice. We're building serious products on dependencies we've never audited. One hijacked package. One bad update. That's enough.

Check your lock file. Rotate your keys. And please share this with your team.

#CyberSecurity #ClaudeCode #axios #npm #SupplyChainAttack #DeveloperTips #LearnAISeries
🚨 OpenAI disclosed a macOS app certificate revocation after a malicious supply chain event involving the Axios library impacted their GitHub Actions workflow on March 31. Though no user data or internal systems were compromised, this incident highlights vulnerabilities in code-signing automation.

📊 Key details:
- The malicious Axios library was downloaded via a compromised GitHub Actions workflow.
- Certificate revocation was enacted immediately to protect app legitimacy.
- The supply chain compromise surfaced within hours, limiting exposure time.
- No internal OpenAI environment or user data were affected.
- This is part of a larger trend with 30% of software supply chain attacks exploiting CI/CD pipelines in Q1 2026.

🔍 The threat leveraged dependency injection during build automation, a high-risk vector for supply chain attacks. OpenAI's swift action to revoke app certificates and audit CI/CD workflows demonstrates an essential defensive strategy in limiting dwell time and potential lateral movement. Security teams must incorporate continuous supply chain integrity checks and multi-factor code-signing to mitigate such risks effectively.

💭 The incident underscores why hardening CI/CD pipelines and scrutinizing build dependencies must be a top priority across development frameworks. The data speaks for itself—code-signing certificates are critical control points that attackers target for widespread impact.

#ThreatIntelligence #SupplyChainAttack #CI_CD #Malware #CodeSigning #SecureDevelopment #CyberResilience #SoftwareSecurity #OpenSourceSecurity #IncidentResponse

source: https://lnkd.in/g5zP4jQT
🚨 A package you trust. 300M downloads/week. Compromised for 2 hours. That was enough.

On March 31, 2026 — axios was weaponized in a supply chain attack. Here's what happened.

An attacker hijacked a legitimate axios maintainer account on npm and published:
→ axios@1.14.1
→ axios@0.30.4

Both versions were live for ~3 hours (00:21 – 03:29 UTC). Anyone running npm install in that window pulled down a Remote Access Trojan (RAT).

⚙️ HOW IT WORKED:
No axios source code was touched. Instead, a hidden dependency plain-crypto-js@4.2.1 was injected. Its postinstall hook automatically:
1️⃣ Detected your OS
2️⃣ Downloaded a platform-specific RAT from a C2 server
3️⃣ Deleted all evidence of itself

🍎 macOS → Fake Apple daemon, beaconed every 60s
🪟 Windows → PowerShell RAT disguised as wt.exe
🐧 Linux → Python script at /tmp/ld.py

🔴 CHECK IF YOU'RE AFFECTED:
grep -E '1\.14\.1|0\.30\.4' package-lock.json
npm ls plain-crypto-js

IOCs to hunt:
• macOS: /Library/Caches/com.apple.act.mond
• Windows: %PROGRAMDATA%\wt.exe
• Linux: /tmp/ld.py
• Network: sfrclak[.]com / 142.11.206.73:8000

🛡️ PROTECT YOUR PIPELINES:
✅ Use npm ci — not npm install — in CI/CD
✅ Add --ignore-scripts to block postinstall hooks
✅ Pin versions & commit your lockfiles
✅ Integrate Snyk or Socket into your pipeline
✅ Monitor outbound connections from build agents

If affected → isolate immediately, rotate ALL secrets, rebuild from clean.

This wasn't a zero-day. It was a compromised account + ecosystem trust + an unprotected postinstall hook. Lockfiles are your first line of defense. npm ci --ignore-scripts is your second.

Don't wait for the next axios. Audit your pipelines today.

Blog Link: https://lnkd.in/dHXBjkdY

#DevOps #DevSecOps #SupplyChainSecurity #CyberSecurity #npm #axios #CICD #AppSec #InfoSec #OpenSourceSecurity #PipelineSecurity #SecurityEngineering #CloudSecurity #ZeroTrust
🚨 Axios Supply Chain Attack
A Critical Lesson for Developers & Security Teams

A major supply chain compromise has impacted one of the most widely used JavaScript libraries, Axios. On March 31, 2026, attackers gained access to a maintainer’s npm account and published malicious versions:
axios@1.14.1
axios@0.30.4

These versions included a hidden dependency (plain-crypto-js) that executed a post-install script, deploying a cross-platform Remote Access Trojan (RAT) affecting macOS, Windows, and Linux. According to Snyk, this attack allowed malware to execute simply by running npm install, meaning developers, CI/CD pipelines, and build systems could be compromised without any code changes. (Snyk)

This was not a typical vulnerability. The attacker leveraged trust in the ecosystem by injecting a malicious dependency into an official package release.

📌 Official Advisory (CSA Singapore): https://lnkd.in/ghr7FUPn
📌 GitHub Incident Thread: https://lnkd.in/gWHuPPzY
📌 Deep Technical Breakdown (Snyk): https://lnkd.in/gErdDc86

🔍 What you should do
- Avoid axios@1.14.1 and axios@0.30.4
- Audit lockfiles for affected versions
- Check for plain-crypto-js in dependencies
- Rotate credentials if exposure is possible
- Review CI/CD logs for unusual install-time activity
- Rebuild affected systems from a clean state if needed

🧠 Key takeaway
This incident reinforces a critical shift in security:
👉 The biggest risk is no longer just vulnerabilities in code
👉 It is trust in the software supply chain itself

Even highly trusted packages can become attack vectors within minutes when distribution channels are compromised. Strong practices like lockfile enforcement, dependency pinning, controlled updates, and monitoring install-time behavior are now essential.

#CyberSecurity #SupplyChainSecurity #NodeJS #DevSecOps #Infosec
🚨 URGENT: Major Supply Chain Attack on Axios Library!

If you are a developer or managing a tech team, stop what you are doing and check your dependencies immediately. A critical security breach has been identified in Axios, one of the most widely used JavaScript libraries for API calls.

What happened?
Hackers compromised an Axios maintainer's account and injected a malicious package directly into the source code. This isn't just a bug—it’s a targeted supply chain attack.

The Risk:
The compromised versions deploy a Remote Access Trojan (RAT), giving attackers full control over the infected system.

Check your projects for these compromised versions:
v0.30.4
v1.14.1

Immediate Actions Required:
1. Audit Your Repo: Search your package.json and lockfiles for the versions mentioned above.
2. Update or Remove: Upgrade to a patched version immediately or remove the library if an update isn't available.
3. Rotate Credentials: If you were running these versions, assume your environment variables are compromised. Change all API keys, secrets, and passwords immediately.
4. AI Tool Warning: If you use AI agents like Claude Code or Codex, be extremely cautious. These tools may automatically install the latest (and potentially compromised) versions while executing tasks.

Don't wait until you're breached. Security is a collective responsibility—share this with your fellow devs to keep the ecosystem safe! 🛡️

#WebDev #CyberSecurity #Javascript #Programming #Axios #SupplyChainAttack #SoftwareEngineering
🚨 Axios Supply Chain Attack – A Wake-Up Call for Developers

In the last couple of days, the developer community witnessed yet another supply chain attack, this time involving Axios (or related npm packages).

👉 Important clarification: This was NOT a flaw in Axios itself, but a compromised package version published to npm.

---

🔍 What actually happened?
An attacker likely gained access to a maintainer account or npm token and pushed a malicious version of the package. This version potentially:
- Exfiltrated environment variables
- Leaked API keys, JWT secrets, DB credentials
- Sent sensitive data to external servers

---

⚠️ Why this is serious
If your project installed the affected version:
- Your backend secrets could be exposed
- CI/CD pipelines might be compromised
- Production systems could be at risk

---

🛡️ Immediate actions you should take
✅ Check installed version of Axios
✅ Reinstall dependencies with a clean lockfile
✅ Rotate ALL secrets (don’t skip this!)
✅ Audit your dependencies ("npm audit")
✅ Monitor unusual outbound traffic

---

💡 Lessons for every developer
This incident reinforces a harsh reality:
👉 Your application is only as secure as your dependencies

Start adopting:
- Exact version pinning (avoid "^" and "~")
- Lockfile enforcement ("npm ci")
- Dependency scanning tools (Snyk, Dependabot)
- Secure handling of npm tokens in CI/CD

---

🧠 Final thought
We often focus on writing secure code, but modern attacks are shifting toward what we install, not what we write.

Stay alert. Stay updated. Stay secure. 🔐

#CyberSecurity #NodeJS #JavaScript #WebDevelopment #SupplyChainAttack #DevSecOps #SoftwareEngineering
JavaScript devs, this one's serious. Please take 2 minutes to read this.

Yesterday someone pulled off one of the scariest npm attacks I've seen in a while. axios, the HTTP library literally every Node.js project uses, got backdoored.

The attacker didn't do anything flashy. They just quietly took over the npm account of axios's lead maintainer, changed the email, locked him out, and pushed two malicious versions (1.14.1 and 0.30.4). That's it. No dramatic code injection into axios itself; they just slipped in a fake dependency called plain-crypto-js that ran a postinstall script and dropped a Remote Access Trojan on your machine. Mac, Windows, Linux all affected.

It was live for about 3 hours. 3 hours on a package with 100M+ weekly downloads.

North Korean state-sponsored hackers are being blamed for this one, which honestly explains the level of sophistication: double obfuscated dropper, platform-specific payloads, anti-forensic cleanup. This wasn't some script kiddie.

If your CI/CD pipeline or dev machine ran npm install anywhere between 00:21 and 03:29 UTC on March 31, you need to act now:

Check your lock file first:
grep -E '1\.14\.1|0\.30\.4' package-lock.json

If you're affected, don't just update the package and move on. Assume full breach. Revoke everything: API keys, SSH keys, GitHub tokens, cloud credentials. All of it. Check your outbound traffic for any connections to sfrclak[.]com

The packages are gone from npm now, but if they ran on your system, the malware already did its job.

What frustrates me most about this is how simple the actual attack was. The npm ecosystem trusts maintainer accounts completely and that's the vulnerability. Not the code. The trust.

Lock down your machines. Talk to your team. And maybe finally look into tools that verify package integrity before install.

Stay safe everyone

#JavaScript #NodeJS #CyberSecurity #OpenSource #SupplyChainAttack #axios