Supply Chain Attack on Axios npm Packages
TL;DR
In March 2026, Cisco Talos identified a supply chain attack involving malicious versions of the Axios npm package, widely used in JavaScript development. Users who downloaded these compromised versions are urged to rollback to safe versions and investigate their systems for any potential follow-on impacts.
Main Analysis
On March 31, 2026, Cisco Talos reported a critical supply chain attack targeting the Axios node package, affecting notable versions (v1.14.1 and v0.30.4) that were available for a short duration of three hours. Axios, a prevalent HTTP client library for JavaScript with a staggering 100 million downloads weekly, was compromised through this attack, raising severe concerns due to its extensive use in application development. The modification introduced a fake runtime dependency, plain-crypto-js, which executed automatically after installation without requiring user interaction, facilitating the delivery of malicious payloads tailored to specific operating systems.
The payloads varied by operating system, demonstrating a calculated approach by the threat actors. On MacOS, a binary named “com.apple.act.mond” was downloaded and executed utilizing zsh. Windows users faced a PowerShell script that manipulated a legitimate executable, while Linux systems received a Python backdoor. Collectively, these exploits resulted in the deployment of a remote access trojan (RAT), allowing the attackers to gather sensitive information and possibly execute subsequent attacks.
Cisco Talos emphasized the need for organizational vigilance, as the scope of impact from such supply chain incidents often remains elusive and may unfold over time. The attackers not only exfiltrated credentials but also established remote management capabilities, raising the stakes for any organizations that interacted with the compromised versions. As compromised credentials pose a risk for follow-on attacks, Talos urged organizations to treat any credentials associated with the affected systems as potentially exposed and move swiftly to rotate them.
Defensive Context
Organizations utilizing the Axios library need to prioritize reviewing their dependency management practices. Entities who downloaded the malicious package should focus on an immediate investigation of their systems to identify any unauthorized actions that might have stemmed from the attack, especially if they are responsible for critical applications or manage sensitive data.
Why This Matters
Real-world consequences are significant, especially for organizations actively using JavaScript libraries like Axios for their applications. The multitude of impacted environments underscores the widespread risk posed by the attackers. Companies without adequate monitoring or dependency checks may find themselves vulnerable to follow-on breaches.
Defender Considerations
Detection efforts should be intensified, particularly around the identified IP address (142[.]11[.]206[.]73) and domains (Sfrclak[.]com) linked to the attack. Organizations should investigate any systems that may have downloaded the malicious packages and ensure that they revert to previous known good versions (v1.14.0 or v0.30.3). Maintain vigilance for any signs of RAT activity in logs, especially for services routinely targeted in similar supply chain attacks.
Indicators of Compromise (IOCs)
– IP Address: 142[.]11[.]206[.]73
– Domains: Sfrclak[.]com
– SHA256:
– e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (setup[.]js)
– fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (Linux)
– 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (Windows)
– 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (MacOS)
– ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (6202033.ps1)
