Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected


Attackers stole a long-lived npm access token belonging to the lead maintainer of Axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a cross-platform remote access trojan. The malicious releases target macOS, Windows, and Linux. They were live on the npm registry for about three hours before being removed.

Axios gets over 100 million downloads per week. Wiz reports that it sits in about 80% of cloud and code environments, touching everything from React front-ends to CI/CD pipelines to serverless functions. Huntress detected the first infection 89 seconds after the malicious package went live and confirmed at least 135 compromised systems among its customers during the exposure window.

This is the third major npm supply chain compromise in seven months. Each exploited maintainer credentials. This time, the target had adopted every defense recommended by the security community.

One credential, two branches, 39 minutes

The attacker took over the npm account of @jasonsaayman, a prominent Axios maintainer, changed the account's email to an anonymous ProtonMail address, and published the poisoned packages through npm's command-line interface. This completely bypassed the project's GitHub Actions CI/CD pipeline.

The attacker never touched the Axios source code. Instead, both release branches received a new dependency: plain-crypto-js@4.2.1. No part of the codebase imports it. The package exists only to run a postinstall script that drops a cross-platform RAT on the developer’s machine.

The staging was perfect. Eighteen hours before the Axios releases, the attacker published a clean version of plain-crypto-js under a different npm account to build publishing history and avoid new-package scanner alerts. Then came the weaponized 4.2.1. Both release branches were hit within 39 minutes. Three platform-specific payloads were pre-built. The malware deletes itself after execution and swaps in a clean package.json to thwart forensic inspection.

StepSecurity, which identified the compromise with Socket, called it one of the most operationally sophisticated supply chain attacks ever recorded against a top-10 npm package.

The defenses that existed on paper

Axios did the right thing. Legitimate 1.x releases shipped through GitHub Actions using npm's OIDC Trusted Publisher mechanism, which cryptographically links each publication to a verified CI/CD workflow. The project carried SLSA provenance attestations. By every modern measure, the security stack looked solid.

None of it mattered. Huntress dug into the publishing workflow and found the gap. The project still passed NPM_TOKEN as an environment variable right alongside the OIDC credentials. When both are present, npm defaults to the token. The long-lived classic token was the de facto authentication method for every publish, regardless of how OIDC was configured. The attacker never had to defeat OIDC. They went around it. A legacy token was sitting there as a parallel authentication path, and npm's own precedence order quietly gave it priority.
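One way to audit a publishing workflow for that parallel path, as an added example (not code from the article, Huntress, or the Axios project). It is a line-based text heuristic rather than a YAML parser; the workflow text is constructed, and NODE_AUTH_TOKEN is included as an assumption because it is the variable actions/setup-node wires into .npmrc.

```javascript
// Constructed workflow text for illustration; not the Axios project's actual workflow.
const sampleWorkflow = `
name: publish
on: { release: { types: [published] } }
permissions:
  id-token: write   # OIDC trusted publishing
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}   # legacy path still wired in
`;

// Reports whether a workflow that publishes to npm has OIDC, a stored token, or both.
// "parallel-auth-path" is the situation described above: the token wins over OIDC.
function auditPublishWorkflow(text) {
  const found = { oidc: [], token: [], publish: [] };
  text.split("\n").forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ""); // ignore YAML comments
    if (/\bid-token:\s*write\b/.test(line)) found.oidc.push(i + 1);
    if (/\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b/.test(line)) found.token.push(i + 1);
    if (/\bnpm\s+publish\b/.test(line)) found.publish.push(i + 1);
  });
  let verdict = "no-publish-step";
  if (found.publish.length) {
    if (found.oidc.length && found.token.length) verdict = "parallel-auth-path";
    else if (found.token.length) verdict = "token-only";
    else if (found.oidc.length) verdict = "oidc-only";
    else verdict = "no-auth-found";
  }
  return { verdict, ...found }; // arrays hold 1-based line numbers
}
```

A clean result here only covers the workflow file; a token that still exists on the npm account can publish from any machine, so the account's token list needs the same review.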

“From my experience in AWS, it is very common for legacy authorization mechanisms to be stuck,” said Merritt Baer, CSO of Enkrypt AI and former deputy CISO at AWS, in an exclusive interview with VentureBeat. “Modern controls get deployed, but if legacy tokens or keys are not removed, the system silently favors them. As we saw with SolarWinds, where legacy scripts bypassed the new monitoring.”

The maintainer posted on GitHub after discovering the compromise: “I’m trying to get support to understand how this happened. I have 2FA/MFA on practically everything I interact with.”

Endor Labs documented the forensic difference. The legitimate axios@1.14.0 had OIDC provenance, a trusted publisher record, and a gitHead linking to a specific commit. The malicious axios@1.14.1 had none of them. Any provenance-checking tool would have flagged the difference immediately. But provenance verification is opt-in. No registry gate rejected the package.
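The comparison Endor Labs describes can be automated over a package's registry metadata. The following is an added example, not code from the article or from Endor Labs: the packument is constructed (package name, dates and hash are made up; the version numbers mirror the ones above), and the field names dist.attestations.provenance, _npmUser.trustedPublisher, gitHead and time are assumed to match the npm registry's per-version metadata.

```javascript
// Constructed packument excerpt (not real registry output).
const samplePackument = {
  name: "demo-http-client",
  time: {
    "0.30.3": "2026-01-10T09:00:00Z", "1.14.0": "2026-01-12T09:00:00Z",
    "1.14.1": "2026-01-20T00:21:00Z", "0.30.4": "2026-01-20T01:00:00Z",
  },
  versions: {
    "0.30.3": { _npmUser: { name: "maintainer" }, dist: {} },
    "1.14.0": {
      gitHead: "0123456789abcdef0123456789abcdef01234567",
      _npmUser: { name: "GitHub Actions", trustedPublisher: { id: "github" } },
      dist: { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } },
    },
    "1.14.1": { _npmUser: { name: "maintainer" }, dist: {} },
    "0.30.4": { _npmUser: { name: "maintainer" }, dist: {} },
  },
};

// Which publish-origin signals does one version record carry?
function originSignals(v) {
  return {
    provenance: Boolean(v.dist?.attestations?.provenance),
    trustedPublisher: Boolean(v._npmUser?.trustedPublisher),
    gitHead: typeof v.gitHead === "string" && v.gitHead.length > 0,
  };
}

// Walk releases in publish order, per major release line, and report every version
// that lacks a signal some earlier release on the same line carried.
function findOriginRegressions(packument) {
  const ordered = Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  const lastSeen = new Map(); // major line -> { signal: last version that carried it }
  const findings = [];
  for (const version of ordered) {
    const major = version.split(".")[0];
    const seen = lastSeen.get(major) ?? {};
    const now = originSignals(packument.versions[version]);
    const lost = Object.keys(now).filter((k) => seen[k] && !now[k]);
    if (lost.length) findings.push({ version, lost });
    for (const k of Object.keys(now)) if (now[k]) seen[k] = version;
    lastSeen.set(major, seen);
  }
  return findings;
}
```

A release line that never carried provenance cannot regress, so the constructed 0.30.4 entry passes this check and has to be caught by an exposure check against known-bad versions instead.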

Three attacks, seven months, same root cause

Three npm supply chain compromises in seven months. Each started with stolen maintainer credentials.

The Shai-Hulud worm arrived in September 2025. A single phished maintainer account gave the attackers a foothold that self-replicated across more than 500 packages, harvesting npm tokens, cloud credentials, and GitHub secrets as it spread. CISA issued an advisory. GitHub overhauled npm's entire authentication model in response.

Then in January 2026, Koi Security's PackageGate research uncovered six zero-day vulnerabilities across npm, pnpm, vlt, and Bun that pierced the very protections the ecosystem had adopted after Shai-Hulud. Lockfile integrity and script-blocking both failed under specific conditions. Three of the four package managers patched within a few weeks. npm closed the report.

Now Axios. A stolen long-lived token published a RAT through both release branches despite OIDC, SLSA, and every post-Shai-Hulud hardening measure.

npm shipped real reforms after Shai-Hulud. Creation of new classic tokens was discontinued, although pre-existing tokens survived until a hard revocation deadline. FIDO 2FA became mandatory, granular access tokens were capped at seven days for publishing, and trusted publishing through OIDC gave projects a cryptographic alternative to stored credentials. Taken together, those changes hardened everything downstream of the maintainer account. What they didn't change was the account itself. The credential remained the single point of failure.

“Credential compromise is a recurring theme in npm breaches,” Baer said. “It is not just a problem of a weak password. This is structural. Without ephemeral credentials, enforced MFA, or isolated creation and signing environments, maintainer access remains the weak link.”

What npm shipped vs. what this attack got past

| What SOC leaders need | npm defense shipped | vs. the Axios attack | The gap |
| --- | --- | --- | --- |
| Prevent stolen tokens from publishing | FIDO 2FA required. Granular tokens, 7-day expiration. Classic tokens deprecated | Bypassed. The legacy token coexisted with OIDC. npm preferred the token | No enforcement removes legacy tokens when OIDC is configured |
| Verify package provenance | OIDC Trusted Publishing via GitHub Actions. SLSA verification | Bypassed. The malicious versions had no provenance. Published via CLI | No gate rejects packages missing provenance from projects that previously had it |
| Catch malware before it installs | Socket, Snyk, Aikido automated scanning | Partial. Socket flagged it in 6 minutes. First infection occurred at 89 seconds | The detection-to-removal gap. Scanners catch it, but registry removal takes hours |
| Block postinstall execution | --ignore-scripts recommended in CI/CD | Not enforced. npm runs postinstall by default. pnpm blocks by default; npm does not | Postinstall remains the primary malware vector in every major npm attack since 2024 |
| Lock dependency versions | Lockfile enforcement via npm ci | Only effective if the lockfile is committed before the compromise. Caret ranges auto-resolve | Caret ranges are the npm default. Most projects auto-resolve to the latest minor |

What to do in your enterprise now

SOC leaders whose organizations run Node.js should treat this as an active incident until they have verified clean systems. The three-hour exposure window fell during peak development hours in Asia-Pacific time zones, and any CI/CD pipeline that ran npm install overnight could have pulled the compromised version automatically.

“The first priority is impact assessment: Which builds and downstream consumers absorbed the compromised package?” Baer said. “Then prevention, patching, and finally, transparent reporting to leadership. What happened, what was exposed, and what controls will prevent a repetition. The lessons from Log4j and Event-Stream show speed and clarity matter as much as the fix itself.”

  • Check exposure. Search lockfiles and CI logs for axios@1.14.1, axios@0.30.4, or plain-crypto-js. Pin to axios@1.14.0 or axios@0.30.3.

  • Assume compromise if hit. Rebuild affected machines from a known-good state. Rotate every accessible credential: npm tokens, AWS keys, SSH keys, cloud credentials, CI/CD secrets, .env values.

  • Block C2. Add sfrclak.com and 142.11.206.73 to DNS blocklists and firewall rules.

  • Check for RAT artifacts. /Library/Caches/com.apple.act.mond on macOS. %PROGRAMDATA%\wt.exe on Windows. /tmp/ld.py on Linux. If found, perform a full rebuild.

  • Harden going forward. Enforce npm ci --ignore-scripts in CI/CD. Require lockfile-only installs. Reject packages missing provenance from projects that previously had it. Audit whether legacy tokens coexist with OIDC in your own publishing workflows.
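For the exposure check in the first step, a lockfile scan that also finds copies nested under other dependencies, as an added example (not code from the article or any vendor named in it). The indicator versions come from the checklist above; the lockfile excerpt, the project name my-app and the package some-sdk are constructed.

```javascript
// Indicators from the checklist above; null means every version is suspect.
const INDICATORS = new Map([
  ["axios", new Set(["1.14.1", "0.30.4"])],
  ["plain-crypto-js", null],
]);

// Constructed lockfile excerpt (lockfileVersion 3 shape) for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.14.0" },
  },
};

function isIndicator(name, version) {
  if (!INDICATORS.has(name)) return false;
  const versions = INDICATORS.get(name);
  return versions === null || versions.has(version);
}

// Accepts a parsed package-lock.json and returns every resolved copy that matches.
function scanLockfile(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // root project or workspace folder, not an installed copy
    const name = meta.name ?? path.slice(at + marker.length); // meta.name is set for aliases
    if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1 has no "packages" map, only a nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps ?? {})) {
      const path = trail ? `${trail} > ${name}` : name;
      if (isIndicator(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}
```

Run it against a real project by passing the result of JSON.parse on the contents of package-lock.json. A clean lockfile does not clear a machine that ran npm install without one during the exposure window, so CI logs and the artifact paths in the checklist still need checking.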

No one closed the credential gap

Three attacks in seven months. Each different in execution, same in root cause. npm's security model still treats individual maintainer accounts as the ultimate trust anchor. Those accounts remain vulnerable to credential hijacking, no matter how many layers are added downstream.

“AI detects risky packages, audits legacy authentication, and accelerates SOC response,” Baer said. “But humans still control the maintainer credentials. We reduce the risk. We don’t eliminate it.”

Mandatory provenance verification, where manual CLI publishing is completely disabled, may have caught this attack before it reached the registry. So might mandatory multi-party signatures, where no single maintainer can push a release alone. Neither is implemented today. npm has indicated that disabling tokens by default when trusted publishing is enabled is on the roadmap. Until it ships, every project running OIDC alongside a legacy token has the same blind spot Axios had.

The Axios maintainer did what the community asked. A legacy token that no one realized was still active left everyone vulnerable.
