
Axios npm Supply Chain Attack: Detection and Removal of Cross-Platform RAT (v1.14.1 & v0.30.4)

Security Arsenal Team
April 7, 2026
5 min read


Introduction

The Axios npm package, a ubiquitous HTTP client used by millions of JavaScript developers, has been weaponized in a sophisticated supply chain attack. Threat actors compromised the maintainer's account to publish two malicious versions—1.14.1 and 0.30.4—which inject a malicious dependency, plain-crypto-js version 4.2.1.

This is not a dependency confusion attack; it is a direct compromise of a trusted project. The injected payload delivers a cross-platform Remote Access Trojan (RAT) capable of establishing persistence on Windows, macOS, and Linux systems. For defenders, this represents a critical failure in the software supply chain. If your organization utilizes Node.js, you must assume that a standard npm install during the window of availability may have resulted in a perimeter breach and C2 beaconing.

Technical Analysis

  • Affected Products: Axios npm package.
  • Affected Versions: 1.14.1 and 0.30.4.
  • Platforms: Cross-platform (Windows, macOS, Linux).
  • Threat Vector: Compromised publisher account injecting a malicious dependency (plain-crypto-js).
  • Payload: Cross-platform RAT.

Attack Mechanics

The attack vector is the poisoning of the package.json dependency definition within the compromised Axios releases. When a developer or CI/CD pipeline executes npm install, the package manager resolves the declared dependencies and, as a transitive dependency of Axios, downloads plain-crypto-js v4.2.1 without any explicit request from the developer.

  1. Installation: The victim installs the malicious Axios version.
  2. Execution: The postinstall script (or runtime execution) within plain-crypto-js triggers.
  3. Payload Drop: A cross-platform binary or script is executed, initiating a reverse shell or C2 connection.
  4. Persistence: The RAT ensures survival across reboots, providing attackers with full remote access to the build environment or the application server.

Exploitation Status

  • Status: Confirmed active exploitation in the wild. The packages were published and available for download before being flagged by StepSecurity.
  • CVSS Score: Estimates place this in the Critical (9.0+) range due to network connectivity, high impact on confidentiality/integrity/availability, and low attack complexity.

Detection & Response

Sigma Rules

The following Sigma rules detect the installation of the specific malicious package versions and the subsequent suspicious process execution of the injected dependency. Both rules are written against Windows process-creation telemetry (npm.exe and node.exe); adapt the Image values for Linux and macOS hosts, which the RAT also targets.

YAML
---
title: Axios Malicious Version Installation
id: 123e4567-e89b-12d3-a456-426614174000
status: experimental
description: Detects the installation of the compromised Axios versions (1.14.1 or 0.30.4) which introduces a malicious dependency.
references:
  - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\npm.exe'
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
  condition: selection
falsepositives:
  - Legitimate testing by developers verifying these specific versions (unlikely)
level: critical
---
title: Execution of Malicious plain-crypto-js Dependency
id: 223e4567-e89b-12d3-a456-426614174001
status: experimental
description: Detects the execution of the malicious 'plain-crypto-js' package or files originating from its node_modules directory.
references:
  - https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    CommandLine|contains:
      - 'plain-crypto-js'
  condition: selection
falsepositives:
  - Legitimate use of a package named 'plain-crypto-js' (highly suspicious, treat as malicious unless verified)
level: high

KQL (Microsoft Sentinel / Defender)

Use this KQL query to hunt for process execution events related to the installation of the malicious Axios package or the invocation of the malicious dependency.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine contains "axios@1.14.1" or ProcessCommandLine contains "axios@0.30.4")
    or (ProcessCommandLine contains "plain-crypto-js")
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for the presence of the malicious plain-crypto-js package in the node_modules directory on Linux and macOS endpoints.

VQL — Velociraptor
-- Hunt for malicious plain-crypto-js package in node_modules
SELECT FullPath, Size, Mtime
FROM glob(globs='/**/node_modules/plain-crypto-js/**')
WHERE NOT FullPath =~ 'cache' 
LIMIT 1000

Remediation Script (Bash)

This script scans the current directory (recursively) for package-lock.json files whose resolved dependency tree contains the malicious Axios versions or the injected plain-crypto-js dependency, then removes the corresponding node_modules directory and lockfile so that dependencies can be reinstalled cleanly.

Bash / Shell
#!/bin/bash
# Remediation scan: find package-lock.json files that resolve the compromised
# Axios releases (1.14.1, 0.30.4) or the injected plain-crypto-js dependency,
# then remove node_modules and the lockfile so a clean install can follow.

echo "[+] Initiating Axios Supply Chain Remediation Scan..."

# Compromised Axios versions as a grep -E alternation
AXIOS_VERSIONS='1\.14\.1|0\.30\.4'

# Returns 0 when the lockfile is tainted. Lockfile v1 keys entries as
# "axios", v2/v3 as "node_modules/axios"; in both, "version" is the next line.
is_tainted() {
    local lockfile="$1"
    if grep -q 'plain-crypto-js' "$lockfile"; then
        echo "[!!!] MALICIOUS DEPENDENCY FOUND in $lockfile: plain-crypto-js"
        return 0
    fi
    if grep -A1 -E '"(node_modules/)?axios": \{' "$lockfile" \
        | grep -qE "\"version\": \"($AXIOS_VERSIONS)\""; then
        echo "[!!!] MALICIOUS DEPENDENCY FOUND in $lockfile: axios 1.14.1 / 0.30.4"
        return 0
    fi
    return 1
}

# Find all package-lock.json files (lockfiles vendored inside node_modules are
# removed together with that directory, so they are skipped here)
find . -type f -name "package-lock.json" -not -path "*/node_modules/*" | while read -r lockfile; do
    echo "[+] Scanning: $lockfile"

    if is_tainted "$lockfile"; then
        # Identify the directory of the lockfile
        DIR=$(dirname "$lockfile")

        # Remove node_modules directory
        if [ -d "$DIR/node_modules" ]; then
            echo "[-] Removing node_modules directory: $DIR/node_modules"
            rm -rf "$DIR/node_modules"
        fi

        # Remove package-lock.json to force clean install
        echo "[-] Removing package-lock.json: $lockfile"
        rm -f "$lockfile"
        echo "[!!!] Remediation action taken for $DIR. Please reinstall dependencies with safe versions."
    fi
done

echo "[+] Scan complete."

Remediation

  1. Identify and Replace:

    • Immediately audit all package.json and package-lock.json files in your environment.
    • Ensure you are not using Axios 1.14.1 or 0.30.4.
    • Update to the latest stable version of Axios (e.g., 1.6.0 or newer) or the last known safe version prior to the compromise.
  2. Sanitize Environments:

    • If the malicious versions were installed, delete the node_modules folder and the package-lock.json file.
    • Run npm install again to pull clean dependencies from the registry.
  3. Credential Rotation:

    • Assume that any build agent or developer machine that installed these packages has been compromised.
    • Rotate all API keys, secrets, and credentials stored in environment variables or CI/CD pipelines accessible to that host.
  4. Blocking:

    • Block the specific package plain-crypto-js in your internal Artifact registries (e.g., Artifactory, Nexus) and npm enterprise.
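To carry out the "Identify and Replace" step above against the resolved dependency tree described under Attack Mechanics, the following Node.js auditor is an added example (not code from the advisory or from the Axios project). It parses a package-lock.json object in either the v1 nested format or the v2/v3 flat "packages" format, flags the two compromised Axios versions and any plain-crypto-js entry, and reports which npm install-time lifecycle hooks a package manifest declares; the SAMPLE_LOCK object is constructed here to mirror the poisoned tree.

```javascript
// Added example (not the advisory's code): audit a parsed package-lock.json for
// the compromised axios releases and the injected plain-crypto-js dependency.
// Handles lockfile v1 (nested "dependencies" tree) and v2/v3 ("packages" map).
const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']);
const INJECTED_PACKAGE = 'plain-crypto-js';
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // run by npm at install time

// Lockfile v1: entries keyed by bare name, nested under "dependencies".
// v1 does not record whether a package ships install scripts.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, version: meta.version, path });
    walkV1(meta.dependencies, `${path}/`, out);
  }
}

// Flatten either lockfile format into {name, version, path, hasInstallScript}.
function listPackages(lock) {
  const out = [];
  if (!lock.packages) { walkV1(lock.dependencies, '', out); return out; }
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '') continue; // root project entry, not an installed package
    const name = meta.name || path.split('node_modules/').pop();
    out.push({ name, version: meta.version, path, hasInstallScript: !!meta.hasInstallScript });
  }
  return out;
}

// Report every resolved package matching the advisory's indicators: any
// plain-crypto-js entry, and axios at one of the two compromised versions.
function auditLockfile(lock) {
  const findings = [];
  for (const pkg of listPackages(lock)) {
    if (pkg.name === INJECTED_PACKAGE) findings.push({ ...pkg, reason: 'injected dependency' });
    else if (pkg.name === 'axios' && COMPROMISED_AXIOS.has(pkg.version)) {
      findings.push({ ...pkg, reason: 'compromised axios release' });
    }
  }
  return findings;
}

// Given an installed package's package.json, list the install-time hooks it declares.
function installHooks(manifest) {
  return INSTALL_HOOKS.filter((h) => manifest.scripts && typeof manifest.scripts[h] === 'string');
}
// Constructed sample lockfile (v3 layout) reproducing the poisoned tree.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', dependencies: { axios: '1.14.1' } },
  'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
  'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
} };
```

Run it over a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means neither indicator is present in the resolved tree.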

Related Resources
