A confirmed supply chain attack has compromised the Axios npm package, one of the most widely used HTTP client libraries in the JavaScript ecosystem. Malicious versions 1.14.1 and 0.30.4 have been published to the npm registry containing code designed to steal credentials, API keys, and sensitive data from any environment where these packages are installed.
This is not a hypothetical risk or a potential vulnerability awaiting exploitation—it is an active breach. Any organization that has downloaded or deployed these specific Axios versions must immediately initiate full incident response playbooks. The presence of these versions on your network constitutes a confirmed security incident requiring host quarantine, forensic analysis, and immediate credential rotation.
Technical Analysis
Affected Products and Versions
| Package | Platform | Malicious Versions | Status |
|---|---|---|---|
| axios | npm (JavaScript/Node.js) | 1.14.1, 0.30.4 | CONFIRMED MALICIOUS |
Attack Chain and Mechanism
This supply chain attack follows a classic but devastating pattern:
- Compromise: Attackers gained access to the Axios npm package publishing credentials
- Malicious Publication: Malicious versions (1.14.1 and 0.30.4) were uploaded to the public npm registry
- Installation: Automated build pipelines, CI/CD systems, and developers installed the compromised packages via `npm install`
- Execution: When Node.js applications requiring Axios execute, the malicious code initializes
- Exfiltration: The malicious payload collects environment variables, configuration files, and runtime data, transmitting stolen credentials and API keys to attacker-controlled infrastructure
- Persistence: Depending on implementation, the code may establish persistence mechanisms within the application runtime
Exploitation Status
- Confirmed Active Exploitation: YES — These malicious versions are live in the npm registry
- CISA KEV: Not yet added (check for updates)
- Public PoC: Not applicable (this is active malicious code, not an exploit demo)
Impact Severity
The impact of this breach is CRITICAL:
- Credential Theft: All environment variables, `.env` files, and configuration data accessible to the compromised process
- API Key Compromise: Cloud provider keys (AWS, Azure, GCP), third-party service credentials, and internal API tokens
- Data Exfiltration: Sensitive application data processed during runtime
- Supply Chain Propagation: Downstream consumers of affected applications may also be impacted
Detection & Response
SIGMA Rules
```yaml
---
title: Malicious Axios npm Package Installation
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects installation of known malicious Axios npm versions (1.14.1 or 0.30.4) via npm or package managers
references:
    - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/12/18
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        # On Linux the npm/yarn/pnpm launchers are Node scripts, so the process
        # image is frequently the node binary itself; the CommandLine match
        # below carries the detection in either case.
        Image|endswith:
            - '/npm'
            - '/yarn'
            - '/pnpm'
            - '/node'
        CommandLine|contains:
            - 'axios@1.14.1'
            - 'axios@0.30.4'
            - 'axios"1.14.1'
            - 'axios"0.30.4'
    condition: selection
falsepositives:
    - Legitimate testing in isolated environments (verify context)
level: critical
---
title: Node.js Process Loading Malicious Axios Module
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
description: Detects Node.js processes executing with known malicious Axios versions in node_modules path
references:
    - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/12/18
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/node'
        CurrentDirectory|contains: 'node_modules'
    selection_malicious:
        # Only install layouts that embed the version in the path match here;
        # a plain node_modules/axios directory carries the version in its
        # package.json only, which the VQL and Bash checks on this page read.
        CurrentDirectory|contains:
            - '/axios/1.14.1'
            - '/axios/0.30.4'
    condition: selection and selection_malicious
falsepositives:
    - Verified legacy application environments (investigate immediately)
level: high
---
title: Suspicious Network Activity from Compromised Axios
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: experimental
description: Detects potential data exfiltration from hosts with compromised Axios npm package - monitor for outbound connections to non-standard endpoints from Node processes
references:
    - https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
author: Security Arsenal
date: 2024/12/18
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Image|contains: '/node'
        Initiated: 'true'
    # Sigma has no "notin"/"notcontains" modifiers: exclusions are expressed as
    # filter selections that the condition negates.
    filter_common_ports:
        DestinationPort:
            - 80
            - 443
            - 8080
            - 3000
            - 5000
            - 8443
    filter_known_destinations:
        DestinationHostname|contains:
            - '.amazonaws.com'
            - '.azure.com'
            - '.googleapis.com'
            - '.github.com'
            - 'registry.npmjs.org'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate API calls to non-standard ports
level: medium
```
KQL (Microsoft Sentinel / Defender)
Run each of the three queries separately; the `let` statement belongs with the first one.

```kql
// Query 1: hunt for installations of malicious Axios npm versions
let MaliciousVersions = dynamic(["1.14.1", "0.30.4"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("npm", "yarn", "pnpm", "npx")
| where ProcessCommandLine has "axios"
// Pull the explicit version out of e.g. "npm install axios@1.14.1"
| extend version = extract(@"axios@(\d+\.\d+\.\d+)", 1, ProcessCommandLine)
| where version in (MaliciousVersions)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

// Query 2: hunt for file creation and image-load events whose path names a malicious Axios version
union DeviceFileEvents, DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"node_modules\axios" or FolderPath contains "node_modules/axios"
| where FolderPath has "1.14.1" or FolderPath has "0.30.4"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc

// Query 3: hunt for suspicious network connections from Node processes potentially exfiltrating data
// (DeviceNetworkEvents carries no byte counts; correlate transfer volume from proxy or flow logs)
DeviceNetworkEvents
| where Timestamp > ago(3d)
| where InitiatingProcessFileName =~ "node"
| where RemotePort !in (80, 443, 8080, 3000, 5000, 8443)
| where RemoteUrl !contains ".amazonaws.com"
    and RemoteUrl !contains ".azure.com"
    and RemoteUrl !contains ".googleapis.com"
    and RemoteUrl !contains "registry.npmjs.org"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, LocalPort
| order by Timestamp desc
```
Velociraptor VQL
```vql
-- Hunt for malicious Axios package versions in node_modules directories.
-- The installed version lives in package.json, so read and parse that file
-- rather than the path; raise the ** depth (e.g. **10) for deep project trees.
SELECT OSPath, Mtime, Size, Mode,
       parse_json(data=read_file(filename=OSPath)).version AS Version
FROM glob(globs="/**/node_modules/axios/package.json")
WHERE Version IN ("1.14.1", "0.30.4")

-- Hunt for Node.js processes that may have loaded malicious Axios
-- (matches only install layouts that embed the version in the working directory)
SELECT Pid, Name, Exe, CommandLine, Cwd, Username
FROM pslist()
WHERE Name =~ "node"
  AND Cwd =~ "node_modules"
  AND (Cwd =~ "axios/1.14.1" OR Cwd =~ "axios/0.30.4")

-- Identify all node_modules directories containing Axios for targeted analysis
SELECT OSPath, Mode
FROM glob(globs="/**/node_modules/axios/")

-- Check recent npm install logs for references to axios; the log file names
-- carry only timestamps, so the content is searched, not the path
SELECT OSPath, Mtime, Size
FROM glob(globs=["/home/*/.npm/_logs/*", "/root/.npm/_logs/*"])
WHERE Mtime.Unix > now() - 7 * 86400
  AND read_file(filename=OSPath) =~ "axios"
```
Remediation Script (Bash)
```bash
#!/bin/bash
# Security Arsenal - Axios Supply Chain Incident Response Script
# This script scans for and remediates malicious Axios npm versions
MALICIOUS_VERSIONS=("1.14.1" "0.30.4")
SCAN_DIR="${1:-/}"
LOG_FILE="/var/log/axios_ir_$(date +%Y%m%d_%H%M%S).log"

log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}

log "Starting Axios npm supply chain incident response scan"
log "Scan directory: $SCAN_DIR"
log "Checking for malicious versions: ${MALICIOUS_VERSIONS[*]}"

declare -a FOUND_PATHS

# Scan every node_modules/axios/package.json under SCAN_DIR (hoisted and
# nested copies alike) and read the version it declares
log "Scanning for package.json files in axios node_modules..."
while IFS= read -r -d '' pkg_file; do
    if [ -f "$pkg_file" ]; then
        version=$(grep -oP '"version"\s*:\s*"\K[^"]+' "$pkg_file" 2>/dev/null)
        # Exact match against the blocklist using a glob pattern, so the dots
        # in the version string are literal rather than regex wildcards
        if [[ -n "$version" && " ${MALICIOUS_VERSIONS[*]} " == *" ${version} "* ]]; then
            FOUND_PATHS+=("$(dirname "$pkg_file")")
            log "[CRITICAL] Found malicious Axios version ${version} at: $(dirname "$pkg_file")"
        fi
    fi
done < <(find "$SCAN_DIR" -path "*/node_modules/axios/package.json" -print0 2>/dev/null)

if [ ${#FOUND_PATHS[@]} -eq 0 ]; then
    log "No malicious Axios versions found"
    exit 0
fi

log "Total malicious instances found: ${#FOUND_PATHS[@]}"
log ""
log "[ACTION REQUIRED] IMMEDIATE INCIDENT RESPONSE STEPS:"
log "1. QUARANTINE hosts containing these paths immediately"
log "2. Initiate forensic collection on affected hosts"
log "3. Rotate ALL credentials and API keys exposed on these systems"
log "4. Remove malicious package versions and install verified safe versions"

# Optional: Automatic removal (uncomment with CAUTION - may break applications)
# log ""
# log "Attempting automatic removal of malicious package directories..."
# for path in "${FOUND_PATHS[@]}"; do
#     log "Removing: $path"
#     rm -rf "$path"
# done
# log ""
# log "Reinstalling Axios with safe version..."
# npm install axios@latest --force 2>/dev/null || log "Failed to reinstall - manual intervention required"

log ""
log "Scan complete. Full log saved to: $LOG_FILE"
log ""
log "Contact Security Arsenal IR Team if immediate assistance is needed"
# Exit status carries the hit count so CI and orchestration can branch on it
exit ${#FOUND_PATHS[@]}
```
Remediation
Immediate Actions (Within 1 Hour of Detection)
- Host Quarantine
  - Isolate all hosts identified as running malicious Axios versions from the network
  - Preserve volatile memory (RAM) for forensic analysis before shutdown
  - Do NOT restart affected systems before acquiring forensic images
- Credential Rotation (CRITICAL)
  - Assume ALL credentials accessible to affected applications are compromised
  - Rotate: AWS/Azure/GCP API keys, database credentials, third-party service tokens, internal API keys
  - Revoke and reissue OAuth tokens, JWT signing keys, and SSH keys used by compromised services
- Containment
  - Block outbound network connections from affected hosts (except to IR infrastructure)
  - Suspend CI/CD pipelines that may distribute the malicious package
Technical Remediation
- Identify and Remove Malicious Packages
  ```bash
  # Check the installed Axios version in each project
  npm list axios
  # Remove malicious versions installed globally
  npm uninstall -g axios
  # Remove from project directories
  rm -rf node_modules/axios
  ```
- Install Verified Safe Versions
  - Axios versions BEFORE the malicious releases were safe, but verify against npm advisory
  - Install a known safe version: `npm install axios@latest` (verify the latest version is not compromised)
  - Pin versions in package.json and package-lock.json
- Verify npm Registry Integrity
  ```bash
  # Audit the project's dependency tree (npm audit works on the lockfile, not on a single package name)
  npm audit
  # Verify package checksums if available
  npm view axios dist.integrity
  ```
- Update npm Configuration for Enhanced Security
  ```bash
  # Keep the automatic audit on install enabled and silence funding notices
  npm config set audit true
  npm config set fund false
  # Verify registry signatures and provenance attestations of installed packages where supported (npm 8.13+)
  npm audit signatures
  ```
Investigation and Forensics
- Determine Scope of Exposure
  - Identify all applications using the affected Axios versions
  - Map data flows and third-party integrations for each application
  - Review logs for signs of data exfiltration during the compromise window
- Timeline Reconstruction
  - Determine when malicious packages were first installed
  - Correlate with access logs to identify potential data exposure
  - Review git history for commits that introduced malicious dependencies
- Threat Hunting
  - Hunt for attacker tools or secondary implants
  - Check for persistence mechanisms beyond the compromised npm package
  - Analyze network traffic for data exfiltration indicators
Long-Term Security Hardening
- Software Supply Chain Controls
  - Implement npm package lockfile verification in CI/CD pipelines
  - Use dependency pinning (exact version numbers) for production builds
  - Implement Software Bill of Materials (SBOM) generation and analysis
  - Use private npm registries with package vetting processes
- Dependency Monitoring
  - Subscribe to npm security advisories for all production dependencies
  - Implement automated dependency scanning tools (Snyk, OWASP Dependency-Check, npm audit)
  - Establish approval workflows for dependency updates
- Secrets Management
  - Never store credentials in environment variables or configuration files
  - Implement proper secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)
  - Use short-lived credentials with automatic rotation
  - Implement least privilege access for all application credentials
Vendor Resources
- Tenable Advisory: https://www.tenable.com/blog/supply-chain-attack-on-axios-npm-package-scope-impact-and-remediations
- npm Security Advisories: https://www.npmjs.com/advisories
- GitHub Advisory Database: https://github.com/advisories
CISA Deadlines
If this vulnerability is added to the CISA Known Exploited Vulnerabilities (KEV) Catalog:
- Federal Agencies: Remediate within the deadline specified in the KEV entry (typically 3-21 days)
- Critical Infrastructure: Align remediation timelines with KEV guidance where applicable