
Axios npm Supply Chain Compromise: Detection & Remediation for Versions 1.14.1 and 0.30.4

Security Arsenal Team
April 21, 2026

On March 31, 2026, the JavaScript ecosystem faced a critical supply chain assault. The Cybersecurity and Infrastructure Security Agency (CISA) released an alert regarding the compromise of the widely used axios Node Package Manager (npm) library. This is not a theoretical risk; active versions of the package were modified to include a malicious dependency that drops a Remote Access Trojan (RAT). Given Axios' prevalence in Node.js and browser environments, this poses an immediate threat to developer workstations, CI/CD pipelines, and production environments relying on these specific versions. Defenders must immediately audit their dependencies to prevent potential persistent access or data exfiltration.

Technical Analysis

Affected Products and Versions:

  • Package: axios
  • Malicious Versions: 1.14.1 and 0.30.4
  • Platform: Node.js (all operating systems), Browser environments
  • Injected Dependency: plain-crypto-js@4.2.1

Attack Chain: The threat actors succeeded in publishing compromised versions of the Axios library. When a developer or automated build system installs one of the malicious versions (axios@1.14.1 or axios@0.30.4), the package manager resolves the dependency tree, and the compromised package.json inside those Axios versions explicitly requests the malicious library plain-crypto-js at version 4.2.1.

  1. Installation: User executes npm install axios@1.14.1 (or 0.30.4).
  2. Dependency Injection: NPM downloads plain-crypto-js@4.2.1 into node_modules.
  3. Execution: Upon execution, plain-crypto-js reaches out to threat actor-controlled infrastructure.
  4. Payload Delivery: It downloads multi-stage malicious code, ultimately installing a Remote Access Trojan (RAT) on the host.

Exploitation Status: CISA has confirmed active exploitation and the availability of malicious packages in the public registry. This is a confirmed, active supply chain compromise.

Detection & Response

The following detection mechanisms focus on identifying the installation of the specific malicious package versions and the presence of the injected dependency on endpoints and build servers. Note that the process-creation rules only catch invocations that name the package on the command line (an npm install, or node started against it directly); a module pulled in through require() from inside an application does not appear there, so pair them with the lockfile and file-system hunts that follow.

Sigma / YAML
---
title: Axios Malicious Package Installation via NPM
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the installation of compromised Axios npm versions (1.14.1 or 0.30.4) which inject the plain-crypto-js dependency.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/npm'
    CommandLine|contains:
      - 'axios@1.14.1'
      - 'axios@0.30.4'
  condition: selection
falsepositives:
  - Legitimate installation of these specific versions for testing purposes (highly discouraged during active incident)
level: critical
---
title: Suspicious NPM Process Loading Malicious Dependency
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Node.js processes executing or loading the known malicious dependency plain-crypto-js associated with the Axios compromise.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/20/supply-chain-compromise-impacts-axios-node-package-manager
author: Security Arsenal
date: 2026/04/20
tags:
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/node'
    CommandLine|contains: 'plain-crypto-js'
  condition: selection
falsepositives:
  - Unknown
level: high


**KQL (Microsoft Sentinel / Defender):**

Hunt for installations of the specific malicious package versions or the presence of the malicious dependency name in process execution logs.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName in~ ("npm.cmd", "npm", "node.exe", "node")
// DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine
| where ProcessCommandLine has_any ("axios@1.14.1", "axios@0.30.4", "plain-crypto-js")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc


**Velociraptor VQL:**

Hunt endpoints for the presence of the plain-crypto-js directory within node_modules directories, indicating the malicious dependency was installed. The recursive glob below walks the whole filesystem, which is slow on large hosts; narrow the globs argument to developer home directories and CI workspaces where you know where projects live.

VQL — Velociraptor
SELECT FullPath, Mtime, Size
FROM glob(globs='/**/node_modules/plain-crypto-js/**')
WHERE Mtime > timestamp(string="2026-03-30")


**Remediation Script (Bash):**

This script scans the current directory and its subdirectories for package-lock.json files to identify whether a malicious Axios version is locked, or whether the injected plain-crypto-js dependency is referenced at all. It removes the malicious dependency directory if found.

Bash / Shell
#!/bin/bash

# Remediation script for Axios Supply Chain Compromise
# Checks package-lock.json for malicious versions and removes plain-crypto-js

echo "Scanning for Axios npm supply chain compromise..."

# The compromised axios release numbers (dots escaped for grep -E)
BAD_VERSIONS='"version": "(1\.14\.1|0\.30\.4)"'

# Find all package-lock.json files in the current directory tree
find . -name "package-lock.json" -type f | while read -r lockfile; do
    # Lockfile v1 lists "axios": { ... "version": "x" }; v2/v3 list
    # "node_modules/axios": { "version": "x" }. In both layouts the version
    # sits within a few lines of the key, so look a few lines ahead of it.
    # Any mention of plain-crypto-js in the lockfile is treated as a hit too.
    if grep -E -A3 '[/"]axios": \{' "$lockfile" | grep -qE "$BAD_VERSIONS" \
       || grep -q 'plain-crypto-js' "$lockfile"; then
        echo "[!] POTENTIAL COMPROMISE DETECTED in: $lockfile"
        echo "    Malicious Axios version or injected dependency found in lockfile."

        # Determine the directory of the package
        dir=$(dirname "$lockfile")

        # Check if node_modules/plain-crypto-js exists and remove it
        if [ -d "$dir/node_modules/plain-crypto-js" ]; then
            echo "    Removing malicious dependency: $dir/node_modules/plain-crypto-js"
            rm -rf "$dir/node_modules/plain-crypto-js"
        fi

        echo "    ACTION REQUIRED: Delete node_modules and package-lock.json, then reinstall from trusted source."
    fi
done

echo "Scan complete."

Remediation

Organizations must take immediate action to evict the threat actor from their environments.

1. Audit and Identification: Immediately scan all package-lock.json, yarn.lock, and pnpm-lock.yaml files in source repositories and developer workstations. Search for references to axios@1.14.1 or axios@0.30.4, and for the injected dependency plain-crypto-js.

2. Removal and Reinstallation: If a compromised version is found:

  • Delete the node_modules directory.
  • Delete the lock file (package-lock.json or equivalent).
  • Update the package.json to pin a known safe version of Axios (e.g., the latest version, ensuring it is not one of the compromised versions).
  • Re-run the install command (npm install or npm ci).

3. Developer and CI/CD Hygiene: Force a rebuild of all artifacts and containers that may have been created using these compromised versions since March 31, 2026. Rotate any credentials or secrets stored in environment variables accessible to the compromised build agents or developer workstations, as the RAT implies potential credential theft.

4. Official Guidance: Refer to the official CISA alert for updated indicators of compromise (IOCs) and vendor statements.
