Malicious axios versions published to npm: Chainguard customers protected
At 5:21 p.m. PT and then again at 6:00 p.m. PT on March 30, 2026, two malicious versions of axios — the JavaScript HTTP client with more than 300 million monthly downloads on npm — were published to the npm registry. The packages axios@1.14.1 and axios@0.30.4 carry a hidden, malicious dependency published at 4:59 p.m. PT named plain-crypto-js@4.2.1 that drops a cross-platform remote access trojan (RAT) on affected systems. This dependency is a typosquat on the well-used library named crypto-js.
While this attack is not currently attributed to the ongoing TeamPCP attacks that hit Trivy, Checkmarx KICS, litellm, and telnyx over the last two weeks, it serves as yet another alarm for how vulnerable and impactful open source supply chain attacks can be.
If you are a Chainguard Container or Libraries customer, you are protected against this attack because we specifically block the kinds of exploitative techniques used by the attacker that compromised axios. If you are not yet a Chainguard customer, sign up for free today.
What happened
Let’s start with what happened. First, an attacker compromised the credentials of an axios maintainer. Then, the attacker changed the account’s registered email to ifstap@proton.me. Two malicious versions were published shortly after: axios@1.14.1 at 5:21 p.m. PT, targeting the 1.x branch, and axios@0.30.4 at 6:00 p.m. PT, targeting the legacy 0.x branch.
The axios source itself was not tampered with. Instead, the attacker used the maintainer's compromised credentials to publish new versions to npm that introduced a hidden runtime dependency, plain-crypto-js@4.2.1, which they had published 22 minutes earlier and which contains a RAT payload targeting macOS, Windows, and Linux. When its post-install script executes, it contacts the command-and-control server and writes a second-stage payload to the file system locations listed in the indicators below. After delivery, the dropper self-deletes. Any system that installed plain-crypto-js — whether directly or as a transitive dependency of axios@1.14.1 or axios@0.30.4 — should be treated as potentially compromised.
Indicators of compromise
For teams not using Chainguard and currently auditing and triaging their environments, here is the relevant technical detail on plain-crypto-js@4.2.1:
Malicious npm packages
- axios@1.14.1
- axios@0.30.4
- plain-crypto-js@4.2.1
Network indicators
- C2 domain: sfrclak[.]com
- C2 IP: 142.11.206.73 (Hostwinds)
- C2 URL: http://sfrclak[.]com:8000/6202033
File system indicators
- macOS: /Library/Caches/com.apple.act.mond
- Windows: %PROGRAMDATA%\wt.exe
- Linux: /tmp/ld.py
What to do
- Audit your installed versions: Check node_modules and lock files for axios@1.14.1 or axios@0.30.4. Also check for plain-crypto-js at any version.
- Downgrade to secure versions: axios@1.14.0 (1.x) and axios@0.30.3 (0.x) are safe. Update package.json and regenerate your lock file.
- Treat affected systems as compromised: If either malicious version was installed, audit for the above artifacts and investigate outbound connections to sfrclak[.]com.
- Rotate your credentials: If you find that you were exposed, cycle all GitHub, CSP, crypto, npm, and other secret keys.
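As an added example (not Chainguard's or the axios project's code), the audit step above as a script over an npm lockfile (lockfileVersion 2 or 3, which carries a "packages" map keyed by install path): it flags the two malicious axios versions, plain-crypto-js at any version, and any dependency that npm recorded as carrying an install script, the vector this post describes. The sample lockfile is constructed to mirror the dependency shape described above.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3).
// Versions and package names come from the advisory above; the lockfile
// below is a constructed sample, not a real project's lock.
const MALICIOUS = new Set(["axios@1.14.1", "axios@0.30.4"]);
const TYPOSQUAT = "plain-crypto-js"; // flag at any version

// Turn a lockfile key such as "node_modules/a/node_modules/b" into the
// package name "b" (scoped names like "@scope/pkg" keep their scope).
function packageName(lockKey) {
  const marker = "node_modules/";
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Walk every installed package and return three lists of findings.
function auditLockfile(lock) {
  const findings = { malicious: [], typosquat: [], installScripts: [] };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = packageName(key);
    const spec = `${name}@${entry.version}`;
    if (MALICIOUS.has(spec)) findings.malicious.push(spec);
    if (name === TYPOSQUAT) findings.typosquat.push(spec);
    // npm sets hasInstallScript when a package declares (pre/post)install
    // hooks; install-time execution is the vector the dropper relied on.
    if (entry.hasInstallScript) findings.installScripts.push(spec);
  }
  return findings;
}

// Constructed sample: axios@1.14.1 pulling in the typosquatted dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

const REPORT = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(REPORT, null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")); a non-empty malicious or typosquat list means the system should be treated as compromised per the steps above.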
Chainguard customers unaffected
Chainguard Containers and Libraries customers are protected from this attack.
For Containers customers, any image that uses axios is pulling a safe version of the package.
For Libraries customers, Chainguard did not build plain-crypto-js@4.2.1 because we never build or serve packages with post-install scripts. This is a longstanding defensive step we take because install-time script execution is a well-understood malware injection vector. From 5:34 p.m. PT to 8:17 p.m. PT, axios@1.14.1 was available for download but without the ability to pull in the malicious dependency. Chainguard Libraries for JavaScript currently has 83 safe versions of axios available for download.

Takeaways, and what’s next
This attack continues the software supply chain security theme of the month: your company’s security is only as strong as your weakest open source dependency.
Attackers are taking advantage. Look no further than this post from the organization behind many of the recent attacks, TeamPCP, on X:
It's the year of the supply chain. You guys are going to be busy a very long time. 🤣 🤣
— TeamPCP (@pcpcats) March 31, 2026
And they’re unfortunately right, for now. Four significant supply chain attacks in under two weeks — Trivy, LiteLLM, telnyx, and now axios — demonstrate the same fundamental exploit: everyone’s de facto trust of open source. When registries serve whatever a maintainer account publishes, and then enterprise build pipelines consume it without question, it leads to impacted systems, lost developer productivity, disrupted product roadmaps, a massive blast radius, and vulnerable customers.
The attackers are counting on all of us to continue unquestioningly trusting our open source once the news cycle ends. When everyone trusts open source without verification, it makes it easier for future attacks to gain entry. TeamPCP boasted that launching attacks is easy and cheap — they’ve spent less than $150 so far. The math is always favorable to the attacker for as long as the ecosystem treats registry artifacts as verified truth.
While scanners helped identify the attack and sparked a night of triage, they unfortunately don’t solve the problem at its root. In order to eliminate this supply chain risk from your environment, you need verification that your open source artifacts match their source code bit-for-bit. You need preventative controls that eliminate malware by design.
Stay protected
In response to this month's supply chain attacks, Chainguard is offering a free 3-month trial of Chainguard Libraries and Actions. You can sign up to start your free trial here.