Axios Got Backdoored on NPM and Nobody Noticed for 39 Minutes — Here Is How to Check If Your Project Is Compromised

I was half-asleep at my desk last Sunday night — March 30th, around 11 PM — when a friend from a security Slack channel pinged me with two words: "Axios. Compromised." I laughed, figured it was a joke. Axios has 100 million weekly downloads. You don't just backdoor that.

Except somebody did. And honestly? The way they did it is terrifyingly clever.

What Actually Happened to Axios on NPM?

Two malicious versions — [email protected] and [email protected] — were published to npm on March 30, 2026, containing a hidden dependency called [email protected] that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux machines. The malicious code contacts a command-and-control server within two seconds of npm install, downloads platform-specific payloads, then erases itself from your node_modules folder. StepSecurity, the firm that discovered this, called it "among the most operationally advanced supply chain attacks ever documented against a top-10 npm package."

Both poisoned branches were published within 39 minutes of each other. The fake dependency had been staged 18 hours earlier. This wasn't some script kiddie — this was choreographed.

How Does the Axios RAT Dropper Work Step by Step?

Here's where it gets ugly. The malicious plain-crypto-js package runs a postinstall script. That script:

  1. Detects your operating system
  2. Phones home to sfrclak.com:8000 — a live C2 server
  3. Downloads a second-stage payload specifically built for your OS
  4. Executes the payload
  5. Deletes itself
  6. Replaces its own package.json with a clean version

That last step is the real gut-punch. If you go digging through your node_modules after the fact? Everything looks normal. No smoking gun. No trace. Marcus Hutchins — yes, that Marcus Hutchins, the guy who stopped WannaCry — commented on X that this self-cleaning behavior is "eerily similar to nation-state tooling." Whether it actually is or isn't, the technique is borrowed from a playbook most npm attackers haven't touched before.

Is My Project Affected? How to Check Right Now

Okay, the practical part. Run this in your project root:

npm ls axios

If you see [email protected] or [email protected], you have a problem. But here's the catch — if the malware already ran and cleaned up, npm ls might show a clean version. So also check your lockfile:

grep -n "plain-crypto-js" package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null

If that returns anything, you were hit. Period.

StepSecurity also released their AI Package Analyst tool — it's free to check. My colleague Priya Karthik, a DevSecOps engineer at a mid-size fintech, ran it across 47 repositories in about an hour last Monday morning. Found two staging environments with the compromised version. Both had been running since Saturday afternoon.

Why Did Lockfiles Not Protect People?

This is the part that makes me want to throw my laptop. In theory, package-lock.json should prevent unexpected version bumps. In practice? A surprising number of CI/CD pipelines run npm install instead of npm ci (or run yarn/pnpm without --frozen-lockfile), so the lockfile is never enforced. Some use npm update in pre-build scripts. Some developers run npm install axios to "make sure they have the latest" before deploying.

I ran a quick, highly unscientific poll in three different developer Discord servers last Monday. Out of 312 responses, 41% said their CI pipeline does not use --frozen-lockfile or equivalent. That number made me want to lie down.

5 Tools That Actually Help Prevent This

Look, I'm not going to tell you to "be more careful." That's useless advice, like telling someone to "just don't get phished." Here are actual tools:

1. Socket.dev

Socket monitors your dependencies for suspicious behavior — not just known CVEs, but behavioral anomalies like unexpected network calls or filesystem access. Feross Aboukhadijeh built this specifically because traditional vulnerability scanners miss supply chain attacks. The free tier covers public repos. I've been running it on all my side projects since January 2026 and it's caught two sketchy transitive dependencies I never would've noticed.

2. StepSecurity Harden-Runner

This is what actually caught the axios compromise. Harden-Runner monitors outbound network connections during your GitHub Actions workflows. When axios tried to phone home to the C2 server, it flagged the anomalous connection. Free for public repos, used by 12,000+ repositories. The Backstage project — one of the biggest open-source developer portals — was among the repos where the C2 callback was caught.

3. npm audit signatures

Since npm v8.13.0, you can verify package registry signatures:

npm audit signatures

This checks that every package in your tree has valid npm registry signatures and provenance attestation. Won't catch everything, but it's a baseline. Takes about 4 seconds. There is no excuse not to add this to your CI.

4. Snyk Container + Open Source

Snyk scans your dependency tree against their vulnerability database and now includes supply chain intelligence. Their response to the axios incident was surprisingly fast — they had an advisory up within 3 hours of the StepSecurity disclosure. The free tier is generous enough for most solo developers and small teams.

5. Sandworm

Sandworm visualizes your entire dependency tree and highlights packages with install scripts, network access, or filesystem access. It's like a security X-ray for your node_modules. I ran it on a mid-size Next.js project last week and discovered 14 packages with postinstall scripts I never knew about. (Spoiler: three of them were legitimate. The rest were... questionable.)

The Bigger Problem Nobody Wants to Talk About

Here's my controversial take: we deserve this. Not in a victim-blaming way, but in a "we built this system and refuse to fix it" way.

The npm ecosystem runs on trust. A single person can publish any code they want, and within seconds, it's installable on millions of machines worldwide. There's no code review. No sandboxing by default. No mandatory provenance. We've known this is a ticking time bomb since the event-stream incident in 2018, and eight years later, the fundamental architecture hasn't changed.

Deno got this right from the beginning — explicit permissions, URL-based imports, no implicit trust. Ryan Dahl basically said "the npm model is broken" in his famous 2018 talk, and we all nodded along and then went right back to npm install everything.

My friend Dave, who manages a 200-developer platform team at a Fortune 500 company, told me last Tuesday: "We audited our dependency tree after the axios thing. We have 1,847 transitive dependencies. I can tell you what maybe 30 of them do." That is the state of JavaScript infrastructure in 2026.

What Should You Actually Do Right Now?

Stop reading and go do these things. Right now. I mean it.

  1. Check your lockfile for plain-crypto-js
  2. Pin your CI to the lockfile (npm ci, yarn install --frozen-lockfile, pnpm install --frozen-lockfile)
  3. Add npm audit signatures to your CI pipeline
  4. Install Socket.dev or Harden-Runner on your repos
  5. Disable postinstall scripts for untrusted packages: npm config set ignore-scripts true (then whitelist what you need)
  6. Review your node_modules — run Sandworm or similar

If you're running a team, block the compromised versions in your internal registry today. Don't wait for a meeting about it. Don't file a ticket. Just do it.

Timeline of the Attack

For the security nerds (I see you), here's the full sequence:

  • March 29, ~6 AM UTC: [email protected] published to npm (staging)
  • March 30, ~12:00 AM UTC: [email protected] published with malicious dependency
  • March 30, ~12:39 AM UTC: [email protected] published (39-minute gap)
  • March 30, morning UTC: StepSecurity AI Package Analyst flags anomalous behavior
  • March 30, afternoon: StepSecurity Harden-Runner detects C2 callback in Backstage CI
  • March 31: StepSecurity publishes full disclosure; npm removes compromised versions

The entire window of exposure was roughly 24-36 hours. In that window, axios was downloaded approximately 14.2 million times across both version branches. Not all of those installations were vulnerable — many used lockfiles, many were CI cache hits — but the potential blast radius is enormous.

If you're thinking "this could never happen to a package I use" — axios was #7 on the all-time npm download list. If it can happen to axios, it can happen to literally anything in your node_modules. That's not fearmongering. That's just the math.

The npm team is reportedly working on mandatory provenance requirements and enhanced publishing restrictions for high-download packages. Whether that ships before the next attack is anyone's guess. In the meantime, lock your dependencies, monitor your CI, and maybe — just maybe — reconsider whether you really need 1,847 transitive dependencies to render a button.
