Massive Supply Chain Attack: Axios Package Breach Spreads Cross-Platform Malware


On March 30, 2026, attackers compromised Axios, a widely used JavaScript HTTP client, by publishing malicious versions of the package to npm; installing them dropped malware on Windows, macOS, and Linux systems. With more than 100 million weekly downloads, the Axios compromise ranks among the most extensive supply chain attacks to date.

Attack Overview

The breach began when attackers took over the npm account of Jason Saayman, Axios's lead maintainer, and changed its email address to a ProtonMail address under their control, which gave them full control of the account and of every package it owns. Using a stolen npm access token, they then published two malicious versions, [email protected] and [email protected], within 39 minutes, so that both the current and the legacy release branches were affected. Neither version had a corresponding commit, tag, or release in Axios's official GitHub repository, an early sign that they had not come from the project's normal release process.

Malicious Dependency and Payload Delivery

Both compromised versions added a new dependency, [email protected], to Axios's package.json. It is a phantom dependency: nothing in Axios's source code imports it, and its only purpose is to carry a postinstall lifecycle script, which npm runs automatically when the package is installed. That script launched a cross-platform remote access trojan (RAT). Once the payload was running, the dropper deleted its own script and replaced it with a clean decoy file, which left little for a later inspection of node_modules to find.

Attack Execution and Evasion Techniques

The attackers prepared the operation over roughly 18 hours. They first published a benign version of plain-crypto-js so that the package had a registry history, then stood up the command-and-control server, and only then published the malicious payload. Publishing by hand with the stolen token also sidestepped the GitHub Actions OIDC Trusted Publisher safeguards: the malicious versions carried no provenance attestation binding them to a CI build and no gitHead field pointing at a source commit. Trusted publishing on its own does not prevent this; as long as a package still accepts publishes from long-lived tokens, a stolen token bypasses it, and the missing attestation and gitHead are exactly what a consumer can check for.
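The checks suggested by the two preceding sections (no git tag, no gitHead, no provenance attestation, and a dependency that appears out of nowhere) can be run against the npm registry's own metadata. The following is an added example, not code from the article or from the Axios project; the packument, package name, version numbers, dependency names and attestation URL are all constructed for illustration and are not the real compromised versions or the real phantom dependency.

```javascript
// Added example, not code from the article or from the Axios project: flag
// versions in an npm packument that lack the metadata a normal release carries.
// Every value below is constructed; the package name, version numbers and
// dependency names are invented and are NOT the real compromised Axios versions.

// Field shapes follow the public npm registry packument format:
//   versions[v].gitHead           commit recorded by `npm publish` from a git checkout
//   versions[v].dist.attestations present only when published with provenance
//   versions[v].dependencies      runtime dependencies declared in package.json
const samplePackument = {
  name: "example-lib",
  "dist-tags": { latest: "2.0.1", legacy: "1.9.4" },
  versions: {
    "2.0.0": {                       // a normal release from CI
      gitHead: "0123456789abcdef0123456789abcdef01234567",
      dist: {
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-lib@2.0.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
      dependencies: { "example-dep": "^1.3.0" },
    },
    "2.0.1": {                       // published by hand with a token: no gitHead, no attestation, new dependency
      dist: {},
      dependencies: { "example-dep": "^1.3.0", "example-phantom-dep": "1.0.0" },
    },
    "1.9.4": {                       // same pattern on the legacy branch
      dist: {},
      dependencies: { "example-dep": "^1.3.0", "example-phantom-dep": "1.0.0" },
    },
  },
};

// Tags of the upstream repository as `git tag -l` would print them (constructed).
const sampleGitTags = ["v1.9.3", "v2.0.0"];

// Compare each published version with the repository tags and with a trusted
// baseline version; returns one finding per version that fails any check.
function findUnverifiedVersions(packument, gitTags, baselineVersion) {
  const tagged = new Set(gitTags.map((t) => t.replace(/^v/, "")));
  const baseline = packument.versions[baselineVersion];
  const baselineDeps = new Set(Object.keys(baseline.dependencies || {}));
  const findings = [];
  for (const [version, meta] of Object.entries(packument.versions)) {
    const reasons = [];
    if (!meta.gitHead) reasons.push("no gitHead");
    if (!meta.dist || !meta.dist.attestations) reasons.push("no provenance attestation");
    if (!tagged.has(version)) reasons.push("no matching git tag");
    const newDeps = Object.keys(meta.dependencies || {}).filter((d) => !baselineDeps.has(d));
    if (newDeps.length > 0) reasons.push(`new dependencies: ${newDeps.join(", ")}`);
    if (reasons.length > 0) findings.push({ version, reasons });
  }
  return findings;
}

// Just the version strings that should not be trusted, sorted for stable output.
function suspiciousVersions(packument, gitTags, baselineVersion) {
  return findUnverifiedVersions(packument, gitTags, baselineVersion)
    .map((f) => f.version)
    .sort();
}

console.log(JSON.stringify(findUnverifiedVersions(samplePackument, sampleGitTags, "2.0.0"), null, 2));
```

Against a live registry, `npm view <pkg>@<version> gitHead dist.attestations --json` returns the two metadata fields the function inspects, and `npm audit signatures` verifies the registry signatures and provenance attestations of everything already in node_modules. A version that a maintainer published by hand from a laptop will also lack an attestation, so treat the finding as a reason to look, not as proof of compromise on its own.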

Technical Analysis of the RAT Dropper

The dropper script, setup.js, used two layers of string obfuscation to evade detection. The inner layer is a custom XOR cipher keyed with OrDeR_7077, in which the key byte for each position is selected by a quadratic index pattern rather than by simple cycling, which also disguises the character-access sequences. The outer layer stores each string reversed and with its base64 padding stripped; at runtime the script reverses the string, restores the padding, base64-decodes it, and passes the result through the inner cipher. Module names were loaded through dynamic require() calls on the decoded strings, so the names of the modules the dropper depends on never appear as literals, and static scanners that look for them find nothing.
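To make the scheme concrete, here is an added example that reconstructs the two layers as described, with an encoder so a sample can be produced offline, and a small triage helper for spotting dynamic require() calls in a suspect file. This is illustrative code written for this page, not the dropper's actual setup.js: the key OrDeR_7077 comes from the analysis above, but the exact quadratic index function does not, so `(i * i) % key.length` is an assumption, and the sample dropper snippet is constructed.

```javascript
// Added example, not the dropper's actual code: an illustrative reconstruction of
// the two-layer string obfuscation described above. The key comes from the
// published analysis; the quadratic index function (i * i) % key.length and the
// sample source below are assumptions made for this example.

const KEY = "OrDeR_7077";

// Inner layer: XOR each byte with a key byte chosen by a quadratic index instead
// of plain cycling, so the key-access pattern is not obvious when read.
// XOR is its own inverse, so this one function both encodes and decodes.
function innerXor(bytes, key = KEY) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt((i * i) % key.length);
  }
  return out;
}

// Outer layer, encode side: XOR, base64, strip the "=" padding, reverse.
function obfuscate(plain) {
  const b64 = innerXor(Buffer.from(plain, "utf8")).toString("base64").replace(/=+$/, "");
  return [...b64].reverse().join("");
}

// Outer layer, decode side: reverse, restore padding to a multiple of four,
// base64-decode, then run the inner cipher again.
function deobfuscate(blob) {
  let b64 = [...blob].reverse().join("");
  while (b64.length % 4 !== 0) b64 += "=";
  return innerXor(Buffer.from(b64, "base64")).toString("utf8");
}

// What the dropper does with a decoded string: the module name is never a
// literal in the file, so a grep for require("os") finds nothing.
function dynamicRequireDemo() {
  const osBlob = obfuscate("os");              // what would be stored in the script
  const os = require(deobfuscate(osBlob));     // require(<decoded at runtime>)
  return typeof os.platform();                 // "string" on every platform
}

// Triage helper for a suspect file: list require() calls whose argument is not
// a plain string literal. In a dropper, every module load looks like this.
function findDynamicRequires(source) {
  const hits = [];
  for (const m of source.matchAll(/require\(\s*([^)]*?)\s*\)/g)) {
    if (!/^['"`][^'"`]*['"`]$/.test(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Constructed snippet in the style the analysis describes (not the real setup.js).
const sampleDropperSource = `
const fs = require("fs");
const m1 = require(d("3wBdN"));
const m2 = require(d(s[2]) + d(s[3]));
`;

console.log(obfuscate("child_process"), "->", deobfuscate(obfuscate("child_process")));
console.log("dynamic requires:", findDynamicRequires(sampleDropperSource));
```

During triage the useful move is the reverse direction: lift the decoder out of the suspect file, run it over every stored blob, and read the recovered strings, which is far quicker than stepping through the script. The `findDynamicRequires` check is deliberately crude (a regex, not a parser), so expect false positives on legitimate code that builds module paths at runtime.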

Impact and Response

Trend Micro researchers Peter Girnus and Jacob Santos analysed the incident and found that the malicious versions had already reached organizations in government, finance, healthcare, manufacturing, retail, and technology. Telemetry showed the compromised versions being installed, and the dropper executing, during the attack window.

Mitigation Measures

Developers and organizations that use Axios should:

– Audit projects, lockfiles, and container images for the compromised versions ([email protected] and [email protected]), and for [email protected] anywhere in a dependency tree.

– Revert to a known-good release, such as [email protected], and pin it in the lockfile.

– Treat any host on which a compromised version was installed as compromised: the postinstall hook has already run, so removing the package does not remove the RAT. Rotate every credential such a host could reach, including npm tokens, CI secrets, and cloud keys.

– Harden npm accounts and publishing: enforce two-factor authentication, prefer trusted publishing and disallow long-lived publish tokens where possible, and alert on any published version that has no matching git tag or provenance attestation.
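The audit step above and the phantom-dependency mechanism described earlier call for the same tooling: reading a lockfile and an installed package's files offline. The following is an added example, not code from the article or from the Axios project. The lockfile, manifest and source files are constructed, the dependency name `example-phantom-dep` is invented, and the version strings in `DENYLIST` are placeholders rather than the real compromised Axios versions; substitute the versions named in the advisory before using it.

```javascript
// Added example, not code from the article or from the Axios project: an offline
// audit of an npm project from its lockfile plus an installed package's manifest
// and sources. All inputs are constructed; the DENYLIST versions are placeholders,
// NOT the real compromised Axios versions.

const DENYLIST = {
  axios: ["0.0.0-compromised-a", "0.0.0-compromised-b"],   // placeholders
};

// package-lock.json (lockfileVersion 3) as npm writes it. npm sets
// `hasInstallScript: true` on every package whose package.json declares a
// preinstall, install or postinstall script; that is the hook a dropper uses.
const sampleLockfile = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.0.0" } },
    "node_modules/axios": {
      version: "0.0.0-compromised-a",
      dependencies: { "follow-redirects": "^1.15.0", "example-phantom-dep": "1.0.0" },
    },
    "node_modules/follow-redirects": { version: "1.15.0" },
    "node_modules/example-phantom-dep": { version: "1.0.0", hasInstallScript: true },
  },
};

// Manifest and source files of the installed axios copy (constructed; a real
// audit would read node_modules/<pkg>/package.json and the files under it).
const sampleManifest = {
  name: "axios",
  dependencies: { "follow-redirects": "^1.15.0", "example-phantom-dep": "1.0.0" },
};
const sampleSources = {
  "index.js": "import axios from './lib/axios.js';\nexport default axios;\n",
  "lib/adapters/http.js": "const followRedirects = require('follow-redirects');\n",
};

// 1. Installed copies of denylisted versions, wherever they sit in the tree.
function findDenylisted(lock, denylist) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    if (p === "") continue;                             // the root project itself
    const name = p.split("node_modules/").pop();        // nested paths end in the package name
    if ((denylist[name] || []).includes(meta.version)) {
      hits.push({ path: p, name, version: meta.version });
    }
  }
  return hits;
}

// 2. Packages that run code at install time.
function findInstallScripts(lock) {
  return Object.entries(lock.packages)
    .filter(([p, meta]) => p !== "" && meta.hasInstallScript === true)
    .map(([p]) => p);
}

// 3. Declared dependencies that nothing in the package's sources ever imports.
const IMPORT_RE = /(?:require\(\s*|from\s+|^\s*import\s+)['"]([^'"]+)['"]/gm;
function packageNameOf(spec) {
  if (spec.startsWith(".") || spec.startsWith("/")) return null;   // relative import
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}
function findUnreferencedDeps(manifest, sources) {
  const used = new Set();
  for (const text of Object.values(sources)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1]);
      if (name !== null) used.add(name);
    }
  }
  return Object.keys(manifest.dependencies || {}).filter((d) => !used.has(d));
}

function auditProject(lock, denylist, manifest, sources) {
  return {
    denylisted: findDenylisted(lock, denylist),
    installScripts: findInstallScripts(lock),
    unreferencedDeps: findUnreferencedDeps(manifest, sources),
  };
}

console.log(JSON.stringify(auditProject(sampleLockfile, DENYLIST, sampleManifest, sampleSources), null, 2));
```

In CI, `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle scripts from running at all, which would have neutralised this dropper; packages that genuinely need a build step then have to be allowlisted and built explicitly. Diffing the lockfile on every dependency update and failing the build when a new `hasInstallScript` entry appears catches the same pattern before it reaches a developer machine.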

This incident underscores the importance of securing the software supply chain and of monitoring third-party dependencies, not only for known vulnerabilities but for changes in how they are published.