Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a cross-platform remote access trojan. The malicious releases target macOS, Windows, and Linux. They were live on the npm registry for roughly three hours before removal.
Axios gets more than 100 million downloads per week. Wiz reports it sits in roughly 80% of cloud and code environments, touching everything from React front-ends to CI/CD pipelines to serverless functions. Huntress detected the first infections 89 seconds after the malicious package went live and confirmed at least 135 compromised systems among its customers during the exposure window.
This is the third major npm supply chain compromise in seven months. Every one exploited maintainer credentials. This time, the target had adopted every defense the security community recommended.
One credential, two branches, 39 minutes
The attacker took over the npm account of @jasonsaayman, a lead axios maintainer, changed the account email to an anonymous ProtonMail address, and published the poisoned packages through npm’s command-line interface. That bypassed the project’s GitHub Actions CI/CD pipeline entirely.
The attacker never touched the axios source code. Instead, both release branches received a single new dependency: plain-crypto-js@4.2.1. No part of the codebase imports it. The package exists solely to run a postinstall script that drops a cross-platform RAT onto the developer's machine.
The staging was precise. Eighteen hours before the axios releases, the attacker published a clean version of plain-crypto-js under a separate npm account to build publishing history and dodge new-package scanner alerts. Then came the weaponized 4.2.1. Both release branches were hit within 39 minutes. Three platform-specific payloads were pre-built. The malware erases itself after execution and swaps in a clean package.json to frustrate forensic inspection.
StepSecurity, which identified the compromise alongside Socket, called it among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
The defense that existed on paper
Axios did the right things. Legitimate 1.x releases shipped through GitHub Actions using npm's OIDC Trusted Publisher mechanism, which cryptographically ties every publish to a verified CI/CD workflow. The project carried SLSA provenance attestations. By every modern measure, the security stack looked solid.
None of it mattered. Huntress dug into the publish workflow and found the gap. The project still passed NPM_TOKEN as an environment variable right alongside the OIDC credentials. When both are present, npm defaults to the token. The long-lived classic token was the real authentication method for every publish, regardless of how OIDC was configured. The attacker never had to defeat OIDC. They walked around it. A legacy token sat there as a parallel auth path, and npm's own hierarchy silently preferred it.
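The coexistence described above can be checked mechanically in a publishing workflow. The following is an added example, not code from the axios project or from Huntress: a text-level audit that flags a GitHub Actions workflow requesting an OIDC token (`id-token: write`) while still referencing a stored npm token. The workflow text is constructed, and the secret and variable names it matches are assumptions about common naming.

```javascript
// Constructed workflow text (not the axios project's real file).
const riskyWorkflow = [
  "permissions:",
  "  id-token: write        # OIDC trusted publishing enabled",
  "jobs:",
  "  publish:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - run: npm publish --provenance",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # legacy path still wired in",
  "          # NPM_TOKEN: old commented-out line, ignored by the audit",
].join("\n");

// Same workflow with the env block (and the stored token) removed.
const oidcOnlyWorkflow = riskyWorkflow.split("\n").slice(0, 7).join("\n");

const OIDC_RE = /^\s*id-token:\s*write\b/;
// Env names commonly used for npm auth, or any secret whose name mentions NPM (assumed naming).
const TOKEN_RE = /\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b|secrets\.\w*NPM\w*/i;

function auditWorkflow(yamlText) {
  let oidc = false;
  const tokenLines = [];
  yamlText.split("\n").forEach((line, i) => {
    if (line.trim().startsWith("#")) return;   // skip full-line comments
    const code = line.replace(/\s#.*$/, "");   // drop trailing comments
    if (OIDC_RE.test(code)) oidc = true;
    if (TOKEN_RE.test(code)) tokenLines.push(i + 1);
  });
  // The finding that matters: both auth paths present in one workflow.
  return { oidc, tokenLines, coexists: oidc && tokenLines.length > 0 };
}

for (const [name, text] of [["risky", riskyWorkflow], ["oidc-only", oidcOnlyWorkflow]]) {
  console.log(name, JSON.stringify(auditWorkflow(text)));
}
```

A clean result only covers what the YAML references; tokens that still exist on the npm account need to be reviewed and revoked there.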
“From my experience at AWS, it’s quite common for old auth mechanisms to linger,” said Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, in an exclusive interview with VentureBeat. “Modern controls get deployed, but if legacy tokens or keys aren’t retired, the system quietly favors them. Just like we saw with SolarWinds, where legacy scripts bypassed newer monitoring.”
The maintainer posted on GitHub after discovering the compromise: “I’m trying to get support to understand how this even happened. I have 2FA / MFA on practically everything I interact with.”
Endor Labs documented the forensic difference. Legitimate axios@1.14.0 showed OIDC provenance, a trusted publisher record, and a gitHead linking to a specific commit. Malicious axios@1.14.1 had none. Any tool checking provenance would have flagged the gap immediately. But provenance verification is opt-in. No registry gate rejected the package.
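The provenance gap described above lends itself to a simple consumer-side rule: once a project has published with provenance, treat any later version without it as a regression. The following is an added example, not Endor Labs' tooling; it runs over a constructed metadata sample and assumes `dist.attestations` and `gitHead` are the registry metadata fields that carry those signals.

```javascript
// Constructed sample shaped like npm registry package metadata (a "packument").
// Timestamps, the attestation URL and the gitHead value are placeholders.
const samplePackument = {
  name: "axios",
  time: {
    "0.30.3": "2026-01-10T09:00:00Z",
    "1.14.0": "2026-02-20T09:00:00Z",
    "1.14.1": "2026-03-01T00:00:00Z",
    "0.30.4": "2026-03-01T00:39:00Z",
  },
  versions: {
    "0.30.3": { dist: {} },
    "1.14.0": {
      gitHead: "<commit-sha-placeholder>",
      dist: { attestations: { url: "https://registry.example/attestations/axios@1.14.0" } },
    },
    "1.14.1": { dist: {} },
    "0.30.4": { dist: {} },
  },
};

function provenanceRegressions(packument) {
  // Walk versions in publish order, not semver order: the question is
  // "had the project already adopted provenance when this was published?"
  const byPublishTime = Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
  let baselineSeen = false;
  const flagged = [];
  for (const version of byPublishTime) {
    const meta = packument.versions[version];
    const attested = Boolean(meta.dist && meta.dist.attestations);
    if (attested) { baselineSeen = true; continue; }
    // Versions published before the first attested release are not regressions.
    if (baselineSeen) flagged.push({ version, hasGitHead: Boolean(meta.gitHead) });
  }
  return flagged;
}

console.log(provenanceRegressions(samplePackument));
```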
Three attacks, seven months, same root cause
Three npm supply chain compromises in seven months. Every one started with a stolen maintainer credential.
The Shai-Hulud worm hit in September 2025. A single phished maintainer account gave attackers a foothold that self-replicated across more than 500 packages, harvesting npm tokens, cloud credentials, and GitHub secrets as it spread. CISA issued an advisory. GitHub overhauled npm’s entire authentication model in response.
Then in January 2026, Koi Security’s PackageGate research dropped six zero-day vulnerabilities across npm, pnpm, vlt, and Bun that punched through the very defenses the ecosystem adopted after Shai-Hulud. Lockfile integrity and script-blocking both failed under specific conditions. Three of the four package managers patched within weeks. npm closed the report.
Now axios. A stolen long-lived token published a RAT through both release branches despite OIDC, SLSA, and every post-Shai-Hulud hardening measure in place.
npm shipped real reforms after Shai-Hulud. Creation of new classic tokens was deprecated, though pre-existing ones survived until a hard revocation deadline. FIDO 2FA became mandatory, granular access tokens were capped at seven days for publishing, and trusted publishing via OIDC gave projects a cryptographic alternative to stored credentials. Taken together, those changes hardened everything downstream of the maintainer account. What they didn’t change was the account itself. The credential remained the single point of failure.
“Credential compromise is the recurring theme across npm breaches,” Baer said. “This isn’t just a weak password problem. It’s structural. Without ephemeral credentials, enforced MFA, or isolated build and signing environments, maintainer access remains the weak link.”
What npm shipped vs. what this attack walked past
| What SOC leaders need | What npm shipped | vs. axios attack | The gap |
|---|---|---|---|
| Block stolen tokens from publishing | FIDO 2FA required. Granular tokens, 7-day expiry. Classic tokens deprecated | Bypassed. Legacy token coexisted alongside OIDC. | No enforcement removes legacy tokens when OIDC is configured |
| Verify package provenance | OIDC Trusted Publishing via GitHub Actions. SLSA attestations | Bypassed. Malicious versions had no provenance. Published via CLI | No gate rejects packages missing provenance from projects that previously had it |
| Catch malware before install | Socket, Snyk, Aikido automated scanning | Partial. Socket flagged in 6 min. First infections hit at 89 seconds | Detection-to-removal gap. Scanners catch it, registry removal takes hours |
| Block postinstall execution | --ignore-scripts recommended in CI/CD | Not enforced. | postinstall remains primary malware vector in every major |
| Lock dependency versions | Lockfile enforcement via | Effective only if lockfile committed before compromise. Caret ranges auto-resolved | Caret ranges are |
What to do now at your enterprise
SOC leaders whose organizations run Node.js should treat this as an active incident until they confirm clean systems. The three-hour exposure window fell during peak development hours across Asia-Pacific time zones, and any CI/CD pipeline that ran npm install overnight could have pulled the compromised version automatically.
“The first priority is impact assessment: which builds and downstream consumers ingested the compromised package?” Baer said. “Then containment, patching, and finally, clear reporting to leadership. What happened, what’s exposed, and what controls will prevent a repeat. Lessons from log4j and event-stream show speed and clarity matter as much as the fix itself.”
Check exposure. Search lockfiles and CI logs for axios@1.14.1, axios@0.30.4, or plain-crypto-js. Pin to axios@1.14.0 or axios@0.30.3.
Assume compromise if hit. Rebuild affected machines from a known-good state. Rotate every accessible credential: npm tokens, AWS keys, SSH keys, cloud credentials, CI/CD secrets, .env values.
Block the C2. Add sfrclak.com and 142.11.206.73 to DNS blocklists and firewall rules.
Check for RAT artifacts. /Library/Caches/com.apple.act.mond on macOS. %PROGRAMDATA%\wt.exe on Windows. /tmp/ld.py on Linux. If found, perform a full rebuild.
Harden going forward. Enforce npm ci --ignore-scripts in CI/CD. Require lockfile-only installs. Reject packages missing provenance from projects that previously had it. Audit whether legacy tokens coexist with OIDC in your own publishing workflows.
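For the exposure check, a plain text search of a lockfile can miss nested copies or match unrelated strings. The following added example (not from the original article) walks a parsed package-lock.json in both the flat `packages` layout (lockfileVersion 2/3) and the nested `dependencies` layout (lockfileVersion 1) and reports the versions named above. The lockfile fragments are constructed, and `my-app` and `some-sdk` are hypothetical package names.

```javascript
// Indicators from the article: two bad axios versions, and plain-crypto-js at any version.
const BAD = { axios: ["1.14.1", "0.30.4"], "plain-crypto-js": null };

function isBad(name, version) {
  if (!Object.hasOwn(BAD, name)) return false;
  return BAD[name] === null || BAD[name].includes(version);
}

function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Aliased installs carry the real package name in meta.name.
      const name = meta.name || path.split("node_modules/").pop();
      if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} (${path})`);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = [...trail, name];
      if (isBad(name, meta.version)) hits.push(`${name}@${meta.version} (${where.join(" > ")})`);
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragments for demonstration.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "1.0.0" },
  "node_modules/axios": { version: "1.14.1" },
  "node_modules/plain-crypto-js": { version: "4.2.1" },
  "node_modules/some-sdk/node_modules/axios": { version: "1.14.0" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  axios: { version: "1.14.0" },
  "some-sdk": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
} };

console.log(scanLockfile(sampleV3), scanLockfile(sampleV1));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A clean lockfile does not clear a machine that already ran the install during the exposure window, so the artifact checks still apply.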
The credential gap nobody closed
Three attacks in seven months. Each different in execution, identical in root cause. npm’s security model still treats individual maintainer accounts as the ultimate trust anchor. Those accounts remain vulnerable to credential hijacking, no matter how many layers get added downstream.
“AI spots dangerous packages, audits legacy auth, and speeds SOC response,” Baer said. “But people still control maintainer credentials. We mitigate risk. We don’t eliminate it.”
Mandatory provenance attestation, where manual CLI publishing is disabled entirely, would have caught this attack before it reached the registry. So would mandatory multi-party signing, where no single maintainer can push a release alone. Neither is enforced today. npm has signaled that disabling tokens by default when trusted publishing is enabled is on the roadmap. Until it ships, every project running OIDC alongside a legacy token has the same blind spot axios had.
The axios maintainer did what the community asked. A legacy token nobody realized was still active undermined all of it.

