Axios NPM Distribution Compromised in Supply Chain Attack
Essential information
- Published: 31/03/2026 13:56
- Modified: 01/04/2026 13:26
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: axios, credential compromise, npm, plain-crypto-js, remote access trojan, supply chain attack
- Tags: 2026-03-31, axios, credential compromise, npm, plain-crypto-js, remote access trojan, supply chain attack
- Related entities: 7 indicators, 7 observables, 15 techniques (MITRE), 1 other
Description
An unknown threat actor compromised the npm account of an axios maintainer and published two malicious versions of the package. These versions introduced a dependency on plain-crypto-js, a newly created malicious package. Although the versions were removed quickly, axios's widespread usage meant that many environments were exposed within a short window. The malicious package contains a dropper that downloads and executes platform-specific second-stage payloads that function as remote access trojans. These payloads can open remote shells, inject binaries, browse directories, list processes, and perform system reconnaissance. Organizations are advised to audit their environments, remove malicious artifacts, rotate exposed credentials, investigate potential compromise paths, and monitor for suspicious activity.
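The audit step recommended above can be started from lockfiles: the tell-tale sign of an affected install is an axios entry that resolves the malicious plain-crypto-js dependency, or a copy of that package present at all. The following is an added example, not code from the report or from the axios project; it parses package-lock.json in both the v1 nested layout and the v2/v3 flat "packages" layout, and because the compromised axios version numbers are not listed in this report it keys on the dependency name rather than on a version list. The sample lockfile, package name "demo-app" and version "1.0.0" are constructed for the demonstration.

```python
import json
from typing import Any, Dict

# Package name taken from the report: the malicious dependency the compromised
# axios releases pulled in. The compromised axios version numbers are not in the
# report, so the audit flags the dependency relationship, not specific versions.
MALICIOUS_DEP = "plain-crypto-js"

def _record(name: str, version: str, loc: str, deps: Dict[str, str], f: Dict[str, Any]) -> None:
    """Note axios versions, installed copies of the malicious package, and anything requiring it."""
    if name == "axios":
        f["axios_versions"].add(version)
    if name == MALICIOUS_DEP:
        f["malicious_installed"].append(loc)
    if MALICIOUS_DEP in deps:
        f["depends_on_malicious"].append(f"{name}@{version} ({loc})")

def _walk_v1(deps: Dict[str, Any], prefix: str, f: Dict[str, Any]) -> None:
    """lockfileVersion 1 is a nested tree: nested copies live under their parent's node_modules."""
    for name, info in deps.items():
        loc = f"{prefix}node_modules/{name}"
        _record(name, info.get("version", "?"), loc, info.get("requires", {}), f)
        _walk_v1(info.get("dependencies", {}), loc + "/", f)

def audit_lockfile(lock: Dict[str, Any]) -> Dict[str, Any]:
    """Audit a parsed package-lock.json (v1, v2 or v3) for exposure to the malicious dependency."""
    f: Dict[str, Any] = {"axios_versions": set(), "malicious_installed": [], "depends_on_malicious": []}
    if "packages" in lock:  # v2/v3: flat map keyed by install path; "" is the root project
        for loc, info in lock["packages"].items():
            name = info.get("name") or (lock.get("name", "(root)") if loc == "" else loc.rsplit("node_modules/", 1)[-1])
            _record(name, info.get("version", "?"), loc or "(root)", info.get("dependencies", {}), f)
    else:  # v1
        _walk_v1(lock.get("dependencies", {}), "", f)
    f["exposed"] = bool(f["malicious_installed"] or f["depends_on_malicious"])
    return f

def audit_file(path: str) -> Dict[str, Any]:
    """Convenience wrapper: audit a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))

# Constructed sample lockfile (not a real one) modelling an exposed install:
# axios resolves the malicious package, and that package has been installed.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {"version": "1.0.0", "dependencies": {"plain-crypto-js": "^1.0.0"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
    },
}

if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCK)
    print("EXPOSED" if result["exposed"] else "clean", result)
```

Run `audit_file("path/to/package-lock.json")` across every repository and build image you ship; a hit on either list means the credential rotation and host investigation steps above apply to that environment.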