
Massive Supply Chain Attack - Axios 1.14.1 and 0.30.4
The News: What Just Happened?
Over the night of March 30 to 31, 2026, a sophisticated cyberattack struck one of the most widely used software tools on the internet, a JavaScript library called Axios.
If that name means nothing to you, that is perfectly fine. Here is a simple way to think about it: almost every modern web application or mobile app needs to send and receive data from the internet. Axios is the digital plumbing that makes that happen quietly in the background. It is not a product you would ever see or interact with directly, but it is working behind the scenes in a significant portion of the apps your business relies on every day. To give you a sense of its scale, Axios receives over 100 million downloads per week and nearly 175,000 software projects list it as a dependency. It is, by any measure, foundational digital infrastructure.
Here is what happened: attackers compromised the npm account belonging to the primary Axios maintainer. Using that access, they published two malicious versions of Axios, numbered 1.14.1 and 0.30.4, each containing a hidden dependency called plain-crypto-js whose sole purpose was to install a Remote Access Trojan, or RAT, on any machine that downloaded those versions.
A RAT is essentially a hidden back door. Once it is on a system, an attacker can see and control that system remotely, steal passwords, harvest sensitive credentials, and move deeper into a company's infrastructure, all without the victim knowing anything is wrong.
Activity related to this threat was first detected at approximately 00:45 UTC on March 31, with widespread impact by 01:00 UTC. The attack was also carefully pre-planned: the malicious dependency was seeded on npm approximately 18 hours before the poisoned Axios releases, specifically to avoid triggering "brand-new package" alarms from security scanners. This was not a clumsy, opportunistic hack. It was a precision operation.
Are You Affected?
If you have an internal development team or use software vendors who build or maintain applications on your behalf, the honest answer is: it is worth checking.
Technically, the way to confirm exposure is to look for the specific compromised versions (axios 1.14.1 or 0.30.4) or the presence of the plain-crypto-js package in your software environment. If you have a development team, ask them to run the following checks.
Check your lock files directly (these commands use grep, so run them in a macOS or Linux terminal or, on Windows, in Git Bash or WSL; plain PowerShell has no grep, its closest equivalent is Select-String):
# Search package-lock.json for the compromised axios versions. In every lockfile version the resolved "version" sits on the line after the package key, so match the version and look one line back for the axios key
grep -B 1 -E '"version": "(1\.14\.1|0\.30\.4)"' package-lock.json | grep -E '"([^"]*/)?axios": \{'
# Search for the malicious dependency by name
grep "plain-crypto-js" package-lock.json
# If you use Yarn, check yarn.lock instead. The resolved version is on the line after the "axios@..." header, whether the header pins 1.14.1 exactly or names a range such as ^1.14.0 that resolved to it
grep -A 1 -E '^"?axios@' yarn.lock | grep -E 'version:? "?(1\.14\.1|0\.30\.4)'
grep "plain-crypto-js" yarn.lock
# If you use pnpm, check pnpm-lock.yaml. Depending on the lockfile version the package key looks like /axios/1.14.1:, /axios@1.14.1: or axios@1.14.1:
grep -E '^[[:space:]]*/?axios[@/](1\.14\.1|0\.30\.4)' pnpm-lock.yaml
grep "plain-crypto-js" pnpm-lock.yaml
Any output from those commands means the compromised version was present in your dependency tree. You can also check what is actually installed on disk in your node_modules folder:
# Check the currently installed axios version
grep '"version"' node_modules/axios/package.json
# Check whether the malicious package is physically present
ls node_modules/plain-crypto-js
If that last command returns a directory rather than an error, the malicious package is on the machine. On macOS, a compromised system may contain a file at /Library/Caches/com.apple.act.mond; on Windows, look for %PROGRAMDATA%\wt.exe; and on Linux, /tmp/ld.py. If any of those are present, the system should be treated as compromised immediately and all credentials rotated.
But here is the more important message for SecureIT customers: you do not need to figure this out on your own.
Our security team has already been monitoring for exactly this kind of threat across your environments. Identifying indicators of compromise, cross-referencing threat intelligence, and acting quickly when a zero-day event like this surfaces is precisely the service we provide. If you are a SecureIT customer and your environment was touched by this incident, we are already aware and already working on it. You will hear from us directly. If you have not heard from us, that is itself meaningful information.
If you have any concerns or questions regardless, please do not hesitate to contact us at lets@secureit.is. We are here.
Understanding the Bigger Picture: What Is a Software Supply Chain Attack?
To understand why this type of attack is so serious, and so hard to defend against without professional help, it helps to think about how modern businesses are built.
Imagine your office building. You lock the doors, you have security cameras, and you vet everyone who enters. Your perimeter is well protected. But every week, supply trucks arrive with coffee, cleaning supplies, and office equipment. You trust those trucks. They come from vendors you know. You do not inspect every box.
A supply chain attack is when a criminal does not try to break down your front door. Instead, they intercept one of those trusted supply trucks and slip something dangerous inside one of the boxes before it arrives. By the time it is inside your building, it already passed every security check you had in place, because it arrived through a channel you trusted.
That is exactly what happened here. The attacker compromised the lead Axios maintainer's account, changing its registered email to an attacker-controlled address, and then published malicious builds across both the 1.x and 0.x release branches simultaneously, maximizing the number of projects exposed. Both poisoned versions appeared in the npm registry as published by the legitimate maintainer, making them indistinguishable from genuine releases at a glance.
Developers and automated systems downloaded what looked, to every outward appearance, like a routine, trusted software update. Within two seconds of installation, the malware was already communicating with the attacker's server, before the installation process had even finished.
The malicious postinstall script in plain-crypto-js drops a cross-platform RAT designed to run on macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform-specific second-stage payloads, with the capability to harvest credentials, SSH keys, cloud tokens, and other secrets from the local environment.
The cascading risk for businesses is real and significant. When a piece of software as widely used as Axios is compromised, the potential blast radius extends across thousands of companies, development pipelines, and live production environments, all at once. The full breadth of this incident is still being assessed, but given the popularity of the compromised package, researchers expect it to have far-reaching impacts. Early attribution points toward a sophisticated, state-sponsored threat actor: North Korean-linked hackers have been identified as suspects in the Axios hijacking.
This is not the first supply chain attack of its kind, and it will not be the last. The software ecosystem that modern businesses depend on is extraordinarily interconnected, and that interconnectedness, while enormously useful, also creates risk that is invisible to anyone not actively watching for it.
The SecureIT Promise: You Are Not in This Alone
If reading this made you feel a brief moment of anxiety, that reaction is completely reasonable. These are serious, sophisticated threats, and they can emerge at any hour, on any day, with little warning.
But here is what we want you to hold onto: you are not expected to know about Axios, npm packages, Remote Access Trojans, or supply chain attack vectors. You run a business. You have customers to serve, teams to lead, and a thousand other priorities that rightfully demand your attention. Keeping track of zero-day attacks in foundational software infrastructure is simply not your job.
It is ours.
SecureIT was built specifically for this reality. The world of cybersecurity does not pause on weekends or holidays. Threats like this one do not announce themselves in advance. Our team monitors your environments continuously, maintains active threat intelligence feeds, and responds to emerging incidents like this Axios attack from the moment credible information surfaces, not after the headlines appear.
When something like this happens, our customers should feel one thing above all else: covered.
If you are not yet a SecureIT customer and today's news has prompted you to think more seriously about your organization's security posture, we welcome that conversation. Contact us at https://secureit.is/en/contact or reach our team directly by email at lets@secureit.is. We will give you an honest assessment of where you stand and what meaningful protection actually looks like.
Because in a world where trusted supply trucks can be quietly intercepted before they ever reach your door, having someone watching the loading dock is not optional. It is the foundation of doing business safely.