
Attackers stole a long-lived npm access token belonging to the lead maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that installed a cross-platform remote access trojan. The malware targets macOS, Windows and Linux. The poisoned versions were live in the npm registry for about three hours before being removed.
Axios receives over 100 million downloads per week. Wiz reports it sits in roughly 80% of cloud and code environments, touching everything from React frontends to CI/CD pipelines and serverless functions. Huntress detected the first infections 89 seconds after the malicious package was released and confirmed at least 135 compromised systems among its customers during the exposure window.
This is the third major npm supply chain compromise in seven months. Each one exploited maintainer credentials. This time, the target had adopted every protection recommended by the security community.
One credential, two branches, 39 minutes
The attacker took over the npm account of lead axios maintainer @jasonsaayman, changed the account email to an anonymous ProtonMail address and published the poisoned packages via the npm command line interface. This completely bypassed the project's GitHub Actions CI/CD pipeline.
The attacker never touched the axios source code. Instead, both release branches received a single new dependency: plain-crypto-js@4.2.1. No part of the codebase imports it. The package exists only to run a postinstall script that drops the cross-platform RAT onto the developer's machine.
The staging was precise. Eighteen hours before the axios releases, the attacker published a clean version of plain-crypto-js under a separate npm account to build publication history and avoid new-package scanner alerts. Then came the weaponized 4.2.1. Both release branches were hit within 39 minutes. Three platform-specific payloads were pre-built. The malware deletes itself after execution and swaps in a clean package.json to frustrate forensics.
StepSecurity, which identified the compromise alongside Socket, called it among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
Protection available on paper
Axios did the right things. Legitimate 1.x releases shipped through GitHub Actions using npm's OIDC Trusted Publisher mechanism, which cryptographically links each publish to an approved CI/CD workflow. The project implemented SLSA provenance attestations. By every modern measure, the security stack looked solid.
None of it mattered. Huntress dug into the publish workflow and found the gap. The project still passed NPM_TOKEN as an environment variable alongside the OIDC credentials. When both are present, npm defaults to the token. Regardless of how OIDC was configured, the long-lived classic token was the effective authentication method for every publish. The attacker never had to defeat OIDC. They walked around it. The legacy token sat there as a parallel auth path, and npm's own precedence order silently favored it.
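As an added example (not the axios project's workflow and not npm tooling), the check below flags a GitHub Actions publish workflow in which a stored token coexists with OIDC, the parallel auth path described above. The sample workflows are constructed; NODE_AUTH_TOKEN is included as an assumption because actions/setup-node reads the registry token from that variable.

```javascript
// Added example: detect a stored npm token sitting next to OIDC trusted
// publishing in a GitHub Actions workflow. Line-based heuristic, not a YAML
// parser. NODE_AUTH_TOKEN is checked too (assumption: setup-node style .npmrc).
const TOKEN_ENV = /^\s*(?:-\s*)?(NPM_TOKEN|NODE_AUTH_TOKEN)\s*:\s*\S/;
const OIDC_PERMISSION = /^\s*id-token\s*:\s*write\b/;
const PUBLISH_CMD = /\bnpm\s+publish\b/;

function auditWorkflow(yamlText) {
  const result = { oidc: false, publishes: false, tokens: [] };
  yamlText.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.replace(/(^|\s)#.*$/, ''); // strip YAML comments
    if (OIDC_PERMISSION.test(line)) result.oidc = true;
    if (PUBLISH_CMD.test(line)) result.publishes = true;
    const m = TOKEN_ENV.exec(line);
    if (m) result.tokens.push({ name: m[1], line: index + 1 });
  });
  // Both auth paths present on a publishing workflow: the state the article describes.
  result.parallelAuthPath =
    result.oidc && result.publishes && result.tokens.length > 0;
  return result;
}

// Constructed sample workflow (illustrative only).
const WEAK_WORKFLOW = [
  'name: release',
  'on: { push: { tags: ["v*"] } }',
  'permissions:',
  '  id-token: write',
  '  contents: read',
  'jobs:',
  '  publish:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - run: npm ci --ignore-scripts',
  '      - run: npm publish --provenance',
  '        env:',
  '          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # legacy credential still wired in',
].join('\n');

// Same workflow with the stored token removed, leaving OIDC as the only path.
const HARDENED_WORKFLOW = WEAK_WORKFLOW
  .split('\n')
  .filter((l) => !/^\s*env:\s*$/.test(l) && !/NPM_TOKEN/.test(l))
  .join('\n');

console.log(auditWorkflow(WEAK_WORKFLOW));
console.log(auditWorkflow(HARDENED_WORKFLOW));
```

A finding here only shows that the token is wired into the workflow; the token itself still has to be revoked on the npm account to close the path.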
“From my experience at AWS, it’s very common for legacy auth mechanisms to be stretched,” said Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, in an exclusive interview with VentureBeat. “Modern controls are enabled, but if older tokens or keys are not retired, the system silently prefers them. Just like we saw with SolarWinds, where older scripts bypassed newer monitoring.”
The maintainer posted on GitHub after discovering the compromise: “I’m trying to get support to figure out how this happened. I have 2FA / MFA on practically everything I interact with.”
Endor Labs documented the forensic difference. The legitimate axios@1.14.0 had OIDC provenance, a valid publisher record, and a gitHead that links to a specific commit. The malicious axios@1.14.1 had none of them. Any tool that checks provenance would have flagged the gap immediately. But provenance checking is opt-in. No registry gate rejected the package.
Three attacks, seven months, same root cause
Three npm supply chain compromises occurred within seven months. Each began with stolen maintainer credentials.
The Shai-Hulud worm hit in September 2025. A single phished maintainer account gave attackers a foothold that self-replicated across more than 500 packages, harvesting npm tokens, cloud credentials, and GitHub secrets as it spread. CISA issued an advisory. GitHub overhauled npm's entire authentication model in response.
Then, in January 2026, Koi Security's PackageGate research disclosed six zero-day vulnerabilities across npm, pnpm, vlt and Bun that bypassed many of the protections the ecosystem adopted after Shai-Hulud. Lockfile integrity and script blocking both failed under specific conditions. Three of the four package managers were patched within weeks. npm closed the report.
Now axios. A stolen long-lived token published a RAT through both release branches despite OIDC, SLSA and every post-Shai-Hulud hardening measure.
npm shipped real reforms after Shai-Hulud. Creation of new classic tokens was deprecated, although pre-existing ones survived until a hard revocation deadline. FIDO 2FA became mandatory, granular access tokens were capped at seven days for publishing, and trusted publishing via OIDC gave projects a cryptographic alternative to stored credentials. Taken together, these changes hardened everything downstream of the maintainer account. What did not change was the account itself. The credential remained the single point of failure.
“Credential compromises are a recurring theme in npm breaches,” Baer said. “It’s not just a weak password problem. This is the structure. Without ephemeral credentials, mandatory MFA, or isolated build and signing environments, maintainer access remains the weak link.”
What npm shipped and what this attack got past

| What SOC leaders need | What npm shipped | Against the axios attack | Gap |
| --- | --- | --- | --- |
| Block stolen tokens from publishing | FIDO 2FA is required. Granular tokens, 7-day lifetime. Classic tokens are deprecated | Bypassed. The legacy token coexisted with OIDC. | When OIDC is configured, nothing enforces the removal of old tokens |
| Verify package provenance | OIDC Trusted Publishing via GitHub Actions. SLSA attestations | Bypassed. Malicious versions had no provenance. Published via CLI | No gate rejects packages that lack provenance from projects that previously had it |
| Catch malware before installing | Automated scanning by Socket, Snyk, Aikido | Partially. Socket flagged it in 6 minutes. The first infections were recorded at 89 seconds | Detection-to-removal gap. Scanners catch it, but removal from the registry takes hours |
| Block postinstall execution | --ignore-scripts is recommended in CI/CD | Not implemented. | postinstall remains the primary malware vector in every respect |
| Lock dependency versions | Lockfile enforcement | Only effective if the lockfile was committed before the compromise. Caret ranges are resolved automatically | are caret ranges |

What to do in your enterprise now
SOC leaders whose organizations run Node.js should treat this as an active incident until they can confirm their systems are clean. The three-hour exposure window fell during peak development hours in Asia-Pacific time zones, and any CI/CD pipeline that ran npm install overnight could have pulled the compromised version automatically.
“The first priority is to assess the impact: what constitutes the compromised package and what downstream consumers receive?” Baer said. “Then monitoring, patching, and finally transparent reporting to management. What happened, what was detected, and what controls will prevent recurrence. Lessons from Log4j and event streaming show that speed and clarity are as important as resolution.”
- Check the exposure. Search lock files and CI logs for axios@1.14.1, axios@0.30.4 or plain-crypto-js. Pin to axios@1.14.0 or axios@0.30.3.
- Assume compromise if hit. Rebuild affected machines from a known-good state. Rotate every accessible credential: npm tokens, AWS keys, SSH keys, cloud credentials, CI/CD secrets, .env values.
- Block C2. Add sfrclak.com and 142.11.206.73 to DNS blocklists and firewall rules.
- Check for RAT artifacts. /Library/Caches/com.apple.act.mond on macOS. %PROGRAMDATA%\wt.exe on Windows. /tmp/ld.py on Linux. If found, move to a full rebuild.
- Harden going forward. Enforce npm ci --ignore-scripts in CI/CD. Require lockfile-only installs. Reject packages that lack provenance from projects that previously had it. Check whether legacy tokens coexist with OIDC in your own publishing workflows.
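For the exposure check in the first step, the following added example (not from the original article or any vendor tool) scans a parsed package-lock.json for the versions named above, covering both the flat `packages` layout and the older nested `dependencies` layout. The sample lockfiles and the `legacy-sdk` package name are constructed.

```javascript
// Added example: look for the package versions named in the checklist inside
// a parsed package-lock.json. Load a real file with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const BAD_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
const BAD_PACKAGES = new Set(['plain-crypto-js']); // any version counts as a hit

function isBad(name, version) {
  return BAD_PACKAGES.has(name) || (BAD_VERSIONS.get(name) || []).includes(version);
}

function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.split('node_modules/').pop();
    if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would be counted twice.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isBad(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.3' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-sdk': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
  },
};

console.log(findCompromised(SAMPLE_LOCK_V3));
console.log(findCompromised(SAMPLE_LOCK_V1));
```

A clean lockfile does not clear a machine that ran an unpinned install during the exposure window, so CI logs and the RAT artifact paths still need to be checked.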
No one closed the credential loophole
Three attacks in seven months. Each was different in execution and identical in root cause. npm's security model still treats individual maintainer accounts as the ultimate anchor of trust. No matter how many layers are added downstream, these accounts remain vulnerable to credential theft.
“AI detects risky packets, checks for legacy auth, and accelerates SOC response,” Baer said. “But people still control the protective credential. We reduce the risk. We don’t eliminate it.”
Mandatory provenance attestation, with manual CLI publishing disabled entirely, would have caught this attack before it reached the registry. So would mandatory multi-party signing, where no single maintainer can push a release alone. Neither is enforced today. npm has signaled that disabling tokens by default when trusted publishing is enabled is on the roadmap. Until that ships, every project running OIDC alongside a legacy token has the same blind spot axios had.
The axios maintainer did what the community asked. A legacy token that no one realized was still active undid all of it.




