Post-Mortem: The March 2026 Axios Supply Chain Attack

The Incident On March 31, 2026, a high-profile supply chain attack targeted Axios , a critical HTTP client for the JavaScript ecosystem. By hijacking a maintainer's NPM account, attackers injected a malicious dependency, plain-crypto-js , which deployed a cross-platform Remote Access Trojan (RAT). Incident Summary Detail Information Affected Versions axios@1.14.1 , axios@0.30.4 Malicious Dependency plain-crypto-js@4.2.1 Payload Cross-platform RAT (Linux, macOS, Windows) C2 Server sfrclak.com:8000 Resolution Window Live for ~3 hours (00:21 – 03:29 UTC) Technical Deep Dive The attack bypassed standard security audits by hiding the malicious logic within a sub-dependency. Once installed via a standard npm install , the payload scanned the host machine for: Environment Variables: .env files and active shell exports. Auth Tokens: ~/.npmrc and ~/.aws/credentials . SSH Keys: Unprotected private keys in ~/.ssh . Data was exfiltrated via POST requests to the sfrclak.com Command & Control (C2) s