Axios Supply‑Chain Attack: 300 Million Weekly Downloads, Remote‑Control Trojan Inserted
The widely used Axios library, with 300 million weekly installs, was compromised through a short‑lived npm supply‑chain attack that injected a postinstall trojan delivering cross‑platform malware and a C2 callback, prompting detailed mitigation and long‑term prevention guidance.
Axios, a ubiquitous HTTP client for JavaScript and Node.js, was targeted in a supply‑chain attack that leveraged its 300 million weekly installations.
Attack Timeline
On 2023‑03‑30 05:57 UTC the attacker published [email protected] as a clean “bait” package. Later that day, at 23:59 UTC, a malicious version [email protected] was released. On 2023‑03‑31 00:21 UTC the compromised npm account jasonsaayman published [email protected] that listed the malicious package as a dependency. Within 39 minutes [email protected] was republished the same way, affecting older projects. The malicious packages were removed around 03:15 UTC, giving an attack window of roughly three hours.
Malicious Payload Mechanics
The injected dependency, [email protected], is never referenced by Axios's own source code; the only thing of note it ships is a postinstall script, which npm runs automatically after installation and which launches setup.js. That script is double‑obfuscated: first XOR‑encrypted with the key OrDeR_7077, then Base64‑encoded and reversed.
Decoding reveals a cross‑platform trojan installer. On macOS it writes a binary to /Library/Caches/com.apple.act.mond via AppleScript. On Windows it drops %PROGRAMDATA%\wt.exe using VBScript and PowerShell. On Linux it fetches a payload to /tmp/ld.py with curl. All three branches follow the same logic and leave the payload running as a background daemon.
Command‑and‑Control
The trojan contacts sfrclak.com:8000. StepSecurity observed two callbacks: the first 1.1 seconds after installation, the second from a persistent process detached with nohup (orphaned from the installer) that reconnects if it is terminated.
Evidence Removal
After execution, setup.js deletes itself and replaces the malicious package.json with a clean version, leaving no visible postinstall hook in node_modules/plain-crypto-js.
Impact Assessment
Only two Axios versions are affected: [email protected] and [email protected]. Safe versions are [email protected] and [email protected]. Users can check their version with npm list axios and downgrade if necessary.
Mitigation Steps
Lock to a safe version: npm install [email protected] (or [email protected]).
If the malicious version is already installed, delete the injected package and reinstall with --ignore-scripts, then rotate all credentials (npm tokens, cloud keys, SSH keys, CI/CD secrets) and rebuild affected machines.
Add sfrclak.com and its IP 142.11.206.73 to firewall rules.
Broader Trend
Supply‑chain attacks on the npm ecosystem are increasing, using tactics such as bait packages, token theft, lock‑file manipulation, and self‑destructing payloads. As Andrej Karpathy warned, any project that runs npm install without a locked version is vulnerable.
Long‑Term Prevention
For individual developers: use npm ci --ignore-scripts in CI/CD pipelines, lock dependencies with package-lock.json or the --save-exact flag, and regularly audit node_modules for unused packages.
For teams and enterprises: host a private npm registry with review, restrict outbound network access in build environments, and enforce a dependency‑audit workflow for new packages and version upgrades.
The axios incident shows that the trust chain of open‑source ecosystems is fragile and requires continuous vigilance.