On March 31, 2026, the Axios npm package was compromised in a supply chain attack. The attacker, who had gained access to the primary Axios maintainer's npm account, published malicious versions of Axios that pulled in a single new dependency, plain-crypto-js@4.2.1, which carried a cross-platform Remote Access Trojan (RAT). This article provides an overview of the attack, its lifecycle, and the key indicators of compromise (IOCs), followed by immediate response actions that developers and organizations can take to mitigate the risk.
What Happened
The attacker compromised the npm account of the primary Axios maintainer, Jason Saayman, using a long-lived classic npm access token. No CVE applies, because this was credential abuse rather than a code vulnerability. The attacker changed the maintainer's account email to an attacker-controlled Proton Mail address, published malicious Axios versions (1.14.1 and 0.30.4), and added the malicious dependency to the package's package.json.
Attack Lifecycle
The attack unfolded over a 19-hour window in the following phases:
- Staging: The attacker published a clean plain-crypto-js@4.2.0 as a reputation seed.
- Weaponizing: The attacker published the malicious plain-crypto-js@4.2.1 with a postinstall hook.
- Injection: The attacker published malicious Axios versions with the malicious dependency.
- Cleanup: The attacker's self-destructing dropper wiped evidence.
Platform-Specific Payloads
The postinstall hook delivered a platform-specific payload:
- macOS: The binary was saved to /Library/Caches/com.apple.act.mond, disguised as an Apple daemon.
- Windows: A copy of PowerShell was written to %PROGRAMDATA%\wt.exe, disguised as Windows Terminal.
- Linux: A Python script was launched with nohup for persistence.
Laravel Developers: Specific Risks
Laravel developers should be aware of the following high-risk setups:
- Laravel apps using Vite with JS frontend (Inertia, Vue, React)
- Projects using the default Axios instance from resources/js/bootstrap.js (Laravel's CSRF docs still reference this)
- Starter-kit projects with Sanctum-style AJAX
- CI pipelines, preview environments, and Docker builds that ran npm install on March 31, 2026
Indicators of Compromise (IOCs)
Developers should check for the following file artifacts and lockfile entries.
File artifacts:
- /Library/Caches/com.apple.act.mond (macOS)
- %PROGRAMDATA%\wt.exe (Windows)
- /tmp/ld.py (Linux)
Package versions:
- axios@1.14.1
- axios@0.30.4
- plain-crypto-js@4.2.1
- @shadanai/openclaw (versions 2026.3.28-2, 2026.3.28-3, 2026.3.31-1, 2026.3.31-2)
- @qqbrowser/openclaw-qbot (version 0.0.130)
Immediate Response Actions
- Audit lockfiles: Check package-lock.json, yarn.lock, pnpm-lock.yaml across all repos for affected versions.
- Check machines for RAT artifacts: Verify if the files mentioned above are present on your machines.
- Downgrade and pin: Use axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch), remove plain-crypto-js from node_modules, and regenerate lockfiles from a clean state.
- Rotate all secrets: If any compromised version was installed anywhere, treat that host or pipeline as fully compromised and rotate every secret it could reach.
- Block C2 egress: Add sfrclak[.]com to DNS blocklists and egress firewall deny rules.
- Rebuild containers: Container images built during the compromise window must be rebuilt from clean dependencies.
- Harden npm token hygiene: Migrate from classic npm tokens to granular access tokens, and enable IP allowlisting, token expiration enforcement, and CIDR-scoped publish rights.
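As an added example (not code from the article or from the Axios project), the following POSIX shell script implements the first two response steps above: it scans every lockfile under a directory for the exact package versions listed in the IOC section and checks the macOS and Linux artifact paths on the current host. The lockfile layout patterns for npm (v1 to v3), yarn v1 and pnpm, the function names, and the sample lockfile built inside demo_hits are my own assumptions and constructed data; the Windows path is left to PowerShell.

```shell
#!/bin/sh
# Added example, not code from the original article or from the Axios project.
# Scans lockfiles for the package@version indicators from the advisory and
# checks this host for the dropped-file paths. Assumes GNU or BSD grep (for -A)
# and a find that supports -path. %PROGRAMDATA%\wt.exe on Windows is checked
# from PowerShell, not from this script.

# Package@version indicators named in the advisory.
IOC_VERSIONS="axios@1.14.1
axios@0.30.4
plain-crypto-js@4.2.1
@shadanai/openclaw@2026.3.28-2
@shadanai/openclaw@2026.3.28-3
@shadanai/openclaw@2026.3.31-1
@shadanai/openclaw@2026.3.31-2
@qqbrowser/openclaw-qbot@0.0.130"

# Dropped-file paths named in the advisory (macOS and Linux).
IOC_PATHS="/Library/Caches/com.apple.act.mond
/tmp/ld.py"

# lockfile_hits FILE: print each IoC (name@version) that FILE resolves to.
# Matches the package name key and the version line that follows it, so a hit
# means the exact bad version was pinned, not merely a range that could reach it.
lockfile_hits() {
  file=$1
  printf '%s\n' "$IOC_VERSIONS" | while IFS= read -r ioc; do
    name=${ioc%@*}        # drop "@version"; a scope prefix like @shadanai/ survives
    version=${ioc##*@}
    esc_name=$(printf '%s' "$name" | sed 's/\./\\./g')   # literal "." for grep -E
    esc_ver=$(printf '%s' "$version" | sed 's/\./\\./g')
    case $file in
      *package-lock.json|*npm-shrinkwrap.json)
        # v1: "axios": { "version": "1.14.1" }   v2/v3: "node_modules/axios": { ... }
        grep -E -A 3 "\"([^\"]*/)?${esc_name}\": \{" "$file" 2>/dev/null \
          | grep -qE "\"version\": \"${esc_ver}\"" && printf '%s\n' "$ioc" ;;
      *yarn.lock)
        # axios@^1.14.0:   followed by   version "1.14.1"
        grep -E -A 2 "^\"?${esc_name}@" "$file" 2>/dev/null \
          | grep -qE "^  version \"${esc_ver}\"" && printf '%s\n' "$ioc" ;;
      *pnpm-lock.yaml)
        # /axios@1.14.1: (lockfile v6) or axios@1.14.1: (v9), maybe with a (peer) suffix
        grep -qE "^ +'?/?${esc_name}@${esc_ver}['(:]" "$file" 2>/dev/null \
          && printf '%s\n' "$ioc" ;;
    esac
  done
}

# audit_tree DIR: print "lockfile: name@version" for every hit under DIR,
# skipping lockfiles that ship inside installed packages under node_modules.
audit_tree() {
  find "$1" -type f \( -name package-lock.json -o -name npm-shrinkwrap.json \
       -o -name yarn.lock -o -name pnpm-lock.yaml \) ! -path '*/node_modules/*' \
  | while IFS= read -r f; do
      lockfile_hits "$f" | while IFS= read -r h; do printf '%s: %s\n' "$f" "$h"; done
    done
}

# artifact_hits: print each advisory file path that exists on this host.
artifact_hits() {
  printf '%s\n' "$IOC_PATHS" | while IFS= read -r p; do
    [ -e "$p" ] && printf '%s\n' "$p"
  done
}

# demo_hits: exercise the scanner on a constructed package-lock.json (sample data
# made up for this example, not a real project) and print the number of hits.
demo_hits() {
  d=$(mktemp -d)
  mkdir -p "$d/app"
  cat > "$d/app/package-lock.json" <<'EOF'
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "node_modules/axios": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz"
    },
    "node_modules/plain-crypto-js": { "version": "4.2.1" },
    "node_modules/left-pad": { "version": "1.3.0" }
  }
}
EOF
  # A second lockfile pinned to a safe version must produce no hit.
  printf 'axios@^0.30.0:\n  version "0.30.3"\n' > "$d/app/yarn.lock"
  audit_tree "$d" | wc -l | tr -d ' '
  rm -rf "$d"
}

# Usage: sh axios-ioc-scan.sh /path/to/repos
# Without an argument the script only defines the functions, so it can be sourced.
if [ -n "${1-}" ]; then
  audit_tree "$1"
  artifact_hits
fi
```

Run it against the parent directory of your checkouts and against CI runner and build-container filesystems; any line of output is a hit that should feed the downgrade, rotation and rebuild steps that follow. A clean result from lockfiles alone is not proof of safety for a machine whose node_modules was populated without a lockfile during the window, which is why the artifact check is paired with it.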
Key Takeaway
"A single compromised credential can weaponize an entire dependency graph affecting millions of downstream applications, with no modification to the target library's source code required." The attacker bypassed the GitHub Actions CI/CD pipeline, branch protections, code review gates, and tagged release workflows simply by holding a valid npm publish token.
Safe Versions
- axios@1.14.0 (1.x branch)
- axios@0.30.3 (0.x branch)
Note that the malicious versions have been removed from npm, but machines that resolved them while they were live remain at risk.
Dallum Brown
Writer and curator exploring the impact of technology on everyday life.