Post-Mortem: The March 2026 Axios Supply Chain Attack


The Incident

On March 31, 2026, a high-profile supply chain attack targeted Axios, a critical HTTP client for the JavaScript ecosystem. By hijacking a maintainer's NPM account, attackers injected a malicious dependency, plain-crypto-js, which deployed a cross-platform Remote Access Trojan (RAT).


Incident Summary

| Detail | Information |
| --- | --- |
| Affected Versions | axios@1.14.1, axios@0.30.4 |
| Malicious Dependency | plain-crypto-js@4.2.1 |
| Payload | Cross-platform RAT (Linux, macOS, Windows) |
| C2 Server | sfrclak.com:8000 |
| Resolution Window | Live for ~3 hours (00:21 – 03:29 UTC) |


Technical Deep Dive

The attack bypassed standard security audits by hiding the malicious logic within a sub-dependency. Once installed via a standard npm install, the payload scanned the host machine for:

  • Environment Variables: .env files and active shell exports.

  • Auth Tokens: ~/.npmrc and ~/.aws/credentials.

  • SSH Keys: Unprotected private keys in ~/.ssh.

Data was exfiltrated via POST requests to the sfrclak.com Command & Control (C2) server.


Remediation & Verification

To ensure a development environment is sanitized, the following protocol was executed:

  1. Network Sinkholing: Manually mapping the C2 domain to 127.0.0.1 in /etc/hosts to prevent further exfiltration and "kill" the phone-home capability.

  2. Lockfile Audit: Scanning all local projects for traces of the malicious package using a space-safe search:

    ```bash
    # -print0 / -0 keep paths containing spaces intact; -H always prints the
    # matching file name, even when only a single lockfile is found.
    find . -type f \( -name "package-lock.json" -o -name "yarn.lock" \) -print0 \
      | xargs -0 grep -H "plain-crypto-js"
    ```

  3. Environment Sanitization: Clearing the global NPM cache and updating tool managers (like mise) to ensure only verified versions are used moving forward.
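The lockfile audit above greps for the package name only. As an added example (not code from the original post), the Node.js script below checks an npm lockfile for the exact indicator versions listed in the summary table, reports where in the tree each one sits, and handles both lockfileVersion 1 (nested `dependencies`) and lockfileVersion 2/3 (`packages`) layouts; `SAMPLE_LOCK` is a constructed lockfile.

```javascript
// Added example, not code from the original post. Indicator names/versions
// are the ones the post lists; SAMPLE_LOCK is a constructed lockfile.
const INDICATORS = {
  "plain-crypto-js": ["4.2.1"],
  axios: ["1.14.1", "0.30.4"],
};

// Returns [{ name, version, path }] for each lockfile entry whose name and
// exact version match an indicator. Supports lockfileVersion 2/3 ("packages",
// keyed by node_modules path) and lockfileVersion 1 (nested "dependencies").
function findIndicators(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const bad = INDICATORS[name];
    if (bad && bad.includes(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // "" is the root project itself
      // Name is everything after the last "node_modules/" (works for @scope/pkg too).
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      check(name, entry.version, key);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, entry.version, path);
        walk(entry.dependencies, `${path}/`); // nested installs of a sub-dependency
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed lockfileVersion 3 sample: compromised axios pulling in the
// malicious sub-dependency, plus one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

console.log(findIndicators(SAMPLE_LOCK));
```

For a real audit, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; yarn.lock is not JSON and still needs the grep above.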

> [!TIP]
> Pro-Tip: Always use npm audit or tools like Snyk to monitor your dependency tree for "hidden" sub-dependencies that do not appear directly in your package.json.
