Axios Got Hacked. Here's How to Check If You're Affected.
The Axios npm package was compromised on March 31. Two malicious versions shipped a RAT to every OS. Here's what happened and how to check if axios is hiding somewhere in your dependency tree.
Last week, attackers ran a social engineering campaign against the lead Axios maintainer, got a RAT onto his machine, and used that access to publish two poisoned npm versions — 1.14.1 and 0.30.4. Both included a hidden dependency called plain-crypto-js that installed a remote access trojan the moment npm install ran. macOS, Windows, Linux. All three.
The malicious versions were live for about three hours before npm pulled them. That doesn’t sound like much — until you remember Axios gets roughly 100 million downloads per week.
What actually happened
The attacker didn’t touch the Axios source code. They added one line to package.json — a new dependency that nobody would import, because it wasn’t meant to be imported. It was meant to run a postinstall script. That script called a command-and-control server, downloaded a platform-specific payload, executed it, and then deleted itself. If you checked your node_modules after the fact, everything looked clean.
The whole thing was pre-staged 18 hours in advance. Both release branches were hit within 39 minutes of each other. When community members filed GitHub issues about the compromise, the attacker deleted them using the hijacked account. This wasn’t a kid messing around.
How to check your projects
Axios has over 174,000 dependents on npm. You might not use it directly, but something in your dependency tree probably does. Here’s how to find out.
Check your lockfile (the fast way):
grep -E 'axios[@-](npm:)?(1\.14\.1|0\.30\.4)([^0-9]|$)|plain-crypto-js' package-lock.json yarn.lock 2>/dev/null
This searches both lockfile types for the bad versions and the malicious dependency in one shot. If anything comes back, that machine needs to be treated as compromised.
Check your full dependency tree:
npm list axios
This shows every instance of axios in your project — direct or transitive. If you see 1.14.1 or 0.30.4 anywhere, same story.
Check for the malicious dependency directly:
find node_modules -name "plain-crypto-js" -type d
If that directory exists, the payload ran on your machine.
Check network logs (if you have monitoring):
Look for connections to sfrclak[.]com or 142.11.206.73 on port 8000. That’s the command-and-control server the RAT called home to.
If you’re affected
Downgrade to the last clean version and skip install scripts:
npm install axios@1.14.0 --ignore-scripts
If you’re on the 0.x branch, the safe version is 0.30.3.
Remove the malicious package:
rm -rf node_modules/plain-crypto-js
And then the part nobody wants to hear: rotate every secret that was accessible from that machine. API keys, database credentials, tokens, SSH keys. The RAT collected filesystem info and running processes and sent it all to the attacker’s server. If it ran, assume they saw everything the machine could see.
The uncomfortable part
The thing that sticks with me is how invisible this was. No source code changes, no weird imports. Just one extra line in package.json and a postinstall hook that cleaned up after itself. If you weren’t watching the three-hour window it was live, you’d never know by looking at your node_modules.