[Emergency Security Report] Axios Supply Chain Attack: 3 Hours That Shook the npm Ecosystem

2026-04-01
#Axios#Security#SupplyChainAttack#npm#pnpm#Malware#RAT

Axios Supply Chain Attack

"The moment you clicked npm install, your server's control might have been compromised."

Yesterday (March 31, 2026), the Axios library, the heart of the JavaScript ecosystem, suffered an unprecedented Supply Chain Attack. A maintainer's account was hijacked, and a version embedded with malware was released.

We analyze the full story of this 'digital slaughter' that occurred in just 3 hours and organize action items you should take right now to protect your server and development environment.


📋 Emergency Security Report Table of Contents

  1. How was it breached? The attacker's penetration path
  2. Actions when malware is planted (Payload Analysis)
  3. 🛡️ npm vs pnpm: Why were pnpm users safe?
  4. 🚨 Verification method: How to check if you are infected
  5. 🛠️ Emergency Action Guide: Review, Discard, and Rebuild

1. How was it breached? The attacker's penetration path

The attacker did not hack the Axios source code. Instead, they targeted the npm account of a maintainer with publishing rights.

  • Vulnerable Account Hijacking: An account of one of the lead maintainers was compromised.
  • Clever Version Publication: The attacker immediately published versions axios@1.14.1 and axios@0.30.4 upon account takeover. These versions appear to work normally on the surface but contained deadly dependencies inside.

2. Actions when malware is planted (Payload Analysis)

The key to this attack is the hidden dependency plain-crypto-js@4.2.1 added to package.json.

🧪 Malware Execution Process (Attack Workflow)

graph TD
    A[npm install executed] --> B[plain-crypto-js installed]
    B --> C[postinstall script triggered]
    C --> D{Determine OS}
    D -- Win/Mac/Linux --> E[Send beacon to C2 server]
    E --> F[Download additional RAT payload]
    F --> G[Start stealing sensitive information]
    G --> H[Self-delete and destroy traces]

It used a sophisticated method of immediately stealing AWS/GCP credentials, SSH keys, and npm tokens from inside the system, sending them to a C2 server, and then deleting its own traces.


3. 🛡️ npm vs pnpm: Why were pnpm users safe?

Interestingly, in this attack, environments using pnpm are being reported as relatively safe.

Manager | Infection Status | Reason
npm | High Risk (Infected) | Executes lifecycle scripts (postinstall) of all dependencies by default
pnpm | Safe (Blocked) | Script execution for dependencies is limited by default, and strict isolation blocks abnormal access by malicious payloads

Analysis indicates that pnpm's content-addressable store and strict link structure neutralized the attacker's postinstall injection attempt. The choice of a modern package manager has become a security decision, not just a convenience one.


4. 🚨 Verification method: How to check if you are infected

Run the following commands in your terminal right now to check for infection.

① Check Package logs and Lockfiles

# Search the project tree (package-lock.json, other lockfiles and node_modules) for the malicious package.
grep -r "plain-crypto-js" .

If even one match is found, treat the environment as fully compromised.

② Check Network Connections

Check for connections to unfamiliar external IPs.

  • Linux/Mac: lsof -i -P | grep -i "ESTABLISHED"
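The lockfile check in step ① can also be done programmatically. The script below is an added example, not from the original post: it scans a parsed package-lock.json (lockfileVersion 1, 2 or 3) for the indicators named in this report, plain-crypto-js@4.2.1 and the hijacked axios@1.14.1 / axios@0.30.4, and reports where each one sits in the tree. The sample lockfile object is constructed for the demonstration.

```javascript
// Added example (not code from the Axios project or the original post).
// Indicators taken from the report above: the hidden dependency and the two hijacked axios releases.
const INDICATORS = {
  "plain-crypto-js": ["4.2.1"],
  axios: ["1.14.1", "0.30.4"],
};

// Record a finding if this package/version pair is one of the indicators.
function check(name, version, where, out) {
  const bad = INDICATORS[name];
  if (bad && bad.includes(version)) out.push({ name, version, where });
}

// lockfileVersion 1 keeps a nested "dependencies" tree; walk it recursively.
function walkV1(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = path ? `${path} > ${name}` : name;
    check(name, entry.version, here, out);
    walkV1(entry.dependencies, here, out);
  }
}

// Returns a list of {name, version, where} findings for a parsed lockfile object.
// lockfileVersion 2/3 uses a flat "packages" map keyed by node_modules path
// (e.g. "node_modules/axios", "node_modules/a/node_modules/@scope/b").
function scanLockfile(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // root project entry, not a dependency
      const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
      check(name, entry.version, key, out);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Convenience wrapper for a lockfile on disk (assumes Node's CommonJS require).
function scanLockfilePath(file) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not real data): a hijacked axios pulling in the implant.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`FOUND ${f.name}@${f.version} at ${f.where}`);
```

Point scanLockfilePath at a real package-lock.json to run it against a project; any finding means the environment should be treated as compromised and handled per section 5.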

5. 🛠️ Emergency Action Guide: Review, Discard, and Rebuild

My recommendation as the Director: don't try to 'fix' it. 'Discard' is the answer.

  1. Isolation and Reinstallation: Immediately disconnect infected equipment and rebuild using a clean image from before March 30.
  2. Revoke All Credentials: Discard all API keys and passwords exposed on the equipment.
  3. Lockfile Rollback: Freeze the axios version at 1.14.0.

🏁 Conclusion: Security starts with the choice of tools.

"The tools you choose can determine the survival of your infrastructure."

This incident proved the security superiority of modern tools like pnpm. I hope you have the insight to consider 'defensive design' as well as convenience when deciding on a technology stack.

#AxiosIncident #npmSecurity #pnpmVictory #SupplyChainAttack #Malware #RAT #NodejsSecurity #DeveloperRoutine #SystemSecurity #2026SecurityResponse