The JavaScript community woke up to a nightmare this week as Axios, the ubiquitous HTTP client used by millions of developers, fell victim to a highly sophisticated supply chain attack. Unlike typical "shotgun" approaches that rely on luck, this campaign showed a level of surgical precision and restraint rarely seen in the wild.

The Hijack: Trust as a Weapon

The attack didn't happen because of a bug in the Axios code. Instead, it was a failure of identity security. By compromising the npm account of a primary maintainer, attackers gained the "keys to the kingdom."

They didn't touch a single line of Axios source code; doing so would have triggered alerts during a standard code diff. Instead, they quietly added a new dependency, plain-crypto-js, to the published package, and every application that installed the tainted Axios release pulled it in transitively. To an unsuspecting developer or a simple security scanner, it looked like a legitimate new sub-library. The practical lesson is that a review of the repository diff is not enough: the manifest of the artifact npm actually delivers is what has to be compared against the previous release.

Cross-Platform Warfare

What makes this attack particularly chilling is its versatility. The malware was designed to identify the host’s operating system and deliver a custom-tailored payload for each:

  • Windows: Disguises itself as the Windows Terminal binary (wt.exe) and uses PowerShell to establish persistence and a connection back to the attackers.

  • macOS: Uses AppleScript to drop a sophisticated C++ binary into system cache folders.

  • Linux: Deploys a Python-based Remote Access Trojan (RAT) that runs silently in the background.

Security researchers have noted a significant "fingerprint" overlap between this malware and WAVESHAPER, a tool frequently linked to state-sponsored North Korean threat actors. This suggests the breach wasn't just for profit, but likely for long-term espionage.

The "Self-Destruct" Protocol

The attackers were obsessed with covering their tracks. The malware included a "cleanup" phase: after the infection succeeded, it automatically deleted its installation scripts and overwrote its own package.json with a clean version. This removed the forensic "smoking gun" from node_modules, making it very difficult for developers to realize they had been breached after the fact. One thing the cleanup cannot rewrite is the consuming project's lockfile, which still records exactly which version was resolved and installed; that is where an investigation should start.


Source: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
(Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account)

Immediate Action Required

If you are managing an application that relies on Axios, the time to audit is now.

  1. Check Your Versions: If you are on 1.14.1 or 0.30.4, you are at risk. Check the resolved version in your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml), not the range in package.json: a range such as ^1.14.0 happily resolves to 1.14.1, and a nested copy pulled in by another library counts just as much as the top-level one.

  2. Downgrade Immediately: Move back to 1.14.0 or 0.30.3, pin the exact version rather than a range, then delete node_modules and reinstall from the corrected lockfile so that no already-unpacked files from the tainted release survive.

  3. Scour for Artifacts: Look for unusual files such as /tmp/ld.py or %PROGRAMDATA%\wt.exe, and for plain-crypto-js anywhere in your dependency tree. Because the malware deletes its own installers, finding nothing is not proof of a clean machine; treat the lockfile evidence as authoritative.

  4. Reset Secrets: If you find any sign of infection, assume every environment variable, API key and token reachable from that machine (developer workstations and CI runners alike) has been compromised and rotate them immediately.

A Final Thought for Developers

This incident is a sobering reminder that our security is only as strong as the "invisible" dependencies we pull into our projects. In an era where a single compromised account can put a package with 83 million weekly downloads at risk, lockfiles with pinned versions and mandatory MFA for package maintainers are no longer "best practices"; they are survival requirements.

This report is based on findings originally published by The Hacker News; see the source linked above for the full technical breakdown, including the attribution to the UNC1069 threat actor.