One Stolen Token, 100 Million Downloads: Inside the axios Attack

Eighteen hours of staging. Thirty-nine minutes of execution. Zero lines of malicious code inside the target library itself.

Sometime around midnight UTC on March 31, 2026, an attacker published two backdoored versions of axios to the npm registry — [email protected], tagged “latest,” and [email protected], tagged “legacy.” A default npm install axios resolved to a poisoned package. Axios pulls roughly 100 million downloads per week. By the time security firm StepSecurity detected the anomaly, the malicious releases had already been pulled into developer machines and CI pipelines worldwide.

The attacker didn’t touch axios’s source code. They didn’t need to.

A Stolen Token, a Swapped Email

The attack began with the compromise of the npm account belonging to “jasonsaayman,” axios’s primary maintainer. The attacker changed the account’s registered email to a ProtonMail address — [email protected] — and obtained a long-lived classic npm access token, according to StepSecurity’s analysis.

Every legitimate recent axios release, including version 1.14.0 published three days earlier, went through GitHub Actions with npm’s OIDC Trusted Publisher mechanism. Those tokens are ephemeral and cryptographically tied to a specific workflow. The attacker couldn’t steal one. Instead, they used the classic access token to publish manually via the npm CLI, bypassing the project’s CI/CD pipeline entirely.

The forensic trail is blunt. The legitimate 1.14.0 lists “GitHub Actions” as the publisher with an OIDC binding. Version 1.14.1 lists “jasonsaayman” with a ProtonMail address, no OIDC, no git commit, no corresponding tag in the GitHub repository.

One Dependency, Carefully Staged

Across all 86 files in the axios package, exactly one changed between versions 1.14.0 and 1.14.1: package.json. Three edits — a version bump, the addition of plain-crypto-js@^4.2.1, and the removal of the prepare script (which ran husky pre-commit checks). The package had never appeared in any legitimate axios release.

The attacker staged it 18 hours in advance. A clean version, 4.2.0, was published first to establish publishing history and evade “brand-new package” alarms from security scanners. The malicious 4.2.1 followed, carrying a postinstall hook — node setup.js — that fired the moment npm finished resolving dependencies.

Within two seconds of npm install, the dropper was calling home to sfrclak.com:8000.

A RAT Built for Every Platform

The dropper deployed three implementations of the same remote access trojan — PowerShell for Windows, compiled C++ for macOS, Python for Linux — built to an identical specification. Same C2 protocol. Same command set: kill, runscript, peinject, rundir. Same 60-second beacon interval. Same spoofed Internet Explorer 8 user-agent string, which is anachronistic on every modern platform and serves as a useful detection signal.

On macOS, the RAT installed itself as a system daemon at /Library/Caches/com.apple.act.mond. On Windows, it copied PowerShell to %PROGRAMDATA%\wt.exe — mimicking Windows Terminal — and established persistence via a Registry Run key. On Linux, it dropped a Python script to /tmp/ld.py. The macOS and Linux variants lacked persistence mechanisms, suggesting the operation prioritized quick data exfiltration or planned to deploy persistence through secondary payloads.

After execution, the dropper deleted itself and swapped its own package.json with a clean decoy. A developer inspecting node_modules afterward would find nothing amiss.

“This was not opportunistic,” said Ashish Kurmi, StepSecurity’s CTO and co-founder. “The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes.”

Pyongyang’s Fingerprints

Google’s Threat Intelligence Group attributed the attack to UNC1069, a suspected North Korean threat actor. The macOS binary shows significant code overlap with WAVESHAPER, a C++ backdoor tracked by Mandiant and linked to the same cluster, according to Elastic Security Labs. GTIG chief analyst John Hultquist confirmed the attack is unrelated to the recent TeamPCP supply chain compromises.

“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency,” Hultquist told The Register. “Given the popularity of the compromised package, we expect it will have far reaching impacts.”

The Structural Problem

The axios compromise was executed with discipline, but the vulnerability it exploited is mundane. A single maintainer account, guarded by a long-lived token, controlled the integrity of a package with 100 million weekly downloads. OIDC trusted publishing exists, but it only protects releases that go through the pipeline. A stolen classic token circumvents it entirely.

The blast radius extends beyond direct axios users. Socket, a supply chain security firm, identified two additional packages — @shadanai/openclaw and @qqbrowser/openclaw-qbot — distributing the same malware through vendored axios dependencies.

What to Do Now

Developers who installed either affected version should assume compromise. The remediation checklist: downgrade to [email protected] or 0.30.3, check for RAT artifacts on all three platforms, rotate all credentials, audit CI/CD pipeline runs, and block egress traffic to sfrclak.com.

The malicious packages have been removed from npm. The cleanup will take considerably longer.

Sources

Supply chain blast: Top npm package backdoored to drop dirty RAT on dev machines — The Register
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan — StepSecurity
Inside the Axios supply chain compromise - one RAT to rule them all — Elastic Security Labs
Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account — The Hacker News

Discussion (8)

tech_dave_83

just did npm install axios like an hour ago, should i be worried?? article says 100 million downloads thats insane

2 ↑

nothingburger

This is a nothingburger. The malicious packages were up for what, 39 minutes? StepSecurity caught it, npm pulled them down. The system worked. Everyone wringing their hands about supply chain security needs to touch grass.

14 ↑

39 minutes is plenty of time to hit thousands of CI pipelines that auto-run on push. The "system working" doesn't help the people who already got a RAT on their build server.

16 ↑

~mira

one maintainer account, one token, 100 million downloads a week... the entire npm ecosystem is a house of cards held together by github actions and vibes. love that the attacker just swapped an email to protonmail and walked right in. truly we have built something beautiful

31 ↑

Sarah K.

The OIDC trusted publisher mechanism actually did its job here — it's just that classic tokens exist alongside it as a bypass. That's the real structural issue. As long as npm allows long-lived classic tokens to coexist with OIDC bindings, you have two doors and only one is locked. The whole "we use OIDC" pitch means nothing if you don't revoke the old keys.

22 ↑

Linda M. Rojas

I appreciate that the article distinguishes between the macOS/Linux persistence gaps and the Windows variant. The Registry Run key on Windows versus the lack of persistence on the other two platforms suggests this was either still in an early deployment phase or was prioritizing Windows environments for follow-on activity. The spoofed IE8 user-agent string is a particularly useful detail — detection teams should be retroactively querying their logs for that signature.

9 ↑

devmax_power

How does the maintainer not have 2FA enabled?? Jason should be personally liable for this. You're maintaining a package with 100M weekly downloads and you're guarding it with some token from 2015? Unreal. Open source maintainers want all the credit and none of the accountability.

7 ↑

chunkstyle

North Korea is deploying RATs through npm packages and we're all just like "anyway here's my sprint retrospective." The IE8 user-agent thing is sending me though. Imagine being a world-class nation-state threat actor and your big tell is pretending to be Internet Explorer 8 in 2026. Also naming your malware binary wt.exe to look like Windows Terminal is honestly iconic.

18 ↑