
Axios NPM supply chain incident

low | malware | 2026-04-03T17:00:22+00:00
Tags: malware, windows, linux

Overview of the recent Axios NPM supply chain incident including details of the payloads delivered from actor-controlled infrastructure.

Cisco Talos is actively investigating the March 31, 2026 supply chain attack on the official Axios node package manager (npm) package, during which two malicious versions (v1.14.1 and v0.30.4) were deployed. Axios is one of the more popular JavaScript libraries, with as many as 100 million downloads per week. It is a widely deployed HTTP client library for JavaScript that simplifies HTTP requests, specifically for REST endpoints. The malicious packages were only available for approximately three hours, but if they were downloaded, Talos strongly encourages rolling all deployments back to the previous known-safe versions (v1.14.0 or v0.30.3). Additionally, Talos strongly recommends that users and administrators investigate any systems that downloaded the malicious package for follow-on payloads from actor-controlled infrastructure.

Details of supply chain attack

The primary modification to the packages introduced a fake runtime dependency (plain-crypto-js) that executes via a post-install script, with no user interaction required. Upon execution, the dependency reaches out to actor-controlled infrastructure (142[.]11[.]206[.]73) with operating system information to retrieve a platform-specific payload for Linux, macOS, or Windows. On macOS, a binary, "com.apple.act.mond", is downloaded and run using zsh. Windows is delivered a .ps1 file, which copies the legitimate PowerShell executable to "%PROGRAMDATA%\wt.exe" and executes the downloaded .ps1 file with hidden-window and execution-policy-bypass flags. On Linux, a Python backdoor is downloaded and executed. The payload is a remote access trojan (RAT) with the typical associated capabilities, allowing the actor to gather information and run additional payloads.

Impact

As with most supply chain attacks, the full impact will likely take some time to uncover. The threat actors exfiltrated credentials, and the payload gave them remote management capabilities.
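As an added defender-side example (not part of the Talos write-up or the Axios project), the following Node.js script scans a package-lock.json for the two malicious axios versions named above and for the fake plain-crypto-js dependency, and reports the install-time lifecycle hooks a dependency manifest declares, since that is the mechanism the advisory describes. The sample lockfile, the sample manifest, the plain-crypto-js version number and its postinstall command are constructed for illustration; only the axios version numbers, the rollback targets and the dependency name come from the advisory.

```javascript
// Added example (not Talos's or Axios's code): scan an npm lockfile for the
// compromised axios releases and the fake dependency they pulled in, and
// list install-time lifecycle hooks declared in a dependency manifest.
const MALICIOUS_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]); // from the advisory
const ROLLBACK_TARGETS = { "1.14.1": "1.14.0", "0.30.4": "0.30.3" }; // known-safe versions from the advisory
const FAKE_DEPENDENCY = "plain-crypto-js"; // from the advisory
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // npm scripts that run at install time

// Walk a lockfile and yield {name, version, dependencies} for every installed package.
// lockfileVersion 2/3 carry a flat "packages" map keyed by install path;
// lockfileVersion 1 carries a nested "dependencies" tree.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // root project entry, not a dependency
      const marker = "node_modules/";
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      yield { name, version: entry.version, dependencies: entry.dependencies || {} };
    }
  } else if (lock.dependencies) {
    const stack = Object.entries(lock.dependencies);
    while (stack.length) {
      const [name, entry] = stack.pop();
      yield { name, version: entry.version, dependencies: entry.requires || {} };
      if (entry.dependencies) stack.push(...Object.entries(entry.dependencies));
    }
  }
}

// Return a list of findings: a malicious axios version (with the rollback target),
// the fake dependency itself, or any package that declares a dependency on it.
function scanLockfile(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    if (pkg.name === "axios" && MALICIOUS_AXIOS_VERSIONS.has(pkg.version)) {
      findings.push({ kind: "malicious-axios", name: pkg.name, version: pkg.version,
                      rollbackTo: ROLLBACK_TARGETS[pkg.version] });
    }
    if (pkg.name === FAKE_DEPENDENCY) {
      findings.push({ kind: "fake-dependency", name: pkg.name, version: pkg.version });
    }
    if (Object.prototype.hasOwnProperty.call(pkg.dependencies, FAKE_DEPENDENCY)) {
      findings.push({ kind: "depends-on-fake-dependency", name: pkg.name, version: pkg.version });
    }
  }
  return findings;
}

// Return the install-time lifecycle hooks declared in a package.json object.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Constructed sample lockfile (lockfileVersion 3) modelling a project that
// resolved the compromised release during the three-hour exposure window.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.1" }, // constructed version number
    "node_modules/follow-redirects": { version: "1.15.6" },
  },
};

// Constructed manifest for the fake dependency; the postinstall command is illustrative.
const SAMPLE_FAKE_MANIFEST = {
  name: "plain-crypto-js",
  version: "0.0.1",
  scripts: { postinstall: "node setup.js" },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
console.log("install hooks declared by", SAMPLE_FAKE_MANIFEST.name + ":", installHooks(SAMPLE_FAKE_MANIFEST));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) and inspect each reported package's installed package.json with installHooks. Any malicious-axios finding should be rolled back to the listed target version and the host checked for the follow-on payloads described above. Installing with `npm ci --ignore-scripts` prevents dependency lifecycle hooks from running at all, which is the class of execution this incident relied on, at the cost of breaking packages that legitimately need install scripts.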
