Attackers stole a long-lived npm access token belonging to the primary maintainer of axios, the most popular HTTP client library in JavaScript, and used it to publish two poisoned versions that install a cross-platform remote access trojan (RAT). The malicious versions target macOS, Windows and Linux systems. They were in the npm registry for about three hours before being removed.
Axios has over 100 million downloads per week. Wiz reports that it runs in roughly 80% of cloud and code environments, covering everything from React interfaces to CI/CD pipelines to serverless functions. Huntress detected the first infections 89 seconds after the malicious package went live and confirmed at least 135 infected systems among its customers within the exposure window.
This is the third major npm supply chain compromise in seven months. Each one exploited maintainer credentials. This time, the target had adopted every protection recommended by the security community.
One credential, two branches, 39 minutes
The attacker took over the npm account @jasonsaayman, the primary maintainer of axios, changed the account's email address to an anonymous ProtonMail address and published the poisoned packages via npm's command-line interface. This completely bypassed the project's GitHub Actions CI/CD pipeline.
The attacker never touched the axios source code. Instead, both release branches received one new dependency: [email protected]. No part of the codebase imports it. The package exists for the sole purpose of running a postinstall script that drops the cross-platform RAT onto the developer's machine.
The staging was precise. Eighteen hours before the axios releases, the attacker published a clean version of plain-crypto-js under a separate npm account to build a publishing history and avoid scanner alerts about new packages. Then came the weaponized 4.2.1. Both release branches were hit within 39 minutes. Three platform-specific payloads were pre-built. The malware deletes itself after execution and swaps in a clean package.json file to thwart forensic inspection.
Step Security, which flagged the compromise alongside Nest, called it one of the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
A defense that existed on paper
Axios did the right things. Legitimate 1.x releases shipped via GitHub Actions using npm's OIDC Trusted Publisher mechanism, which cryptographically ties each publish to a verified CI/CD workflow. The project had SLSA provenance attestations. By any modern standard, the security stack looked solid.
None of this mattered. Huntress dug into the publishing workflow and found a loophole. The project still passed NPM_TOKEN as an environment variable right next to the OIDC credentials. When both are present, npm uses the token by default. The long-lived classic token was the actual authentication method for every publish, regardless of the OIDC configuration. The attacker never had to defeat OIDC. They walked around it. The legacy token sat there as a parallel authentication path, and npm's own hierarchy quietly preferred it.
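The parallel authentication path described above can be spotted in a publish workflow by looking for an OIDC permission and a stored token in the same file. The following is an added example, not code from axios, Huntress or npm; the workflow text is constructed, and NODE_AUTH_TOKEN (the variable actions/setup-node wires into .npmrc) is checked in addition to the NPM_TOKEN named on this page.

```javascript
// Added example: flag a GitHub Actions workflow where a stored npm token
// sits beside OIDC trusted publishing. Line-based heuristic, no YAML parser.
function auditWorkflow(yamlText) {
  const findings = { oidc: [], token: [], publish: [] };
  yamlText.split(/\r?\n/).forEach((raw, i) => {
    if (/^\s*#/.test(raw)) return;                    // skip comment-only lines
    const line = raw.replace(/\s+#.*$/, "");          // drop trailing comments
    if (/\bid-token:\s*write\b/.test(line)) findings.oidc.push(i + 1);
    if (/\b(NPM_TOKEN|NODE_AUTH_TOKEN)\b/.test(line)) findings.token.push(i + 1);
    if (/\bnpm\s+publish\b/.test(line)) findings.publish.push(i + 1);
  });
  // Both present means the long-lived token is still a usable publish credential.
  const parallelPath = findings.oidc.length > 0 && findings.token.length > 0;
  return { ...findings, parallelPath };
}

// Constructed workflow for illustration only.
const SAMPLE_WORKFLOW = `
name: publish
on: { push: { tags: ["v*"] } }
permissions:
  id-token: write   # OIDC trusted publishing
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

const workflowReport = auditWorkflow(SAMPLE_WORKFLOW);
console.log(workflowReport.parallelPath
  ? `token (lines ${workflowReport.token}) coexists with OIDC (lines ${workflowReport.oidc})`
  : "no stored token beside OIDC");
```

A hit means the token should be removed from the workflow and revoked in the registry, not just left unused.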
“In my experience at AWS, very often old authentication mechanisms work,” said Merritt Baer, CSO at Enkrypt AI and former deputy CISO at AWS, in an exclusive interview with VentureBeat. “Modern controls are implemented, but if older tokens or keys are not retired, the system silently favors them. Similar to what we saw with SolarWinds, where older scripts bypassed newer monitoring.”
The maintainer posted on GitHub after discovering the compromise: “I’m trying to get support to understand how this even happened. I have 2FA/MFA on basically everything I interact with.”
Endor Labs documented the forensic difference. The legitimate [email protected] showed OIDC provenance, a trusted publisher record and a gitHead linking to a specific commit. The malicious [email protected] had none. Any tool checking provenance would have flagged the gap immediately. But provenance verification is opt-in. No registry gate rejected the package.
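A consumer-side gate for the difference Endor Labs describes, as an added example that is not code from npm, Endor Labs or axios: it flags any version published without provenance after the project had already shipped attested releases. The input mimics registry metadata (versions[v].dist.attestations, versions[v].gitHead, time[v]); the package name, versions, dates and hashes are constructed.

```javascript
// Added example: detect a provenance regression in packument-style metadata.
function provenanceRegressions(packument) {
  // Walk versions in publish order, not semver order, so that a late release
  // on an older branch is still compared against what the project did before.
  const ordered = Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
  let projectHadProvenance = false;
  const flagged = [];
  for (const version of ordered) {
    const meta = packument.versions[version];
    const attested = Boolean(
      meta.dist && meta.dist.attestations && meta.dist.attestations.provenance
    );
    if (attested) { projectHadProvenance = true; continue; }
    if (projectHadProvenance) {
      flagged.push({
        version,
        published: packument.time[version],
        gitHead: meta.gitHead || null,   // missing gitHead is a second signal
      });
    }
  }
  return flagged;
}

// Constructed metadata: two attested releases, then two unattested CLI publishes.
const ATTESTED = { attestations: { provenance: { predicateType: "https://slsa.dev/provenance/v1" } } };
const SAMPLE_PACKUMENT = {
  name: "example-http-client",
  time: {
    "0.9.0": "2025-01-10T09:00:00Z", "1.0.0": "2025-06-01T09:00:00Z",
    "1.0.1": "2025-09-01T09:00:00Z", "1.0.2": "2026-03-01T00:21:00Z",
    "0.9.1": "2026-03-01T01:00:00Z",
  },
  versions: {
    "0.9.0": { gitHead: "aaaa111", dist: {} },          // predates provenance adoption
    "1.0.0": { gitHead: "bbbb222", dist: ATTESTED },
    "1.0.1": { gitHead: "cccc333", dist: ATTESTED },
    "1.0.2": { dist: {} },                               // no provenance, no gitHead
    "0.9.1": { dist: {} },                               // second branch, same gap
  },
};

console.log(provenanceRegressions(SAMPLE_PACKUMENT));
```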
Three attacks, seven months, same cause
Three npm supply chain compromises in seven months. Each began with stolen maintainer credentials.
The Shai-Hulud worm hit in September 2025. A single compromised maintainer account gave attackers a foothold that self-replicated across more than 500 packages, harvesting npm tokens, cloud credentials, and GitHub secrets as it spread. CISA issued an advisory. GitHub overhauled npm's entire authentication model in response.
Then, in January 2026, Koi Security's PackageGate research disclosed six zero-day vulnerabilities in npm, pnpm, vlt and Bun that broke through the defenses the ecosystem had adopted after Shai-Hulud. Lockfile integrity and script blocking failed under certain conditions. Three of the four package managers were patched within a few weeks. npm closed the report.
Now axios. A stolen long-lived token published a RAT on both release branches despite OIDC, SLSA, and all the post-Shai-Hulud hardening measures in place.
npm shipped real reforms after Shai-Hulud. Creation of new classic tokens was deprecated, although existing ones survived until the final retirement date. FIDO 2FA became mandatory, granular access tokens were capped at seven days for publishing, and trusted publishing via OIDC gave projects a cryptographic alternative to stored credentials. Taken together, these changes hardened everything downstream of the maintainer account. The only thing they didn't change was the account itself. Credentials remained a single point of failure.
“Credential compromise is a recurring theme in npm breaches,” Baer said. “It’s not just a weak password problem. It’s structural. Without temporary credentials, enforced MFA, or isolated build and signing environments, maintainer access remains the weak link.”
What npm shipped vs. what this attack got past
| What SOC leaders need | What npm shipped | vs. the axios attack | Gap |
|---|---|---|---|
| Block stolen tokens before publication | FIDO 2FA required. Granular tokens, validity 7 days. Classic tokens deprecated | Bypassed. The legacy token coexisted with OIDC. | No enforcement removes legacy tokens when OIDC is configured |
| Verify package provenance | OIDC trusted publishing via GitHub Actions. SLSA attestations | Bypassed. The malicious versions had no provenance. Published via CLI | No gate rejects packages that lack provenance from projects that previously had it |
| Catch malware before installation | Automated scanning: Socket, Snyk, Aikido | Partial. Nest flagged it within 6 minutes. The first infections appeared at 89 seconds | Gap between detection and removal. Scanners catch it; registry removal takes hours |
| Block post-installation execution | --ignore-scripts recommended in CI/CD | Not enforced. | postinstall remains the main malware vector in every major |
| Lock dependency versions | Lockfile enforcement via | Only effective if the lockfile was committed before the compromise. Caret ranges resolved automatically | Caret ranges are |
What you can do in your company now
SOC leaders whose organizations use Node.js should treat this as an active incident until they can confirm that the systems are clean. The three-hour exposure window fell during peak development hours in Asia-Pacific time zones, and any CI/CD pipeline that ran npm install overnight could automatically download the compromised version.
“The first priority is to assess the impact: which builds and downstream consumers adopted the compromised package?” Baer said. “Then security, patching, and finally transparent reporting to management. What happened, what was exposed, and what controls will prevent it from happening again. Insights from log4j and event-stream show that speed and transparency are just as vital as the patch itself.”
- Check the exposure. Search lockfiles and CI logs for [email protected], [email protected] or plain-crypto-js. Pin to [email protected] or [email protected].
- Assume a compromise in case of a hit. Rebuild affected machines to a known good state. Rotate all accessible credentials: npm tokens, AWS keys, SSH keys, cloud credentials, CI/CD keys, .env values.
- Block the C2. Add sfrclak.com and 142.11.206.73 to DNS blocklists and firewall rules.
- Check for RAT artifacts. /Library/Caches/com.apple.act.mond on macOS. %PROGRAMDATA%\wt.exe on Windows. /tmp/ld.py on Linux. If found, perform a full rebuild.
- Harden going forward. Enforce npm ci --ignore-scripts in CI/CD. Require lockfile-only installations. Reject packages that lack provenance from projects that previously had it. Check whether legacy tokens coexist with OIDC in your own publishing workflows.
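For the exposure check in the first step, a lockfile search that does more than a text grep: it reports where plain-crypto-js is installed, which package pulls it in, and whether the entry runs an install script. This is an added example, not tooling from the vendors named above; the sample lockfile is constructed and its axios version is a placeholder, not one of the affected releases.

```javascript
// Added example: search a parsed package-lock.json (lockfileVersion 1, 2 or 3)
// for a package by name, covering both lockfile layouts.
function findInLockfile(lock, name) {
  const hits = [];
  // v2/v3 layout: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const installed = path.split("node_modules/").pop();
    if (installed === name) {
      hits.push({ path, via: "installed", version: meta.version,
                  hasInstallScript: Boolean(meta.hasInstallScript) });
    }
    for (const field of ["dependencies", "optionalDependencies"]) {
      if (meta[field] && name in meta[field]) {
        hits.push({ path: path || "(root)", via: field, version: meta[field][name] });
      }
    }
  }
  // v1 layout: nested "dependencies" tree with "requires" edges.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = [...trail, dep].join(" > ");
      if (dep === name) hits.push({ path, via: "installed", version: meta.version });
      if (meta.requires && name in meta.requires) {
        hits.push({ path, via: "requires", version: meta.requires[name] });
      }
      walk(meta.dependencies, [...trail, dep]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile; "0.0.0-placeholder" is not a real affected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^0.0.0-placeholder" } },
    "node_modules/axios": { version: "0.0.0-placeholder",
                            dependencies: { "plain-crypto-js": "^4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

console.log(findInLockfile(SAMPLE_LOCK, "plain-crypto-js"));
```

On a real project, pass in JSON.parse of the package-lock.json contents and treat any hit as the trigger for the rebuild and rotation steps above.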
The credential gap that no one has closed
Three attacks in seven months. Each different in execution, identical in root cause. npm's security model still treats individual maintainer accounts as the ultimate anchor of trust. These accounts remain vulnerable to credential compromise no matter how many layers are added later in the process.
“AI detects risky packages, checks legacy credentials and accelerates SOC response,” Baer said. “But people still control maintainer credentials. We’re mitigating the risk. We’re not eliminating it.”
Mandatory provenance attestation, with manual publishing via the CLI disabled entirely, could have caught this attack before it reached the registry. The same would apply to mandatory multi-party signing, where no single maintainer can push through a release on their own. Neither is enforced today. npm has indicated that disabling tokens by default when trusted publishing is enabled is in the works. Until it ships, any project using OIDC alongside a legacy token has the same blind spot axios had.
The axios maintainer did what the community asked for. The legacy token that no one knew was still active undermined all of it.
