
Axios npm Supply Chain Attack: What It Is, Who Did It, and What You Must Do Now


If you use JavaScript to build websites or apps — or you know someone who does — there is an urgent security alert you need to know about. A popular tool called Axios, used by over 70 million developers every week, was secretly poisoned by hackers on March 31, 2026. This is what security experts call a supply chain attack — and it’s one of the sneakiest, most dangerous types of cyberattack out there.

Microsoft’s security team discovered and published details of the attack on April 1, 2026. Here’s everything you need to know — in plain English.

What Is Axios and Why Should You Care?

Think of Axios as a messenger. Developers use it to send and receive data between websites and servers — things like logging into an app, fetching your bank balance, or loading your social media feed. It’s one of the most widely used tools in web development, with over 70 million downloads every single week.

Because so many apps depend on Axios, it became the perfect target. Hackers didn’t need to break into your computer directly — they just needed to poison the tool developers were already using.

What Happened? The Attack Explained Simply

On March 31, 2026, attackers secretly released two fake, malicious versions of Axios — versions 1.14.1 and 0.30.4. These looked identical to the real, safe versions. The code inside Axios itself wasn’t changed — everything appeared normal. Instead, the attackers snuck in a hidden extra package called plain-crypto-js that ran automatically the moment a developer installed the update.

Here’s the truly alarming part: no one had to click anything. No phishing link. No suspicious attachment. The moment the package was installed, the malware silently activated in the background and connected to a hacker-controlled server to download a remote access trojan (RAT) — essentially giving the attackers full control of the infected computer.

What Is a Supply Chain Attack?

Imagine you trust a food supplier to deliver fresh ingredients to your restaurant. Instead of breaking into your kitchen directly, an attacker poisons the ingredient supply before it even reaches you. You cook with the contaminated ingredients without knowing anything is wrong — and your customers get sick.

A software supply chain attack works the same way. Attackers target the tools and packages that developers already trust and use, rather than attacking end-users directly. This makes them extremely hard to detect and dangerous at scale.

Who Is Behind This Attack?

Microsoft’s security researchers have attributed this attack to Sapphire Sleet — a North Korean state-sponsored hacking group that has been active since at least 2020. This isn’t a random criminal gang. This is a government-backed operation.

Sapphire Sleet has a specific focus: stealing cryptocurrency and financial data. They’ve previously targeted banks, crypto exchanges, venture capital firms, and blockchain companies — primarily in the United States, and across Asia and the Middle East. They are also known by other names in the security community, including BlueNoroff and UNC1069.

Their typical playbook involves reaching out on LinkedIn, posing as investors or recruiters, and luring developers into downloading malicious files disguised as legitimate documents or software. This npm attack follows that same philosophy — abuse trust to get in the door.

What Did the Malware Actually Do?

Once the malicious Axios version was installed, a hidden program silently connected to the attackers’ server and downloaded a Remote Access Trojan (RAT) — a type of malware that lets attackers control your computer from anywhere in the world.

The malware was designed to work on all three major operating systems:

  • Windows — dropped a hidden PowerShell script that survives reboots by adding itself to Windows startup
  • macOS — installed a hidden binary disguised as a legitimate Apple system process
  • Linux — dropped a Python script that runs silently in the background

Once installed, the RAT could:

  • Spy on everything on the infected machine
  • Steal saved passwords, API keys, crypto wallet credentials, and secrets from code repositories
  • Execute commands remotely — the attacker has full keyboard-level control
  • Download and run even more malware
  • Cover its tracks by deleting evidence of the initial infection

What makes this especially nasty: after installation, the malware deleted the files that showed how it got there — making forensic investigation much harder.

Who Is at Risk?

You’re at risk if any of the following apply:

  • You are a developer who uses Axios in your JavaScript or Node.js projects
  • Your project has axios listed in its package.json with a ^ or ~ before the version number (e.g. "axios": "^1.14.0") — this means it auto-updates
  • You ran npm install or npm update after March 31, 2026
  • Your automated build system (CI/CD pipeline) installed or updated packages recently
  • You work with cryptocurrency, financial data, or sensitive credentials stored on your development machine

The affected versions are axios 1.14.1 and axios 0.30.4. If you are on any other version, you are not directly affected — but keep reading, because the protective steps below matter regardless.
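To make the risk checklist above concrete, here is a small Node script that reads a project's package.json and package-lock.json and reports two things: whether an affected axios version is actually installed, and whether the declared range (exact, ^ or ~) would let npm pull one in on the next install. It is an added example, not code from the article or from the axios project; it handles only the three common range forms, reports anything else as "unknown", and the sample inputs at the bottom are constructed.

```javascript
// Added example (not from the article or the axios project): assess exposure
// to the poisoned axios releases named in the post. Operates on the parsed
// contents of package.json and package-lock.json; plain Node, no modules.

const AFFECTED_AXIOS = ['1.14.1', '0.30.4']; // versions named in the article

// Parse "MAJOR.MINOR.PATCH" into numbers; null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Does a package.json range (exact, ^ or ~) allow the given version?
// Only those three forms are handled; any other range string returns
// 'unknown' so the caller reviews it by hand instead of assuming it is safe.
function rangeAllows(range, version) {
  const r = String(range).trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const v = parseVersion(version);
  if (!base || !v) return 'unknown';
  const atLeastBase =
    v[0] > base[0] ||
    (v[0] === base[0] && (v[1] > base[1] || (v[1] === base[1] && v[2] >= base[2])));
  if (op === '') return v[0] === base[0] && v[1] === base[1] && v[2] === base[2];
  if (op === '~') return atLeastBase && v[0] === base[0] && v[1] === base[1]; // ~x.y.z keeps the minor
  if (base[0] === 0 && base[1] === 0) return v[0] === 0 && v[1] === 0 && v[2] === base[2]; // ^0.0.z pins the patch
  if (base[0] === 0) return atLeastBase && v[0] === 0 && v[1] === base[1]; // ^0.y.z keeps the minor
  return atLeastBase && v[0] === base[0]; // ^x.y.z keeps the major
}

// Installed axios version from a lockfile: v2/v3 "packages" map or v1 "dependencies".
function installedAxiosVersion(lock) {
  if (lock.packages && lock.packages['node_modules/axios']) return lock.packages['node_modules/axios'].version;
  if (lock.dependencies && lock.dependencies.axios) return lock.dependencies.axios.version;
  return null;
}

// Combine both views: what is installed now, and what the range could fetch later.
function assessAxiosRisk(pkg, lock) {
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const range = deps.axios || null;
  const installed = lock ? installedAxiosVersion(lock) : null;
  // 'unknown' ranges are kept in the list so they are not silently treated as safe.
  const exposedTo = range ? AFFECTED_AXIOS.filter((v) => rangeAllows(range, v) !== false) : [];
  return {
    declaredRange: range,
    installedVersion: installed,
    installedIsAffected: AFFECTED_AXIOS.includes(installed),
    rangeCouldPullAffected: exposedTo,
  };
}

// Constructed sample inputs (not real project files): a caret range plus a
// lockfile that already resolved to the affected 1.14.1.
const SAMPLE_PKG = { name: 'demo-app', dependencies: { axios: '^1.14.0' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { '': { name: 'demo-app' }, 'node_modules/axios': { version: '1.14.1' } },
};

console.log(JSON.stringify(assessAxiosRisk(SAMPLE_PKG, SAMPLE_LOCK), null, 2));
```

On the sample input the report shows the installed 1.14.1 as affected and the ^1.14.0 range as one that could pull 1.14.1 again; the same function with an exact "1.14.0" range returns an empty rangeCouldPullAffected list, which is the point of step 6 in the checklist below. To run it against a real project, replace the two constants with JSON.parse of the project's package.json and package-lock.json.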

What Should You Do Right Now?

If You’re a Developer

  1. Check your Axios version immediately. Run npm list axios in your project folder. If it shows 1.14.1 or 0.30.4, you are affected.
  2. Downgrade to a safe version right away. Run: npm install axios@1.14.0 or npm install axios@0.30.3
  3. Clear your npm cache: npm cache clean --force
  4. Rotate all your secrets and credentials — API keys, tokens, passwords, crypto wallet keys — especially anything stored on or accessible from the affected machine.
  5. Check your network logs for any connections to sfrclak.com or IP 142.11.206.73 on port 8000. If you see these, your system was compromised.
  6. Pin your Axios version. Remove the ^ from your package.json: change "axios": "^1.14.0" to "axios": "1.14.0" — no caret means no auto-updates.
  7. Disable automated dependency bots (Dependabot, Renovate) for Axios until further notice.
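Steps 5 and 6 are the ones most easily automated. The script below, an added example that is not code from the article or from the axios project, scans plain-text log lines for the two indicators the post names (the domain sfrclak.com, and 142.11.206.73 together with port 8000) and rewrites the axios entry in a package.json object to an exact pin. The log format is an assumption (one event per line, key=value fields); the sample lines are constructed and use documentation and private address ranges for everything other than the quoted indicators.

```javascript
// Added example (not from the article or the axios project): find the two
// indicators the post names in ordinary text logs, and pin the axios range in
// package.json to an exact version. Plain Node, no modules.

// Indicators quoted in the article.
// The domain must stand alone as a host label so "notsfrclak.com" does not
// match, while "cdn.sfrclak.com" does.
const IOC_DOMAIN_RE = /(?:^|[^A-Za-z0-9-])sfrclak\.com(?![A-Za-z0-9-])/;
const IOC_IP_RE = /(?:^|[^0-9.])142\.11\.206\.73(?![0-9])/;
const IOC_IP_PORT_RE = /142\.11\.206\.73:8000(?![0-9])/;
// Some firewalls log the port as a separate field (assumed field names).
const PORT_FIELD_RE = /\b(?:dport|dst_port|port)=8000\b/;

// Classify one log line. A domain hit, or the IP together with port 8000, is
// a confirmed match; the IP on another port is flagged for review because the
// article only names port 8000.
function classifyLine(line) {
  const domain = IOC_DOMAIN_RE.test(line);
  const ip = IOC_IP_RE.test(line);
  const port = ip && (IOC_IP_PORT_RE.test(line) || PORT_FIELD_RE.test(line));
  if (domain || (ip && port)) return { domain, ip, port, severity: 'confirmed' };
  if (ip) return { domain, ip, port, severity: 'review' };
  return null;
}

// Scan an array of lines; return the hits with 1-based line numbers.
function scanLogs(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const c = classifyLine(line);
    if (c) hits.push({ lineNo: i + 1, line, ...c });
  });
  return hits;
}

// Return a copy of package.json with axios pinned to an exact version in both
// dependencies and devDependencies (step 6). The input is left untouched so
// the caller can diff the two objects before writing the file back.
function pinAxios(pkg, version) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const field of ['dependencies', 'devDependencies']) {
    if (out[field] && out[field].axios) out[field].axios = version;
  }
  return out;
}

// Constructed sample log lines (not real traffic). Addresses other than the
// quoted indicators come from documentation (192.0.2.0/24, 203.0.113.0/24)
// and private (10.0.0.0/8) ranges.
const SAMPLE_LOG = [
  '2026-04-01T09:12:03Z proxy host=registry.npmjs.org dst=192.0.2.10:443 action=allow',
  '2026-04-01T09:12:41Z dns query=sfrclak.com type=A client=10.0.0.12',
  '2026-04-01T09:12:42Z fw src=10.0.0.12 dst=142.11.206.73:8000 proto=tcp action=allow',
  '2026-04-01T09:13:10Z fw src=10.0.0.12 dst=142.11.206.73:443 proto=tcp action=deny',
  '2026-04-01T09:14:00Z proxy host=notsfrclak.com dst=203.0.113.5:443 action=allow',
];

for (const hit of scanLogs(SAMPLE_LOG)) {
  console.log(`line ${hit.lineNo} [${hit.severity}]: ${hit.line}`);
}
console.log(JSON.stringify(pinAxios({ dependencies: { axios: '^1.14.0' } }, '1.14.0')));
```

On the sample lines the DNS query (line 2) and the connection to 142.11.206.73:8000 (line 3) are reported as confirmed, the connection to the same IP on port 443 (line 4) is flagged for review, and the look-alike host on line 5 is ignored. A real run would feed it the lines of a proxy, DNS or firewall export, and a single confirmed hit is enough to treat that machine as compromised and start the credential rotation in step 4.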

If You’re a Business Owner or IT Manager

  1. Alert your development team immediately and share this post.
  2. Audit all applications and CI/CD pipelines that use Axios.
  3. Treat any machine that installed the affected versions as potentially compromised — isolate, scan, and rebuild if necessary.
  4. Review your software supply chain security policy — do you know what third-party packages your apps depend on?

The Bigger Lesson: Supply Chain Attacks Are the New Normal

This attack is part of a growing trend. Modern software is built on top of thousands of open-source packages — tools written by other developers that everyone shares and reuses. This is incredibly efficient, but it creates a massive security blind spot: if any one of those packages is compromised, every app that uses it is instantly at risk.

We’ve seen this pattern before — the SolarWinds attack in 2020, the XZ Utils backdoor in 2024, and now the Axios npm compromise in 2026. Each time, attackers target the supply chain rather than individual victims, because the payoff is enormous: one poisoned package can infect millions of machines.

The takeaway for everyone — developer or not — is that cybersecurity is no longer just about avoiding suspicious emails or sketchy websites. The software tools we trust are themselves becoming attack vectors. Organizations must:

  • Know what’s in their software (this is called a Software Bill of Materials, or SBOM)
  • Pin dependency versions and avoid blind auto-updates
  • Monitor outbound network traffic from development and production systems
  • Treat developer machines as high-value targets — they often hold the keys to the kingdom

Quick Summary

  • What: Axios npm package versions 1.14.1 and 0.30.4 were poisoned with malware
  • When: March 31, 2026 — discovered and disclosed by Microsoft on April 1, 2026
  • Who did it: Sapphire Sleet — a North Korean state-sponsored hacking group
  • Goal: Steal credentials, crypto wallets, and gain remote access to developer machines
  • Safe versions: axios 1.14.0 or 0.30.3 (or earlier)
  • What to do: Downgrade, rotate secrets, check for C2 connections, pin your versions

Stay tuned to InformBytes for the latest cybersecurity news explained simply. If this post helped you, share it with a developer you know — it could save them from a very bad day.
