The Axios Supply Chain Attack: What DevOps Teams Need to Know
On March 31, 2026, attackers compromised an axios npm maintainer account and published two backdoored versions, 1.14.1 and 0.30.4, each carrying a malicious dependency called plain-crypto-js. That dependency runs a postinstall script which downloads and executes a remote access trojan on macOS, Windows, and Linux, then erases its own traces.

Safe versions are axios@1.14.0 and axios@0.30.3.

Immediate steps:
- Check lockfiles for the malicious versions (axios 1.14.1 or 0.30.4).
- Search network logs for connections to sfrclak.com.
- Rotate all credentials if a compromised version was installed, and rebuild from clean environments.

Prevention measures:
- Always use npm ci in CI pipelines.
- Disable postinstall scripts with --ignore-scripts.
- Pin exact dependency versions.
- Run npm audit.
- Use a dependency scanning tool such as Socket or Snyk.
- Enable 2FA in auth-and-writes mode on npm accounts.
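The two checks above (lockfile versions and network logs) can be scripted so they run across many repositories and CI hosts. The following is an added example, not code from the write-up or the axios project: it walks an npm package-lock.json in both the flat "packages" layout (lockfileVersion 2/3) and the nested "dependencies" layout (lockfileVersion 1), flags the two malicious axios versions and the plain-crypto-js package, and scans log lines for sfrclak.com or any subdomain of it. It also goes one step beyond the write-up by listing every package npm marked hasInstallScript, since those are the packages whose postinstall hooks would run without --ignore-scripts. The lockfile fragment and log lines are constructed for the example; the 1.0.0 version on plain-crypto-js and the other non-axios versions are placeholders.

```python
"""Added example (not from the write-up): scan an npm lockfile and network log
lines for the indicators the write-up names. Sample inputs are constructed."""
import json
import re

# Indicators as stated in the write-up.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_PACKAGE = "plain-crypto-js"
MALICIOUS_DOMAIN = "sfrclak.com"


def _package_name(path):
    # lockfileVersion 2/3 keys look like "node_modules/axios" or
    # "node_modules/foo/node_modules/@scope/pkg"; the name follows the last "node_modules/".
    return path.rsplit("node_modules/", 1)[-1]


def find_lockfile_hits(lock):
    """Return sorted (name, version) pairs matching the indicators.

    Covers the flat "packages" map of lockfileVersion 2/3 and the nested
    "dependencies" tree of lockfileVersion 1 (v2 files carry both)."""
    hits = set()

    def check(name, version):
        if name == "axios" and version in MALICIOUS_AXIOS_VERSIONS:
            hits.add((name, version))
        elif name == MALICIOUS_PACKAGE:
            hits.add((name, version))

    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project entry, not a dependency
            check(_package_name(path), meta.get("version", ""))

    def walk(deps):
        for name, meta in deps.items():
            check(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def packages_with_install_scripts(lock):
    """Names of lockfileVersion 2/3 entries that npm flagged hasInstallScript.

    These are the packages whose preinstall/install/postinstall hooks run on a
    plain `npm ci`; review any you do not expect before installing without
    --ignore-scripts."""
    return sorted(_package_name(p) for p, m in lock.get("packages", {}).items()
                  if p and m.get("hasInstallScript"))


# Match the domain itself or any subdomain, but not a longer name that merely
# ends in the same characters (e.g. "notsfrclak.com").
_DOMAIN_RE = re.compile(
    r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*" + re.escape(MALICIOUS_DOMAIN) + r"(?![A-Za-z0-9-])"
)


def find_domain_hits(lines):
    """Return the log lines that reference the malicious domain."""
    return [line for line in lines if _DOMAIN_RE.search(line)]


# Constructed lockfileVersion 3 fragment: a caret range on axios resolved to the
# bad 1.14.1, which is exactly what pinning exact versions prevents.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "1.0.0", "hasInstallScript": true},
    "node_modules/follow-redirects": {"version": "1.15.9"}
  }
}""")

# Constructed proxy/DNS log lines from a CI runner.
SAMPLE_LOG = [
    "2026-03-31T14:02:11Z ci-runner-7 proxy CONNECT registry.npmjs.org:443 200",
    "2026-03-31T14:02:13Z ci-runner-7 dns A sfrclak.com",
    "2026-03-31T14:02:14Z ci-runner-7 proxy CONNECT cdn.sfrclak.com:443 200",
    "2026-03-31T14:02:20Z ci-runner-7 proxy CONNECT notsfrclak.com:443 200",
]

if __name__ == "__main__":
    print("lockfile hits:", find_lockfile_hits(SAMPLE_LOCK))
    print("packages with install scripts:", packages_with_install_scripts(SAMPLE_LOCK))
    print("log hits:", *find_domain_hits(SAMPLE_LOG), sep="\n  ")
```

On the sample data the lockfile scan reports axios 1.14.1 and plain-crypto-js, the install-script listing reports only plain-crypto-js, and the log scan returns the two lines touching sfrclak.com while leaving the unrelated notsfrclak.com line alone. To run it against a real repository, replace SAMPLE_LOCK with json.load(open("package-lock.json")) and feed your proxy or DNS export to find_domain_hits.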