Axios npm Supply Chain Attack: RAT Deployed via 100M-Download Package

On March 30, 2026, attackers hijacked the npm account of the primary maintainer of Axios — the most popular JavaScript HTTP client with over 100 million weekly downloads — and published two malicious versions that silently dropped a cross-platform remote access trojan (RAT) onto developer machines. For Saudi financial institutions running Node.js-based digital banking platforms, payment gateways, and internal tools, this incident is a direct wake-up call about software supply chain risk.

How the Axios Supply Chain Attack Unfolded

Security researchers at StepSecurity detected that two rogue versions — axios@1.14.1 and axios@0.30.4 — were published to npm within 39 minutes of each other. The attacker compromised the jasonsaayman npm account (the project's sole publishing maintainer), changed the registered email to an attacker-controlled ProtonMail address (ifstap@proton.me), and pushed the poisoned releases before anyone noticed. Both malicious versions injected a new dependency called plain-crypto-js@4.2.1, a package that was never part of the legitimate Axios codebase. Its only purpose: execute a postinstall script that acts as a RAT dropper targeting Windows, macOS, and Linux simultaneously.

Technical Breakdown: Self-Destructing RAT Dropper

The attack demonstrated exceptional operational sophistication. The dropper script (setup.js) downloaded platform-specific second-stage payloads from a command-and-control server at sfrclak.com:8000, executed them, then self-cleaned by deleting itself and restoring a legitimate package.json. The second-stage payloads functioned as lightweight RATs that beaconed to the C2 server every 60 seconds, transmitting full system inventory — hostname, OS version, user privileges, running processes — and awaiting further commands. Every artifact was designed to self-destruct, making forensic detection significantly harder. The malicious versions were live for approximately 2–3 hours before npm removed them, but automated CI/CD pipelines with loose version pinning could have pulled the compromised packages during that window.

Why Saudi Financial Institutions Are Especially Exposed

Saudi banks, fintech companies, insurance firms, and payment processors increasingly rely on JavaScript and Node.js for customer-facing applications, API gateways, and internal microservices. Axios is ubiquitous in these stacks — it handles HTTP requests for everything from mobile banking backends to third-party API integrations with SADAD, Mada, and open banking platforms. A compromised developer workstation with access to production credentials, cloud provider keys, or database connection strings represents a catastrophic breach scenario. Under the SAMA Cyber Security Framework (CSCC), Domain 3 (Cybersecurity Operations and Technology) explicitly requires organizations to manage third-party and supply chain risks. NCA's Essential Cybersecurity Controls (ECC-1:2018, Control 2-4-2) mandate software integrity verification throughout the development lifecycle. Financial entities that pulled the compromised Axios versions into their build pipelines — even briefly — must treat this as a potential incident requiring formal investigation under SAMA's incident reporting requirements.

The Broader Supply Chain Threat Landscape in 2026

This is not an isolated incident. The Axios compromise follows the GlassWorm campaign that has infected over 72 Open VSX extensions with 9 million combined installs since January 2026, targeting developer environments with credential stealers and cryptocurrency drainers. Research from Rapid7 confirms that the median time between vulnerability disclosure and active exploitation has dropped from 8.5 days to just 5.0 days. Attackers are systematically targeting the software supply chain because a single compromised package can cascade across thousands of organizations. For Saudi regulated entities, these events underscore a hard truth: your security posture is only as strong as the weakest dependency in your software stack.

Immediate Actions and Recommendations

1. Audit your dependency tree now. Run npm ls axios across all projects and CI/CD pipelines. If axios@1.14.1 or axios@0.30.4 was ever resolved, treat the build environment and any associated credentials as compromised. Rotate all secrets, API keys, and tokens that were accessible from affected machines.
2. Enforce version pinning and lockfile integrity. Use exact version pinning in package.json (no caret ^ or tilde ~ ranges for critical dependencies) and verify package-lock.json integrity in CI pipelines. Enable npm's --ignore-scripts flag by default and whitelist postinstall scripts explicitly.
3. Deploy a private registry or proxy. Tools like Artifactory, Verdaccio, or npm Enterprise allow you to mirror approved packages internally, scan for malicious code before consumption, and block unapproved versions from reaching developer machines.
4. Implement Software Composition Analysis (SCA). Integrate SCA tools such as Snyk, Socket.dev, or Sonatype Nexus into your CI/CD pipeline to detect malicious packages, known vulnerabilities, and suspicious dependency changes before they reach production.
5. Enable multi-factor authentication for all package registries. The Axios attack succeeded because a single maintainer account lacked adequate protection. Ensure all npm, PyPI, and other registry accounts used by your organization enforce MFA and are monitored for unauthorized email or credential changes.
6. Review SAMA CSCC Domain 3 compliance. Verify that your third-party risk management program explicitly covers open-source software dependencies, not just commercial vendors. Document your supply chain security controls and update your risk register to reflect this attack vector.

Conclusion

The Axios supply chain compromise is a textbook example of how a single hijacked maintainer account can weaponize a trusted package against millions of downstream consumers. Saudi financial institutions cannot afford to treat open-source dependency management as an afterthought — SAMA and NCA frameworks demand proactive supply chain security, and attackers are clearly targeting the exact tools and libraries that power modern banking infrastructure. The organizations that survive these threats are those that build security into every stage of their software development lifecycle, from dependency resolution to production deployment.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a supply chain security review tailored to your development environment.