Global Impact of an Axios Supply Chain Attack

Summary: Palo Alto Networks describes a supply chain attack on Axios that had an impact across multiple sectors in the United States, Europe, the Middle East, and Oceania.

Unit 42 details a global supply chain attack that affected multiple sectors through Axios, a widely used JavaScript library for HTTP communications. The breach began with the theft of the maintainer’s npm account, which allowed the attacker to publish the malicious versions v1.14.1 and v0.30.4.

These updates included plain-crypto-js@4.2.1 as a hidden dependency. According to the analysis, this component acted as a remote access trojan (RAT) with reconnaissance and persistent installation capabilities on Windows, macOS, and Linux systems, significantly expanding the potential damage beyond the moment of the initial download.

The case illustrates how a compromise in a widely adopted package can turn into a cross-sector vector for organizations in different geographies, even when the malicious change arrives disguised as a legitimate update.

Key facts

  • Axios is a widely used JavaScript library for HTTP communications on both client and server.
  • The attacker published the compromised versions v1.14.1 and v0.30.4, introducing plain-crypto-js@4.2.1 as a hidden dependency.
  • plain-crypto-js acted as a remote access trojan (RAT) with reconnaissance and persistence capabilities on Windows, macOS, and Linux systems.
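
A lockfile check for the versions listed above, as an added example that is not code from Unit 42 or the Axios project: it scans a parsed package-lock.json for the flagged versions, covering both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1. The function names and the sample lockfile are constructed for illustration.

```javascript
// Versions named in the report summarized above.
const FLAGGED = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{ name, version, location }] for each flagged entry in a parsed lockfile.
function findFlagged(lock) {
  const found = [];
  const check = (name, version, location) => {
    if ((FLAGGED.get(name) || []).includes(version)) found.push({ name, version, location });
  };
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path; "" is the project itself.
    // entry.name is present when the folder name differs from the package name (aliases).
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") check(entry.name || nameFromPath(path), entry.version, path);
    }
  } else {
    // Lockfile v1: nested tree, so transitive copies must be walked recursively.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const location = trail ? `${trail} > ${name}` : name;
        check(name, entry.version, location);
        walk(entry.dependencies, location);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/legacy/node_modules/axios": { version: "0.27.2" },
  },
};
console.log(findFlagged(SAMPLE_LOCK));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findFlagged`; an empty array means none of the listed versions are pinned in that lockfile.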

Why it matters

The attack demonstrates that a single compromised account in the dependency ecosystem can scale to a global issue with immediate impacts on development, operations, and security.