Threat Intelligence · April 1, 2026 · 7 min read

The Axios Supply Chain Attack: Anatomy of an npm RAT

On March 30, compromised versions of axios hit npm. A 2-layer obfuscation chain deployed platform-specific RATs to iOS, Windows, and Linux. Here is the full breakdown.

TL;DR

  • On March 30, 2026, attackers compromised axios on npm. If your agent stack runs npm install, this is the attack pattern that targets you.
  • A 2-layer obfuscation chain deployed platform-specific RATs for iOS, Windows, and Linux. The first stage ran entirely in memory, bypassing endpoint detection.
  • 68% of confirmed threats across repos Firmis has scanned are supply chain. This is the most common way agent stacks get compromised.
  • Firmis supply chain rules catch postinstall hook abuse and compromised packages before they execute on your machine.

On March 30, 2026, two versions of axios landed on npm: v1.14.1 and v0.30.4. Both looked legitimate. Both were carrying a remote access trojan. The attack was quiet, technically layered, and designed to survive forensic analysis. This is a full breakdown of how it worked.

What Happened

  • Compromised axios versions: 2
  • Platforms targeted: 3
  • Obfuscation layers: 2
  • Date of compromise: Mar 30

The attack did not modify axios source code directly. Instead, the compromised versions introduced a new transitive dependency: plain-crypto-js@4.2.1. That package contained a malicious postinstall hook that triggered silently on every npm install.

Active IOCs: Patch or Isolate Immediately
Affected packages: axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1
C2 domain: sfrclak.com
If any of these appear in your dependency tree, treat the host as compromised until proven otherwise.

Attack Flow: Step by Step

  1. Dependency injection: Attacker publishes compromised axios versions that list plain-crypto-js@4.2.1 as a dependency. The package name implies cryptography tooling and raises no immediate flags.

  2. postinstall hook fires: npm executes the postinstall script in plain-crypto-js automatically during install. No user interaction required. This is standard npm behavior abused as an execution primitive.

  3. First-stage decode (in memory): The hook decodes a first-stage loader entirely in memory. No file is written to disk at this point, defeating file-system-based detection and basic forensic tooling.

  4. Second-stage fetch from C2: The loader identifies the host OS and fetches a platform-specific binary from sfrclak.com. iOS, Windows, and Linux each receive a tailored payload.

  5. RAT installation and persistence: The RAT establishes persistence using native mechanisms: crontab on Linux, LaunchAgent plist on macOS, Registry Run keys on Windows. Anti-forensics routines attempt to erase execution traces.

The payload never touched disk in stage one. That alone bypasses most endpoint detection deployed in developer environments.

Why AI Agent Stacks Are Especially Exposed

Supply chain attacks against npm are not new. What has changed is the blast radius when they hit an AI agent stack. Agent frameworks such as LangChain, CrewAI, and Vercel AI SDK pin dependencies loosely, often with caret ranges. A single npm install in a freshly cloned agent repo can silently pull compromised transitive dependencies with no warning.

  • Firmis findings from supply chain: 68%
  • Agent repos in sample: 56
  • bolt.new supply chain vulns: 17

In a Firmis scan of 56 agent repositories, 68% of confirmed threats were supply chain issues, not tool poisoning or prompt injection. If you run an agent stack with npm dependencies, supply chain is your most likely attack vector. Stale version pins are the primary entry point. An audit of bolt.new found 17 confirmed vulnerabilities, all tracing back to outdated Vite, Remix, Wrangler, and Vercel AI SDK pins, each of which had known CVEs at the time of scanning. A single npx firmis-cli init would have flagged every one before deployment.

Code Generation Agents: The Highest-Risk Case
Agents that run npm install as part of their workflow, such as code generation and scaffolding agents, execute postinstall hooks automatically. A compromised dependency in a generated project runs on the agent host, not in a sandbox. The RAT reaches the machine running the agent.

What Firmis Detects

Firmis supply chain rules flag this class of attack at three points in the chain, before a payload executes.

Dependency Audit

Flags known-compromised packages and transitive dependencies with postinstall hooks in agent config files and package-lock.json.

Hook Pattern Analysis

Static analysis of postinstall scripts detects network fetch patterns, base64 decode chains, and in-memory execution primitives characteristic of 2-stage loaders.

Runtime Monitor

Passive monitoring detects postinstall execution events and unexpected outbound connections during install, including attempts to reach known C2 infrastructure.
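
A minimal version of the hook pattern analysis described above, as an added example that is not Firmis's rule set or code from the original page: it scans a package's install-time lifecycle scripts for a decode or network step feeding dynamic execution. The regexes, function name and sample packages are assumptions made for illustration.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic signatures (assumptions for this example, not a vendor rule set).
const SIGNATURES = {
  network: /\bfetch\s*\(|require\(\s*['"](?:node:)?(?:https?|net|dns)['"]\s*\)|\b(?:curl|wget)\b/,
  decode: /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(/,
  dynamicExec: /\beval\s*\(|new\s+Function\s*\(|\bvm\.runIn\w+\s*\(|require\(\s*['"](?:node:)?child_process['"]\s*\)/,
};

// pkg: parsed package.json; files: { relativePath: sourceText } from the tarball.
function analyzeInstallHooks(pkg, files) {
  const results = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    // Scan the command line itself plus any JS file it hands to node.
    let text = cmd;
    const m = cmd.match(/\bnode\s+(?:\.\/)?([\w./-]+\.c?js)\b/);
    if (m && files[m[1]] !== undefined) text += "\n" + files[m[1]];
    const hits = Object.keys(SIGNATURES).filter((k) => SIGNATURES[k].test(text));
    // A decode or download step feeding dynamic execution is the loader shape.
    const loaderLike = hits.includes("dynamicExec") &&
      (hits.includes("decode") || hits.includes("network"));
    results.push({ hook, cmd, hits, loaderLike });
  }
  return results;
}

// Constructed sample inputs (inert strings, not taken from the real package).
const SUSPECT_PKG = { name: "example-suspect", scripts: { postinstall: "node setup.js" } };
const SUSPECT_FILES = {
  "setup.js": "const https = require('https');\n" +
    "const stage = Buffer.from(BLOB, 'base64').toString();\n" +
    "new Function(stage)();\n",
};
const BENIGN_PKG = { name: "example-native", scripts: { install: "node-gyp rebuild", test: "jest" } };
```

To get a package's files on disk for this kind of review without running its hooks, install with npm's `--ignore-scripts` flag.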

Scan your agent stack now
$ npx firmis-cli init

Indicators of Compromise

IOC Reference

Malicious package: plain-crypto-js@4.2.1
C2 domain: sfrclak.com
Affected version 1: axios@1.14.1
Affected version 2: axios@0.30.4
Persistence (Linux): crontab entry injected post-install
Persistence (macOS): LaunchAgent plist in ~/Library/LaunchAgents
Persistence (Windows): HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Immediate Actions

Response Checklist

  • Pin axios to v1.8.4 or earlier (last known-clean minor) until the official axios team publishes a verified clean release
  • Audit your full dependency tree: npm ls plain-crypto-js to check for the compromised transitive dep
  • Block sfrclak.com at your network perimeter and DNS resolver
  • If plain-crypto-js@4.2.1 was installed, treat the host as compromised: rotate credentials, revoke tokens, check persistence mechanisms for your OS
  • Run npx firmis-cli init on any agent repo to surface stale or flagged dependency pins before they ship
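
The dependency-tree audit from the checklist, as an added example rather than code from the original page or from Firmis: it walks a parsed package-lock.json (lockfileVersion 2 or 3) for the affected versions listed above and for any package npm marked with hasInstallScript. Function names and the sample lockfile are constructed for illustration.

```javascript
// Known-bad versions, copied from the IOC list on this page.
const COMPROMISED = new Map([
  ["axios", ["1.14.1", "0.30.4"]],
  ["plain-crypto-js", ["4.2.1"]],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("no 'packages' map: lockfileVersion 2 or 3 required");
  }
  const findings = { compromised: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    const name = meta.name || nameFromKey(path);
    const id = `${name}@${meta.version}`;
    if ((COMPROMISED.get(name) || []).includes(meta.version)) {
      findings.compromised.push({ id, path });
    }
    // npm records hasInstallScript for packages with install-time hooks.
    if (meta.hasInstallScript) findings.installScripts.push({ id, path });
  }
  return findings;
}

// Constructed sample lockfile; package names other than the IOCs are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-agent", version: "0.1.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/example-sdk": { version: "2.0.0" },
    "node_modules/example-sdk/node_modules/axios": { version: "0.27.2" },
  },
};
```

Because it reads the lockfile rather than node_modules, the check can run on a freshly cloned repo before any npm install has executed a hook.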

Supply chain attacks succeed because developers trust their package manager. The postinstall hook is code execution you agreed to when you ran npm install.

The axios incident follows a well-established template: popular package, compromised version, postinstall hook, in-memory decode, C2 fetch. The attack pattern is repeatable and the next target is already in someone's node_modules. Agent stacks that install dependencies at runtime are running this risk on every build.

Firmis supply chain detection covers this class of attack across any agent platform. One scan surfaces outdated pins, known-compromised packages, and postinstall hook patterns before they reach a production host.

