Axios Attack: How To Find Out If Your System Was Compromised

March 31, 2026 · Updated March 31, 2026 · 6 min read · Coding

The Axios npm Package Was Just Hijacked — Here’s How to Check Your System Right Now

A hacker compromised a lead maintainer’s npm token and injected a remote access Trojan into Axios — one of JavaScript’s most popular libraries with over 100 million weekly downloads. Two versions were poisoned. The malware installs in 1.1 seconds and erases itself. Here’s what you need to do right now.

—

Check If You’re Affected

You might have Axios installed without knowing it. You’ve probably never typed npm install axios yourself — but if you’ve ever installed anything that depends on it, it’s on your machine. The average npm project pulls in hundreds of dependencies written by strangers, and Axios is one of the most common.

Two versions were compromised:

  • axios@1.14.1
  • axios@0.30.4

Both have since been removed from npm, but if you ran npm install during the exposure window, the damage may already be done.

Step 1: Check Your Axios Version

Open your terminal and run:

npm list axios

What this does: Lists every installed copy of Axios in your current project, including nested dependencies. If you see 1.14.1 or 0.30.4 in the output, you were exposed.

Step 2: Search Your Entire System

One project might be clean, but you likely have Axios in places you don’t expect. Run this to search everywhere:

find / -name "node_modules" -type d 2>/dev/null | while IFS= read -r dir; do
  if [ -f "$dir/axios/package.json" ]; then
    echo "$dir/axios: $(grep '"version"' "$dir/axios/package.json")"
  fi
done

What this does, line by line:

  • find / -name "node_modules" -type d — Searches your entire filesystem for every node_modules folder
  • 2>/dev/null — Hides permission errors so the output stays clean
  • The while loop (IFS= read -r keeps paths with spaces or backslashes intact) checks each folder for an Axios installation and prints its version

Step 3: Check for the RAT on Your Machine

The malware drops different files depending on your operating system. Check if any of these exist:

On macOS:

ls -la /Library/Caches/com.apple.act.mond

On Windows (PowerShell):

Test-Path "$env:PROGRAMDATA\wt.exe"

On Linux:

ls -la /tmp/ld.py

If any of those files exist, your machine is compromised. Don’t delete them yet — skip to the remediation section below.

Step 4: Check for C2 Server Communication

The malware phones home to a command and control server. Check if your machine has tried to reach it:

grep -r "142.11.206.73" /var/log/ 2>/dev/null

What this does: Searches your system logs for any recorded connection attempts to the attacker’s server at 142.11.206.73. The domain sfrclak.com on port 8000 was used as the C2 endpoint. Note that most machines do not log outbound connections by default, so an empty result is not proof that the machine is clean; if you run a firewall, proxy, or DNS resolver that keeps logs, search those for the IP and the domain as well.

—

If You’re Clean

If none of those checks turned up anything — no bad version, no RAT files, no C2 traffic — you’re likely fine. But take these preventive steps:

  1. Pin your Axios version to a known safe release — 1.14.0 for the 1.x branch or 0.30.3 for the 0.x branch
  2. Delete and reinstall node_modules in any project that might have pulled the bad version during the exposure window
  3. Block the C2 infrastructure at the network level if you manage a team or CI/CD environment — block 142.11.206.73 and sfrclak.com

—

If You’re Compromised

This is not a “delete the file and move on” situation. The RAT gave the attacker full access to your system. Treat it like a break-in.

Immediate Actions

  1. Disconnect the machine from the network — stop any ongoing data exfiltration
  2. Do not just delete the malware files — the attacker already had access, and you don’t know what they touched
  3. Rotate everything:
     • npm tokens
     • SSH keys
     • Cloud provider credentials (AWS, GCP, Azure)
     • CI/CD secrets and deploy keys
     • API keys for every service
     • Database credentials
     • Any passwords stored in plaintext, .env files, or password managers that were unlocked
  4. Check git history for unauthorized commits — the attacker could have pushed code using your credentials
  5. Audit your package-lock.json and any feature branches for references to plain-crypto-js — that’s the malicious dependency that delivered the payload
  6. Rebuild the machine — a fresh OS install is the only way to be sure the system is clean

For Teams and CI/CD

  • Audit all builds that ran during the exposure window
  • Revoke and regenerate all shared secrets and tokens
  • Add --ignore-scripts to CI/CD npm install calls going forward — this prevents post-install scripts from executing automatically, which is exactly how this attack delivered its payload
  • Consider using a lockfile-only install (npm ci instead of npm install) to prevent unexpected version resolution
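The lockfile audit from the checklist above, and a check teams can run against every build's lockfile, as an added Node.js example that is not part of the original post. The compromised versions and the plain-crypto-js name come from the article; the sample lockfile, the demo-app and some-sdk names are constructed. To scan a real file, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to scanLockfile.

```javascript
// Added example (not from the original post): flag the indicators the article
// names inside a package-lock.json. Versions come from the article; the sample is constructed.
const BAD_AXIOS = new Set(['1.14.1', '0.30.4']);
const BAD_DEP = 'plain-crypto-js';

// Flattens a lockfileVersion 1 "dependencies" tree into [path, entry] pairs.
function flattenV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const p = `${prefix}node_modules/${name}`;
    out.push([p, entry]);
    flattenV1(entry.dependencies, `${p}/`, out);
  }
  return out;
}

// Returns one finding per matching entry; an empty array means no indicator matched.
function scanLockfile(lock) {
  const entries = lock.packages
    ? Object.entries(lock.packages).filter(([p]) => p !== '')  // v2/v3: root project is ""
    : flattenV1(lock.dependencies, '', []);                   // v1
  const findings = [];
  for (const [p, entry] of entries) {
    // Package name is whatever follows the last "node_modules/" (keeps scoped names whole).
    const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'axios' && BAD_AXIOS.has(entry.version)) {
      findings.push({ path: p, reason: `compromised axios@${entry.version}` });
    } else if (name === BAD_DEP) {
      findings.push({ path: p, reason: `malicious dependency ${BAD_DEP}@${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample: a transitive dependency pinned the poisoned release while the
// top-level copy stayed on the safe one, so a top-level check alone would miss it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/some-sdk': { version: '2.3.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/some-sdk/node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

In CI, fail the build when scanLockfile returns a non-empty array; the check covers both lockfile formats, so older projects still on lockfileVersion 1 are handled.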

—

How This Attack Worked — The Short Version

Understanding the mechanism helps you spot similar attacks in the future.

The attacker compromised the npm access token of a lead Axios maintainer. With that token, they published two poisoned versions. But here’s the clever part — they never added malicious code to Axios itself.

Instead, they added a single new dependency to package.json: a package called plain-crypto-js. It looks innocent — an average code reviewer would assume it’s a crypto utility. But plain-crypto-js was never imported by any of Axios’s 86 source files. It existed solely to run its post-install script.

That post-install script — which runs automatically when you npm install — drops a file called setup.js. It looks like math, but it’s hiding two layers of obfuscation using XOR and reversed Base64. Once decoded, it detects your operating system, contacts the attacker’s command and control server, and downloads a remote access Trojan specific to your platform.

The whole thing takes 1.1 seconds. Then it cleans up — deletes setup.js, replaces the malicious package.json with a clean copy that was pre-staged 18 hours earlier, and leaves no trace.

Think of it like a supply chain attack on coffee. The attacker didn’t poison your cup — they poisoned the beans at the roaster. Every coffee shop that buys from that roaster serves poisoned coffee, and none of them know it.

—

Quick Reference

Item                      Details
Compromised versions      axios@1.14.1, axios@0.30.4
Safe versions             axios@1.14.0, axios@0.30.3
Malicious dependency      plain-crypto-js@4.2.1
C2 server IP              142.11.206.73
C2 domain                 sfrclak.com:8000
macOS RAT location        /Library/Caches/com.apple.act.mond
Windows RAT location      %PROGRAMDATA%\wt.exe
Linux RAT location        /tmp/ld.py
Check your version        npm list axios
Prevent auto-scripts      npm install --ignore-scripts
Lockfile-only install     npm ci (instead of npm install)

—

Written by Michael Henry
