On March 31, 2026, Axios—the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly npm downloads and a presence in roughly 80% of cloud environments—was compromised via a hijacked maintainer account. Two malicious versions (1.14.1 and 0.30.4) delivered a cross-platform remote access trojan (RAT) that harvested credentials, SSH keys, cloud tokens, and API secrets from every machine where they were installed. The attack was characterized by security researchers as espionage-grade, not financially motivated. It is the fifth major open-source supply chain attack in March 2026 alone. This article examines the technical details, the downstream enterprise impact, and why self-hosted platforms with server-side credential management—like DreamFactory, a secure, self-hosted enterprise data access platform that provides governed API access to any data source, connecting enterprise applications and on-prem LLMs with role-based access and identity passthrough—are architecturally resilient against this entire class of attack.
Axios is not just another npm package. It is foundational infrastructure: embedded in frontend frameworks, backend services, mobile applications, and automated build pipelines across the enterprise landscape. When Axios is compromised, the blast radius spans nearly every layer of a modern software organization.
| Timestamp (UTC) | Event |
|---|---|
| March 30, 05:57 | plain-crypto-js@4.2.0 published by attacker account (nrwise@proton.me)—a clean decoy establishing npm publishing history |
| March 30, 23:59 | plain-crypto-js@4.2.1 published with malicious postinstall hook added |
| March 31, 00:21 | axios@1.14.1 published via compromised maintainer account (email changed to attacker-controlled ProtonMail address) |
| March 31, 01:00 | axios@0.30.4 published—39 minutes after 1.14.1, covering both active release branches |
| March 31, ~03:15 | npm unpublishes both versions after approximately 2.5–3 hours live |
The attacker compromised the npm account of jasonsaayman, Axios's primary maintainer, and changed the registered email to an attacker-controlled ProtonMail address to lock out the rightful owner. A critical forensic indicator: legitimate Axios releases use GitHub Actions with npm's OIDC Trusted Publisher mechanism, creating cryptographic binding between the published package and a verified CI/CD workflow. The malicious versions showed no trusted publisher, no gitHead, no corresponding GitHub commit or tag—they were published manually using a stolen classic npm access token.
Collaborator DigitalBrainJS noted in the GitHub issue: “Since access to git and the npm repository is compromised... I can’t revoke his access.”
The malicious dependency plain-crypto-js@4.2.1 was never imported anywhere in the Axios source code. Its sole purpose was to execute a postinstall script that triggered automatically during npm install:
setup.js file (XOR cipher with key “OrDeR_7077” plus base64 encoding) decoded and contacted C2 server sfrclak.com:8000 within 2 seconds of install start—before npm even finished resolving the dependency tree/Library/Caches/com.apple.act.mond (disguised as an Apple system cache file)%PROGRAMDATA%\wt.exe (disguised as Windows Terminal) with registry persistence via MicrosoftUpdate Run key/tmp/ld.pypackage.json, and renamed a pre-staged clean stub in its place. Post-infection, npm list showed no trace of the compromiseAll three platform variants functioned as lightweight RATs with consistent capabilities:
Security researchers from multiple firms characterized the operation as espionage or advanced persistent threat (APT) activity. The absence of cryptocurrency mining, ransomware, or financial fraud components—combined with the operational sophistication of 18-hour pre-staging, multi-platform payloads, and forensic erasure—pointed to intelligence gathering, credential harvesting, and preparation for lateral movement into production environments.
The Axios attack was not targeting Axios itself. It was targeting the environments where Axios runs—and the credentials those environments contain.
Developer laptops and workstations typically hold SSH keys, AWS/GCP/Azure credentials, database connection strings, API keys in .env files, Git credentials, and cloud CLI configurations. A single npm install on a compromised package delivers all of these to an attacker.
Build servers running npm install or npm ci automatically resolve and install dependencies—including malicious ones. These environments typically hold deployment credentials, production database passwords, cloud provider tokens, container registry access, and every secret injected as an environment variable. The Axios RAT's postinstall hook executed before the build even started.
Docker images built without version pinning during the 2.5-hour exposure window baked the malicious package into container layers. These images may continue to be deployed from registries long after the npm removal, creating a persistent infection vector.
The common thread: every one of these environments stores credentials in places accessible to any code running in the same process—environment variables, config files on the local filesystem, credential helper caches. The Axios RAT knew exactly where to look because that’s where everyone puts them.
The Axios attack exploits a structural weakness that no amount of npm hardening can fully eliminate: if credentials are stored on machines that install packages from public registries, those credentials are one compromised dependency away from exfiltration.
This is not an Axios problem. It is not an npm problem. It is an architecture problem.
Consider the attack surface of a typical enterprise API integration:
.env files on developer machinesEvery credential stored this way is vulnerable to any process running on the same machine—including code executed by postinstall scripts from transitive npm dependencies that no developer explicitly chose to install.
DreamFactory’s architecture is built around a principle that directly addresses this vulnerability class: credentials are stored server-side in encrypted storage on your infrastructure, never on endpoint machines, never in environment variables, and never accessible through public package registry dependency chains.
DreamFactory runs on your infrastructure—on-premises, private cloud, or your own VPC. Database passwords, API keys, and service credentials are stored encrypted in DreamFactory’s system database, with optional integration with AWS KMS and Azure Key Vault for enterprise key management. A compromised npm package on a developer’s laptop cannot access credentials that exist only inside a hardened server environment.
DreamFactory is deployed as a self-contained application—not a library installed via npm install or pip install into a shared development environment. The credential management layer has zero dependency on public package registries. There is no transitive dependency chain through which an attacker can inject code into the path between credential storage and credential usage.
When an application or AI agent accesses data through DreamFactory, it authenticates with a scoped DreamFactory API key or session token. DreamFactory then authenticates with the underlying data source using credentials that exist only on the server. The client application—and everything on the client machine, including any compromised npm packages—never sees the database password, cloud API key, or service account token.
If a developer’s machine is compromised, the attacker gets a DreamFactory API key scoped to specific services, endpoints, and fields. They do not get the underlying database superuser password or the AWS root credentials.
DreamFactory enforces role-based access control at the service, endpoint, table, and field levels. Combined with enterprise identity integration (Azure AD/Entra ID, Okta, LDAP, SAML), permissions are governed by your existing identity infrastructure—not by static API keys scattered across team members’ machines. When an employee leaves or changes roles, their API access updates automatically.
With DreamFactory’s MCP Server (introduced in v7.4.0), AI agents and LLMs access enterprise data through DreamFactory’s governed API layer. The AI agent authenticates with DreamFactory. DreamFactory authenticates with the data source. Provider credentials never leave the server, never appear in agent configurations, and never transit through environments that install packages from public registries.
npm list axios in every project, CI/CD runner, and Docker imagels node_modules/plain-crypto-js—if this directory exists, the dropper executed/Library/Caches/com.apple.act.mond%PROGRAMDATA%\wt.exe/tmp/ld.pysfrclak.com or 142.11.206.73axios@1.14.0 (or 0.30.3 for 0.x users){
"overrides": { "axios": "1.14.0" },
"resolutions": { "axios": "1.14.0" }
}npm ci --ignore-scripts for all automated buildssfrclak.com and 142.11.206.73 to firewall blocklists and DNS sinkholes.env files, not in CI/CD environment variables, not on developer laptopsmin-release-age=7 in .npmrc (supported in npm, pnpm, bun, yarn, and uv) to create a buffer window for security scanners to detect anomalies before your systems pull new versionsfetch() support. For use cases that don’t require Axios’s interceptor patterns or upload progress tracking, eliminating the dependency eliminates the attack surfaceThe Axios compromise did not occur in isolation. It is the fifth major open-source supply chain attack in a single month:
| Date | Target | Ecosystem | Mechanism |
|---|---|---|---|
| March 19 | Trivy (Aqua Security) | GitHub Actions / Docker | CI/CD credential theft via compromised scanner |
| March 21 | Checkmarx AST | GitHub Actions | Identical credential stealer pattern |
| March 24 | LiteLLM | PyPI | Credential harvester via .pth file injection |
| March 27 | Telnyx | PyPI | Compromised package with credential theft |
| March 31 | Axios | npm | Cross-platform RAT via hijacked maintainer account |
The pattern is unmistakable: attackers are systematically targeting high-download-count packages in public registries to harvest credentials from enterprise environments. Whether it is a Python .pth file or an npm postinstall script, the fundamental exploit is the same: code from a public registry runs with full access to every credential on the machine where it is installed.
The only durable defense is architectural: ensure that the credentials worth stealing do not exist on machines that run code from public registries.
DreamFactory was not designed as a response to npm supply chain attacks. But its architecture—self-hosted deployment, server-side encrypted credential storage, zero reliance on public package registries for credential handling, granular RBAC, and enterprise identity integration—directly addresses the structural weakness that every attack in March 2026 exploited.
With 50,000+ production instances processing over 2 billion daily API calls across healthcare, financial services, government, and manufacturing, DreamFactory provides a proven path to credential isolation. Applications and AI agents authenticate with DreamFactory. DreamFactory authenticates with data sources. The underlying credentials never leave the server.
The Axios attack is a signal: the open-source supply chain is under sustained, sophisticated assault. The question for enterprise teams is not whether their dependencies will be targeted, but whether their architecture limits the damage when it happens. Server-side credential management is no longer a best practice. It is a baseline requirement.
On March 31, 2026, an attacker hijacked the npm account of Axios’s primary maintainer (jasonsaayman) and published two malicious versions (1.14.1 and 0.30.4) that included a hidden dependency called plain-crypto-js@4.2.1. This dependency’s postinstall script executed automatically during npm install, downloading and running a cross-platform remote access trojan (RAT) that harvested credentials, performed system reconnaissance, and established persistent backdoor access. The malicious versions were live for approximately 2.5–3 hours before npm removed them, but 3% of affected environments showed observed execution of the malware.
DreamFactory is a self-hosted platform providing governed API access to any data source for enterprise apps and local LLMs. Because credentials are stored encrypted server-side—in DreamFactory’s own system database integrated with AWS KMS or Azure Key Vault—they never appear as environment variables, .env files, or configuration files on developer machines, CI/CD runners, or any endpoint that installs packages from public registries. Even if a developer’s machine is fully compromised, the attacker obtains only a scoped DreamFactory API key, not the underlying database passwords or cloud provider credentials.
The Axios attack has not been formally attributed to TeamPCP (the group behind the Trivy, Checkmarx, and LiteLLM attacks). However, it is the fifth major open-source supply chain attack in March 2026. The Axios malware showed hallmarks of espionage-grade operations—multi-platform RATs, 18-hour pre-staging, forensic self-destruction—distinct from the credential-harvesting focus of the TeamPCP campaign. Whether related or independent, the attacks demonstrate that multiple sophisticated threat actors are systematically targeting high-value open-source packages.
The compromised versions have been removed from npm, and clean versions (1.14.0, 0.30.3) remain safe. Modern Node.js includes native fetch() support, which eliminates the need for Axios in many use cases. However, Axios provides capabilities not available in native fetch (request/response interceptors, upload progress events, automatic JSON transformation). The decision should be based on whether you need those features, combined with appropriate supply chain hardening: pin versions, use --ignore-scripts in CI/CD, and configure minimum release age delays.
Most major JavaScript package managers now support a setting that refuses to install packages published less than a specified number of days ago: min-release-age=7 (npm, in days), minimum-release-age=10080 (pnpm, in minutes), minimumReleaseAge = 604800 (bun, in seconds), and npmMinimalAgeGate: "3d" (yarn berry). This creates a buffer window during which security researchers and automated scanners can detect compromised releases before they reach your environments. It would have prevented exposure to the Axios attack entirely.
Check for the malicious dependency: if node_modules/plain-crypto-js exists in any project, the dropper executed. Search for RAT artifacts on macOS (/Library/Caches/com.apple.act.mond), Windows (%PROGRAMDATA%\wt.exe), and Linux (/tmp/ld.py). Audit network logs for connections to sfrclak.com or IP 142.11.206.73. If any indicators are found, assume full system compromise: rebuild from known-good state and rotate all credentials—npm tokens, SSH keys, cloud provider credentials, database passwords, and CI/CD secrets.