On March 31, 2026, attackers compromised the npm account of Axios’s lead maintainer and published two malicious versions (1.14.1 and 0.30.4) of the HTTP client library used by over 100 million projects weekly. The poisoned packages silently installed a cross-platform Remote Access Trojan (RAT) via a hidden dependency called plain-crypto-js. The attack lasted approximately 2–3 hours before npm removed the packages. This happened on the same day that Claude Code’s source code leaked — and that leak revealed Axios as one of Claude Code’s direct dependencies.
March 31, 2026 was a historically bad day for npm security — and an even worse day for Anthropic. While the internet was dissecting the Claude Code source code leak, a separate and far more dangerous event was unfolding in the same ecosystem: a supply chain attack on Axios, the most popular HTTP client library in JavaScript, with approximately 100 million weekly downloads.
The timing is not a coincidence that developers should ignore. The leaked Claude Code codebase explicitly lists Axios as a dependency. Community researchers flagged this within hours, noting that anyone who had installed Claude Code during the attack window could have been affected by both incidents simultaneously — their AI coding tool’s architecture exposed, and a trojan potentially running on their machine.
This article breaks down exactly how the attack worked, why it matters for anyone building with AI agents or JavaScript-based tools, and what the collision of these two events reveals about the fragility of the modern software supply chain.
What happened and how did the attack work?
The attack followed a precise, multi-stage execution that security researchers at StepSecurity, Socket, Snyk, Wiz, and Huntress have now fully documented. Here is the verified timeline:
| Time (UTC) | Event |
|---|---|
| Mar 30, ~06:00 | Attacker publishes [email protected] — a clean “decoy” package with no malicious code, establishing brief registry history |
| Mar 30, 23:59 | Attacker publishes [email protected] — the version containing the RAT dropper payload |
| Mar 31, 00:05 | Socket’s automated malware detection flags the package within 6 minutes |
| Mar 31, 00:21 | Attacker publishes [email protected] using compromised jasonsaayman npm account — the 1.x branch is poisoned |
| Mar 31, 01:00 | Attacker publishes [email protected] — the 0.x branch is also poisoned. Both major release lines now compromised |
| Mar 31, ~02:00 | Huntress SOC detects compromised endpoints calling C2 server — over an hour before the first public alarm |
| Mar 31, ~02:56 | Socket/Feross publishes first public warning on X |
| Mar 31, ~03:15 | npm removes malicious versions. Total exposure window: ~2–3 hours |
The technical sophistication was notable. The attacker did not modify any Axios source code directly — instead, they added a single new dependency ([email protected]) to the package.json. When a developer or CI pipeline ran npm install, npm resolved the dependency tree, pulled the malicious package, and automatically executed its postinstall hook: a script called setup.js.
Within two seconds of installation — before npm had even finished resolving the rest of the dependency tree — the malware was already calling the attacker’s command-and-control server at sfrclak.com:8000.
What did the malware actually do?
The setup.js script acted as a cross-platform RAT dropper, targeting macOS, Windows, and Linux simultaneously. Here’s the execution chain:
The most dangerous design detail was the anti-forensic self-deletion. After execution, the malware deleted setup.js and replaced its own package.json with a completely clean version. Post-infection inspection of node_modules/plain-crypto-js/ would reveal nothing — no malicious script, no suspicious dependencies, no postinstall hook. Running npm audit after the fact would show a clean bill of health on a compromised machine.
If you ran npm install between 00:21 and 03:15 UTC on March 31, 2026 in any project that depends on Axios (directly or transitively): search your lockfiles for [email protected], [email protected], or plain-crypto-js. If found, treat the machine as fully compromised — rotate all credentials, API keys, SSH keys, and tokens. Downgrade to [email protected] or [email protected].
How did the attacker bypass 2FA and CI/CD protections?
This is the question that keeps security engineers up at night. The compromised maintainer, jasonsaayman, stated in GitHub issue #10604 that he had two-factor authentication enabled on “practically everything.” The attack bypassed this because the attacker obtained a long-lived classic npm access token — a credential that exists independently of 2FA.
On the 1.x branch, Axios had OIDC Trusted Publishing configured through GitHub Actions — a modern, more secure publishing method. However, a critical misconfiguration made it irrelevant: the publish workflow still passed NPM_TOKEN as an environment variable alongside the OIDC credentials. When both are present, npm uses the token. This meant the long-lived token was effectively the authentication method for all publishes, regardless of the OIDC setup.
The attacker didn’t need to breach GitHub, bypass CI/CD pipelines, or crack 2FA. They needed one token — and tokens don’t require second-factor verification. Once they had it, they published directly via the npm CLI, completely bypassing the project’s GitHub Actions pipeline.
# How to check if you're affected:
# 1. Search lockfiles for compromised versions
grep -r "[email protected]\|[email protected]\|plain-crypto-js" package-lock.json yarn.lock
# 2. Check node_modules directly
ls node_modules/plain-crypto-js 2>/dev/null && echo "⚠️ COMPROMISED" || echo "✅ Clean"
# 3. Block C2 domain at firewall level
# Add to your blocklist: sfrclak.com
# 4. Pin to safe version
npm install [email protected] --save-exact
What is the connection to the Claude Code source leak?
The Claude Code source code leak and the Axios attack happened on the same day — and they are connected through a shared dependency.
Community researchers analyzing the leaked Claude Code codebase immediately noticed that Axios is listed as a direct dependency of Claude Code. Multiple Hacker News commenters and security researchers flagged this within hours of the leak: a tool used by hundreds of thousands of developers to write production code depends on a library that, for approximately three hours that same morning, was distributing a remote access trojan.
There is no evidence that the two events are causally related — the Axios compromise appears to be an independent supply chain attack by an unknown threat actor (potentially linked to the “TeamPCP” campaign). However, the timing creates a compound risk scenario:
Any developer who updated their Claude Code installation (or any Node.js project with an Axios dependency) during the 00:21–03:15 UTC window on March 31, 2026 could have pulled the compromised Axios version. The RAT would have had access to the same machine where the developer writes code, stores SSH keys, and manages API tokens — including Anthropic API keys used to authenticate Claude Code sessions.
As one VentureBeat analysis noted, the coincidence amplifies the security risk of the source leak: now that attackers know exactly how Claude Code’s authentication and permission systems work (from the leaked source), and could potentially have harvested developer credentials (from the Axios RAT), the attack surface for targeted exploitation is significantly wider.
AI coding tools like Claude Code, Cursor, and GitHub Copilot run in developer environments with access to the same credentials, keys, and code repositories as the developer. A supply chain attack on any dependency of these tools inherits that access. The Axios incident demonstrates that the security of your AI coding assistant is only as strong as its weakest transitive dependency.
How big was the blast radius?
The numbers are sobering. Axios receives approximately 100 million weekly downloads on npm and is present in an estimated 80% of cloud and code environments, according to Wiz’s analysis. Even a 2–3 hour window for a package with that reach creates enormous exposure.
Huntress’s security operations center detected and confirmed 135 compromised endpoints across all operating systems contacting the attacker’s C2 infrastructure during the exposure window — and that’s just within their partner base. Wiz reported observing execution in 3% of affected environments, meaning the RAT successfully ran on roughly 1 in 33 systems that pulled the compromised version.
The attack propagated transitively, meaning even projects that don’t directly list Axios as a dependency could be affected if any of their dependencies depend on Axios. Huntress found the malicious package nested inside a WordPress module at a path three levels deep in node_modules — confirming that the supply chain infection reached far beyond projects that explicitly import Axios.
StepSecurity described this as “among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package” — comparable in scale to the 2021 ua-parser-js compromise and the 2018 event-stream incident.
What defenses would have prevented this?
The Axios attack exploited several common weaknesses in how the JavaScript ecosystem handles package publishing and installation. Every failure point has a known mitigation:
| Vulnerability | Mitigation | Implementation |
|---|---|---|
Floating version ranges (^1.14.0) |
Pin exact versions | npm install [email protected] --save-exact |
npm install ignores lockfile |
Use npm ci in CI/CD |
Respects lockfile exactly, rejects mismatches |
| Postinstall hooks run automatically | Disable lifecycle scripts | npm install --ignore-scripts or use pnpm (disabled by default) |
| Long-lived npm access tokens | Short-lived, scoped tokens | Rotate regularly, use automation tokens with publish scope only |
| No cooldown on new package versions | Package release age policy | Reject packages published within 72 hours in CI/CD |
| OIDC + legacy token coexistence | Remove legacy tokens when OIDC is configured | Audit which CI/CD systems have npm publish rights |
The single most effective defense would have been pnpm instead of npm. pnpm disables lifecycle scripts (including postinstall) by default for all packages except those explicitly allowlisted. This would have blocked the RAT dropper from executing even if the malicious package had been installed — the payload simply wouldn’t have run.
# Add to your project's .npmrc file:
# Disable all lifecycle scripts (blocks postinstall RAT droppers)
ignore-scripts=true
# Require exact versions (prevents auto-upgrade to malicious releases)
save-exact=true
# Enforce lockfile in CI (prevents npm install from resolving new versions)
# Use: npm ci (not npm install) in all pipelines
What does this mean for the AI development ecosystem?
The collision of the Claude Code leak and the Axios attack on the same day crystallizes a risk that the AI industry has been ignoring: AI tools inherit every vulnerability of their software supply chain.
Claude Code is built with React, Ink, Bun, and dozens of npm packages including Axios. GitHub Copilot runs inside VS Code with its own dependency tree. Cursor ships as an Electron app with bundled Node.js modules. Every one of these tools runs with the developer’s permissions — access to source code, environment variables, API keys, SSH keys, and cloud credentials.
When a supply chain attack hits a dependency of an AI coding tool, it doesn’t just compromise the tool — it compromises the development environment of every user. For a tool like Claude Code, which Anthropic reports has contributed to over $1 billion in ARR, the potential blast radius includes the most sensitive codebases at the companies that depend on it.
This is not a theoretical concern. The Axios attack demonstrated a working kill chain: compromise a widely-used dependency → inject a RAT that harvests credentials → use those credentials to access production systems. The only thing that limited the damage was speed of detection — Socket flagged the malicious package within 6 minutes, and the compromised versions were live for less than 3 hours. A more patient attacker, or one targeting a less-monitored dependency, could maintain access for days or weeks.
For developers building machine learning pipelines, RAG systems, or any AI-powered application: audit your dependencies today. The most dangerous vulnerability in your AI stack isn’t in the model — it’s in package.json.
FAQ
Am I affected if I use Axios but didn’t update on March 31?
If you did not run npm install, yarn install, or any package installation command between 00:21 and 03:15 UTC on March 31, 2026, you are almost certainly not affected. The malicious versions (1.14.1 and 0.30.4) have been removed from npm. If your lockfile pins to any version other than these two, you are safe. Check with: grep -r "1.14.1\|0.30.4" package-lock.json
Does this affect Claude Code users?
Claude Code uses Axios as a dependency, confirmed by the leaked source code. However, Claude Code is distributed as a bundled npm package — meaning its dependencies are typically resolved and frozen at build time by Anthropic, not at install time by the user. Unless you installed or updated Claude Code during the attack window and the bundle resolved to the compromised Axios version, you are likely not directly affected. Anthropic has not issued a public statement on this specific overlap.
How can I tell if the malware ran on my machine?
The malware deletes itself after execution, making post-infection detection difficult. Check for outbound connections to sfrclak.com:8000 in your network logs or firewall records. On macOS/Linux, review ~/.bash_history and process logs for unexpected activity during the attack window. If the compromised package was installed, assume full compromise and rotate all credentials regardless of whether you can confirm execution.
What is a supply chain attack in software?
A supply chain attack compromises a trusted component in the software build process — not your application directly, but a library your application depends on. By poisoning a building block that thousands of projects trust, the attacker reaches every downstream user automatically. The Axios attack is analogous to contaminating a popular ingredient used by many food manufacturers: the manufacturers didn’t change their recipe, but the ingredient itself was poisoned at the source.
Would using pnpm have prevented this attack?
Yes. pnpm disables lifecycle scripts (including postinstall hooks) by default for all packages except those explicitly allowlisted. The Axios attack relied entirely on a postinstall script in the malicious dependency to execute the RAT dropper. With pnpm’s default configuration, the malicious package would have been installed but the payload would never have executed.
Is there any connection between the Axios attack and the Claude Code leak?
No causal connection has been established. The two events appear to be independent. The Axios attack was executed by an unknown threat actor (potentially linked to the “TeamPCP” campaign), while the Claude Code leak was an accidental source map publication by Anthropic. However, the timing creates a compound risk: the leaked source reveals Claude Code’s dependencies (including Axios), and the Axios attack compromised that exact dependency on the same day.
Sources & Further Reading
- Kurmi, A. (2026, March 31). Axios compromised on npm — malicious versions drop remote access trojan. StepSecurity. https://www.stepsecurity.io
- Socket Research Team. (2026, March 31). Supply chain attack on Axios pulls malicious dependency from npm. Socket. https://socket.dev
- Snyk Security Team. (2026, March 31). Axios npm package compromised: supply chain attack delivers cross-platform RAT. Snyk. https://snyk.io
- Read, B., Cohen, A., Ramati, H., & Bar, M. (2026, March 31). Axios npm distribution compromised in supply chain attack. Wiz Blog. https://www.wiz.io
- Huntress SOC. (2026, March 31). Supply-chain compromise of Axios npm package. Huntress. https://www.huntress.com
- Lakshmanan, R. (2026, March 31). Axios supply chain attack pushes cross-platform RAT via compromised npm account. The Hacker News. https://thehackernews.com
- SocRadar. (2026, March 31). Axios npm hijack 2026: Everything you need to know. https://socradar.io
- Malwarebytes Labs. (2026, March 31). Axios supply chain attack chops away at npm trust. Malwarebytes. https://www.malwarebytes.com
