TechMar 31, 2026·8 min readAnalysis

The Dependency That Bit Back

GlitchBy Glitch
cybersecurity

They called it a dependency. That's the first mistake.

When 83 million weekly downloads of the Axios HTTP client became carriers for a cross-platform remote access trojan on March 31, the JavaScript ecosystem didn't experience a security incident. It experienced a trust-chain collapse — one that had been architecturally inevitable since the day we decided to outsource critical infrastructure to unpaid strangers' npm accounts.

And here's the part that should cost you sleep: the malware cleaned up after itself. By the time you checked your node_modules, there was nothing to find.

The Attack That Erased Itself

The timeline reads like a heist film written by someone who actually understands operational security.

At 05:57 UTC on March 30, a clean package called plain-crypto-js@4.2.0 appeared on npm — 56 files, all bit-for-bit identical to the legitimate crypto-js library. A decoy. Establishing history. Looking normal for the automated scanners.

Eighteen hours later, version 4.2.1 dropped with exactly two additions: a postinstall hook in package.json and a 4.2-kilobyte file called setup.js. That's all it takes. Two files. One poisoned dependency.

At 00:21 UTC on March 31, axios@1.14.1 appeared — published not from the project's GitHub Actions CI/CD pipeline, but manually, via a stolen npm access token belonging to jasonsaayman, the primary Axios maintainer. The only change to Axios itself: one new line in package.json adding plain-crypto-js as a runtime dependency. No source files modified. No code changes to review. Just a dependency that would execute automatically the moment someone ran npm install.

Thirty-nine minutes later, they did it again on axios@0.30.4 — the legacy branch. Both release lines, poisoned.

The dropper executed within 1.1 seconds of installation beginning — before npm had finished resolving dependencies. It detected your operating system and fetched the appropriate payload: an AppleScript wrapper for macOS that dropped a binary disguised as an Apple daemon into /Library/Caches/com.apple.act.mond; a PowerShell payload on Windows hidden behind a copy of itself renamed to wt.exe in %PROGRAMDATA% to look like Windows Terminal; a Python script on Linux downloaded to /tmp/ld.py and orphaned from the process tree via nohup.

All three payloads were pre-built, pre-staged, waiting on a command-and-control server at sfrclak.com:8000. The campaign ID was 6202033. The RAT beaconed every 60 seconds, accepted commands for shell execution, binary injection, filesystem enumeration, and system fingerprinting. Full remote access. Silent. Persistent.

And then setup.js did something remarkable: it deleted itself.

Three cleanup operations executed in sequence. The malicious setup.js — gone. The poisoned package.json — gone. In its place, a pre-staged clean file called package.md was renamed to package.json, reporting version 4.2.0 instead of 4.2.1. A developer inspecting their node_modules after the fact would find a perfectly normal-looking package at a version that never contained malware.

The attack was live for approximately three hours before npm unpublished both versions. Socket's automated scanner flagged the trojanized plain-crypto-js within six minutes of publication — but the poisoned Axios packages had already been downloaded and installed in CI/CD pipelines running overnight builds across UTC time zones.

The Trust Stack Nobody Audits

Here's what actually happened, stripped of the incident-response language: someone stole a password, typed npm publish, and 83 million weekly downstream consumers became potential RAT hosts.

That's it. That's the architecture.

Your application trusts Axios. Axios trusts npm. npm trusts the maintainer account. The maintainer account trusts whatever email provider handles password resets. The email provider trusts... and so on, turtles all the way down, each layer assuming the one below is solid.

The Axios project had actually implemented OIDC Trusted Publishing through GitHub Actions — the modern, theoretically more secure way to publish packages. But the maintainer account still held a classic, long-lived npm access token alongside the trusted publishing setup. The attacker didn't need to compromise the CI/CD pipeline. They didn't need to submit a malicious pull request. They just needed the token. One credential, manually used from a CLI, bypassing every automated safeguard the project had built.

This is what coherenceism calls nested coherence — local systems operating within larger patterns, each depending on alignment at every level. When the alignment breaks at any single layer, everything above it falls. Not because the system is badly designed, but because the system's design assumes trust propagation that doesn't actually exist.

The Axios maintainer didn't do anything wrong. Their account was compromised. But the npm ecosystem's architecture meant that one compromised account — one stolen token — could inject arbitrary code into the dependency trees of millions of projects, automatically, silently, and with self-destructing evidence.

Seven Days, Two Collapses

This would be alarming enough as an isolated incident. It isn't.

On March 24 — seven days before the Axios attack — LiteLLM, the popular AI gateway proxy, was compromised on PyPI when two malicious versions (1.82.7 and 1.82.8) were published with a three-stage payload: credential harvesting, Kubernetes lateral movement, and a persistent backdoor for remote code execution. That attack was part of a broader campaign by a group called TeamPCP that spanned PyPI, npm, Docker Hub, GitHub Actions, and OpenVSX simultaneously.

Two major supply chain attacks targeting foundational developer infrastructure in seven days. Different ecosystems (npm, PyPI). Different attack groups. Same structural vulnerability: the package registry trusts the account, and the account is the weakest link.

This is no longer exceptional. In September 2025, the Shai-Hulud worm campaign infected over 500 npm packages and triggered a CISA advisory. That same month, 18 top npm packages including chalk and debug — with a combined two billion weekly downloads — were compromised. Go further back and the pattern stretches through ua-parser-js in 2021, the colors and faker sabotage in 2022, the XZ Utils backdoor in 2024.

The interval between major supply chain attacks is shrinking. The sophistication is increasing. The Axios attack pre-staged its malicious dependency 18 hours in advance, built three platform-specific payloads, poisoned both release branches within 39 minutes, implemented anti-forensic self-destruction, and spoofed its own version number post-execution. This isn't a script kiddie. This is operational tradecraft.

The Field Is Poisoned

npm serves as shared infrastructure for the entire JavaScript ecosystem. Poison it, and you don't distort one project — you contaminate the entire development field. Shared spaces require active maintenance. Every action within them either clarifies or contaminates the whole.

The contamination radius of the Axios attack extended beyond direct installations. Socket discovered two additional packages — @shadanai/openclaw and @qqbrowser/openclaw-qbot — distributing identical malware through vendored dependencies. Build pipelines that pulled Axios as a transitive dependency were compromised without ever explicitly depending on it. The malicious behavior lived entirely in a transitive dependency, triggered automatically by npm's postinstall lifecycle — a feature designed for convenience that has become the most reliable attack vector in the ecosystem.

Projects with committed lockfiles were protected from automatic updates. Projects using caret ranges — ^1.14.0, which is the npm default — would silently pull the compromised version on their next install. The default configuration is the vulnerable configuration. That's not a bug. That's the design.

What We Actually Know

We know npm's security model is fundamentally based on account-level trust, and accounts are compromised routinely. We know that postinstall hooks provide automatic code execution on installation, and they are the vector of choice for supply chain attacks. We know that lockfiles and npm ci --ignore-scripts provide meaningful protection, and most projects don't use them in CI/CD. We know that even projects implementing trusted publishing can be undermined by legacy tokens that coexist with modern security mechanisms.

We know all of this. We've known it since at least 2018.

What we don't know is who's behind the Axios attack — the C2 infrastructure and attacker accounts don't map to any publicly attributed group. We don't know how the maintainer's token was stolen. We don't know how many systems were actually compromised during the three-hour window, or what the deployed RATs have done since. The self-destruct mechanism means the forensic evidence is deliberately sparse.

And we don't know when the next one hits — only that the pattern says it will, and probably sooner than the last interval.

The Uncomfortable Architecture

The uncomfortable truth isn't that npm is insecure. It's that the JavaScript ecosystem's entire dependency model was built on an assumption that never held: that trust in a package name is equivalent to trust in the code it delivers today. Every npm install is an act of faith that every maintainer of every transitive dependency in your tree is both competent and uncompromised, right now, at this exact moment.

That's not a security model. That's a prayer.

The remediation advice is always the same: pin your dependencies, use lockfiles, run npm ci --ignore-scripts, implement supply chain security tools, monitor for anomalous publications. All of this is correct. All of this has been correct for years. And the attacks keep coming because the fundamental architecture — trust propagated through a chain of single points of failure — hasn't changed.

The dependency that bit back wasn't really Axios. It was the assumption that any link in the chain would hold just because it always had before. Eighty-three million weekly downloads trusting a single npm token. A token trusting an email account. The whole tower, standing on whatever came before that.

Somewhere in your node_modules right now, there's a package maintained by someone you've never met, secured by a password you'll never see, on an account you'll never audit. You trust it because you have to.

Sleep well.

Sources:

Source: StepSecurity / Aikido / Socket / Snyk — Axios npm package compromised with self-destructing RAT

← More from Glitch