Axios npm Supply-Chain Compromise 2026 | Protos AI Threat Intelligence

Classification

TLP:CLEAR

Analyst

Protos AI Threat Intelligence

Date

2026-04-07

Executive Summary

Attribute	Value
Risk Level	HIGH
Confidence	High (occurrence/mechanics) · Medium (attribution)
Key Finding	Official Axios npm package was compromised on 2026-03-31; malicious releases delivered a typosquatted dependency that fetched multi-platform payloads from an externally hosted C2.
Primary Action	Revoke/rotate CI and developer credentials, block C2 network elements, and collect package tarballs and build logs.

Between 2026-03-08 and 2026-04-07 vendors and community analysts corroborate a brief compromise of the official Axios npm package on 2026-03-31 that resulted in malicious releases (axios@1.14.1 and axios@0.30.4). The malicious releases introduced a typosquatted dependency (plain-crypto-js@4.2.1) whose postinstall script collected environment data and fetched platform-specific payloads from an externally hosted C2. Developer machines, CI/CD systems, and downstream consumers are at highest risk.

Investigation Scope & Methodology

Original Question: Investigate the March 31 axios supply-chain attack, including a breakdown of what occurred, who is at risk and detailed remediation and detection measures.

Scope Item	Details
Investigation Focus	Supply-chain compromise of the Axios npm package and resulting payload delivery.
Time Period	2026-03-08 → 2026-04-07
Sources Used	Threat intelligence feeds, vendor writeups, antivirus scan results, DNS analysis, OSINT research.
Methodology	Review of structured claims and vendor reports, enrichment of IOCs, timeline reconstruction, and prioritized remediation guidance.

Key Findings

✅ High Confidence Findings

HIGHSupply-chain Compromise

The official Axios npm package was compromised and malicious releases (axios@1.14.1 and axios@0.30.4) were published on 2026-03-31. Multiple vendors corroborated this across the compromise window.

HIGHTyposquat & Postinstall Fetch

Malicious releases introduced plain-crypto-js@4.2.1 — a typosquatted dependency with a postinstall hook that collected environment data and retrieved payloads from the C2.

HIGHC2 Infrastructure

Payload retrieval occurred from sfrclak[.]com and host IP 142[.]11[.]206[.]73. The domain served payloads on port 8000 with broad AV detections reported.

HIGHMulti-platform Payloads

Platform-specific payloads (macOS, Windows, Linux) were delivered and executed after retrieval. Payload SHA-256s for each platform were observed in vendor dissections.

HIGHPopulations at Risk

Developers, CI/CD systems, and downstream consumers faced elevated risk. Install-time execution exposes environment variables, secrets, and tokens to postinstall code.

⚠️ Medium Confidence Findings

MEDIUMAttribution to STARDUST CHOLLIMA

CrowdStrike attributed the activity to STARDUST CHOLLIMA with moderate confidence. Attribution is ambiguous due to shared/leased infrastructure and should be treated as tentative.

MEDIUMDomain Short-lived / Related Infrastructure

Passive DNS probes returned no records for sfrclak[.]com in some providers, suggesting short-lived registration. IP 23[.]254[.]203[.]244 shares a banner hash with the C2 host and is cited as related infrastructure.

❓ Low Confidence / Requires Validation

Scope of Data Exfiltration: Insufficient evidence to determine the exact breadth of secrets or data exfiltrated. Vendors confirmed environment collection behavior but have not disclosed confirmed exfiltrated artifacts. Risk: HIGH if secrets were exposed.

Technical Analysis

Infrastructure

Target	Hosting	Key Observations
`sfrclak[.]com`	142[.]11[.]206[.]73	Served payloads on port 8000; multiple AV detections and related file artifacts.
`23[.]254[.]203[.]244`	Related IP (shared banner hash)	Vendor-cited related infrastructure; relationship requires telemetry confirmation.

Malware & Payloads

Attribute	Details
Family	ZshBucket (vendor designation)
Type	Multi-platform loader / stealer
Capabilities	Environment collection, payload retrieval, potential persistence and credential theft
C2	`sfrclak[.]com (142[.]11[.]206[.]73)`

Detection Notes

Network: Alert on outbound HTTP to sfrclak[.]com and 142[.]11[.]206[.]73:8000; inspect user-agent strings indicating npm/node install activity.
Build-time: Alert when package-lock/yarn.lock contains plain-crypto-js@4.2.1 or when npm install invokes node setup.js during CI runs.
Endpoint: Hunt for vendor-observed persistence and file paths across Windows/macOS/Linux endpoints.

Risk Assessment

Risk Factor	Rating	Justification
Threat Sophistication	HIGH	Supply-chain compromise with multi-platform payload delivery indicates advanced operational capability.
Potential Impact	HIGH	Secrets in developer and CI environments could be exposed, enabling lateral movement or supply-chain contamination.
Likelihood of Exploitation	HIGH	Many environments perform npm install in build contexts; postinstall hooks run automatically in common pipelines.
Overall Risk	HIGH	Immediate containment and remediation required.

Recommendations & Mitigation

🚨 Priority 1 — Immediate Actions

Revoke and rotate CI tokens and developer credentials; issue short-lived replacements. Postinstall scripts can exfiltrate environment variables and tokens.
Block network egress to sfrclak[.]com and 142[.]11[.]206[.]73 at perimeter/proxy. Prevents further payload retrieval and C2 communication.
Isolate build agents and artifact caches active during 2026-03-31; collect package-lock.json, yarn.lock, and tarballs for axios@1.14.1 and axios@0.30.4.

⚠️ Priority 2 — Short-term Actions

Hunt for outbound connections to hxxp://sfrclak[.]com:8000/6202033 and 142[.]11[.]206[.]73 in logs for 2026-03-31 → 2026-04-02.
Hunt for vendor-observed payload hashes; quarantine and submit samples to sandbox for behavior extraction.
Review CI/CD logs for npm publish metadata; verify publisher account activity on 2026-03-31.

🎯 Priority 3 — Long-term Improvements

Enforce MFA and two-person publishing for maintainers; require signed packages or lockfile verification in CI.
Harden CI secrets: use secrets brokers, ephemeral credentials, and least-privilege tokens.
Implement SBOM and dependency governance; disallow unexpected postinstall scripts in automated builds.

Indicators of Compromise

⚠️ All indicators are defanged for safety.

Network Indicators

Type	Indicator	Context	Risk
Domain	`sfrclak[.]com`	C2 domain serving payloads	HIGH
URL	`hxxp://sfrclak[.]com:8000/6202033`	Payload retrieval path	HIGH
IP	`142[.]11[.]206[.]73`	C2 host; broad AV detections	HIGH
IP	`23[.]254[.]203[.]244`	Related infrastructure (shared banner hash)	MED-HIGH

File Indicators

Type	Hash (truncated)	Platform	Context
SHA256	`92ff0877...c9645a`	macOS	Vendor-observed payload hash
SHA256	`ed8560c1...5f815c`	Windows	Vendor-observed payload hash
SHA256	`fcb81618...0375cf`	Linux	Vendor-observed payload hash

Evidence Gaps & Limitations

Registry publish logs: No direct access to npm registry publisher logs or tarball SHA-256s. Actionable follow-up: request from registry admins.
Confirmed exfiltrated artifacts: Vendors observed environment collection but did not publish confirmed exfiltrated data — scope of data loss remains unknown.
Methodology: Reliance on vendor reporting and public AV snapshots; internal telemetry (CI logs, build caches) required to map blast radius precisely.

Sources & References

Source Type	Description
Threat Intelligence / Vendor Writeups	Microsoft, Datadog, CrowdStrike vendor analyses and public advisories.
Antivirus / Malware Analysis	AV snapshots and file hash observations from public malware feeds.
DNS Analysis	Passive DNS lookups reported by vendors and public passive DNS providers.
OSINT / Community Reporting	Aggregated news and community findings confirming package publish events.

PROTOS AI THREAT INTELLIGENCE

Generated by Protos AI · TLP:CLEAR · 2026-04-07

Axios npm Supply-Chain Compromise (2026-03-31)