How to Check If Your App Is Affected by the Axios Supply Chain Attack (And Fix It)

On March 31, 2026, the axios npm package — used in millions of JavaScript projects — was compromised in a supply chain attack. Malicious versions 1.14.1 and 0.30.4 deployed a cross-platform remote access trojan (RAT) through a hidden dependency called plain-crypto-js@4.2.1.
This guide walks you through detection, analysis, and remediation — with actual terminal commands you can run right now.
TL;DR: Run our automated scanner: curl -fsSL https://noqta.tn/tools/check-axios-attack.sh | bash (or download the script first and read it before running, as shown in Step 4).
Quick Check (30 Seconds)
Before diving deep, run these three commands in your project directory:
# 1. Check lockfile for compromised versions (coarse: any package at these versions matches; Step 1 checks axios exactly)
grep -E "1\.14\.1|0\.30\.4" package-lock.json yarn.lock pnpm-lock.yaml 2>/dev/null
# 2. Check for malicious dependency
ls node_modules/plain-crypto-js 2>/dev/null && echo "⚠️ AFFECTED!" || echo "✅ Clean"
# 3. Check system for RAT (macOS)
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "⚠️ RAT FOUND!" || echo "✅ Clean"

If any of these return a positive hit, stop and follow the full remediation guide below.
Step 1: Scan Your Lockfiles
Your lockfile records the exact versions that were installed. This is the most reliable way to check.
package-lock.json (npm)
# Search for compromised axios versions
cat package-lock.json | python3 -c "
import json, sys
data = json.load(sys.stdin)
BAD = ['1.14.1', '0.30.4']
found = False
# npm lockfile v2/v3 format: flat 'packages' map keyed by node_modules path
for path, info in data.get('packages', {}).items():
    name = path.rsplit('node_modules/', 1)[-1]   # exact name, so axios-retry etc. do not match
    if name == 'axios' and info.get('version') in BAD:
        print(f'⚠️ CRITICAL: {path} → {info[\"version\"]}')
        found = True
    if name == 'plain-crypto-js':
        print(f'⚠️ CRITICAL: Malicious package found at {path}')
        found = True
# npm lockfile v1 format: nested 'dependencies' tree (walked recursively so transitive copies are seen)
def walk(deps, prefix=''):
    global found
    for name, info in deps.items():
        if name == 'axios' and info.get('version') in BAD:
            print(f'⚠️ CRITICAL: {prefix}axios@{info[\"version\"]}')
            found = True
        if name == 'plain-crypto-js':
            print(f'⚠️ CRITICAL: Malicious package found at {prefix}plain-crypto-js')
            found = True
        walk(info.get('dependencies', {}), prefix + name + '/')
if 'packages' not in data:
    walk(data.get('dependencies', {}))
if not found:
    print('✅ No compromised versions found in package-lock.json')
"

yarn.lock
# Search yarn.lock
grep -A 2 'axios@' yarn.lock | grep -E 'version "1\.14\.1"|version "0\.30\.4"'
grep 'plain-crypto-js' yarn.lock

pnpm-lock.yaml
# Search pnpm lockfile
grep -E 'axios.*1\.14\.1|axios.*0\.30\.4|plain-crypto-js' pnpm-lock.yaml
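The one-liners above are enough for a quick look, but they either match on substrings or miss nested copies. The following added example (written for this guide, not the noqta scanner or axios project code) parses package-lock.json in both the v1 nested layout and the v2/v3 flat layout, plus yarn.lock v1 text, and reports only an exact `axios` package at the compromised versions and any `plain-crypto-js` entry at any depth. The lockfile contents embedded below are constructed samples; the version strings and package names come from the advisory. pnpm-lock.yaml is not parsed here.

```python
"""Added example: exact lockfile scan for the compromised axios releases.

Handles package-lock.json (v1 nested "dependencies" and v2/v3 flat "packages")
and yarn.lock v1. Sample lockfile contents are constructed for the demo."""
import json
import re

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}  # versions named in the advisory
MALICIOUS_PACKAGE = "plain-crypto-js"     # hidden dependency that carried the RAT


def _package_name(path):
    """'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar'."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_package_lock(text):
    """Return [(install_path, version)] findings from package-lock.json text."""
    data = json.loads(text)
    findings = []

    def check(path, name, version):
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append((path, version))
        if name == MALICIOUS_PACKAGE:
            findings.append((path, version))

    # v2/v3: flat map keyed by node_modules path; "" is the root project itself.
    for path, info in data.get("packages", {}).items():
        if path:
            check(path, _package_name(path), info.get("version"))

    # v1: arbitrarily nested "dependencies"; walk so transitive copies are found.
    # (v2 files carry both maps, so only walk when "packages" is absent.)
    def walk(deps, prefix):
        for name, info in deps.items():
            path = f"{prefix}node_modules/{name}"
            check(path, name, info.get("version"))
            walk(info.get("dependencies", {}), path + "/")

    if "packages" not in data:
        walk(data.get("dependencies", {}), "")
    return findings


# yarn.lock v1 entry header: `axios@^1.14.0, axios@^1.0.0:` or `"@scope/pkg@1.0.0":`
_ENTRY_RE = re.compile(r'^"?(@?[^@"\s,]+)@')


def scan_yarn_lock(text):
    """Return [(package_name, version)] findings from yarn.lock v1 text."""
    findings, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            m = _ENTRY_RE.match(line)
            current = m.group(1) if m else None       # start of a new entry
        elif current and line.strip().startswith("version "):
            version = line.strip().split('"')[1]
            if current == "axios" and version in COMPROMISED_AXIOS:
                findings.append((current, version))
            if current == MALICIOUS_PACKAGE:
                findings.append((current, version))
    return findings


# --- constructed sample inputs (not real project lockfiles) ---------------
SAMPLE_PACKAGE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/axios-retry": {"version": "1.14.1"},  # decoy: different package
    },
})
SAMPLE_PACKAGE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "some-sdk": {"version": "2.0.0",
                     "dependencies": {"axios": {"version": "0.30.4"}}},  # transitive copy
        "axios": {"version": "1.14.0"},
    },
})
SAMPLE_YARN_LOCK = """# yarn lockfile v1

axios@^1.14.0:
  version "1.14.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.14.1.tgz"
  dependencies:
    plain-crypto-js "4.2.1"

plain-crypto-js@4.2.1:
  version "4.2.1"
"""

if __name__ == "__main__":
    print("package-lock v3:", scan_package_lock(SAMPLE_PACKAGE_LOCK_V3))
    print("package-lock v1:", scan_package_lock(SAMPLE_PACKAGE_LOCK_V1))
    print("yarn.lock:      ", scan_yarn_lock(SAMPLE_YARN_LOCK))
```

Point `scan_package_lock` or `scan_yarn_lock` at a real file's contents to run it against a project; the decoy `axios-retry` entry in the sample shows why the check compares the package name rather than testing `'axios' in path`.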
Even if your lockfile looks clean, check the actual installed packages:
# Check axios version
node -e "try { console.log('axios version:', require('axios/package.json').version) } catch(e) { console.log('axios not installed') }"
# Check for plain-crypto-js anywhere in node_modules
find node_modules -name "plain-crypto-js" -type d 2>/dev/null
# Check for the malicious setup.js file specifically
find node_modules -path "*/plain-crypto-js/setup.js" 2>/dev/null
# Check if axios has plain-crypto-js as a dependency
cat node_modules/axios/package.json 2>/dev/null | grep -i "plain-crypto"

Step 3: Check Your System for RAT Indicators
The malware deploys platform-specific RAT payloads. Check your system:
macOS
echo "=== macOS RAT Indicator Check ==="
# Primary payload location
if [ -f "/Library/Caches/com.apple.act.mond" ]; then
echo "⚠️ CRITICAL: RAT payload found at /Library/Caches/com.apple.act.mond"
ls -la "/Library/Caches/com.apple.act.mond"
file "/Library/Caches/com.apple.act.mond"
else
echo "✅ /Library/Caches/com.apple.act.mond — not found"
fi
# LaunchDaemon persistence
if [ -f "/Library/LaunchDaemons/com.apple.act.mond.plist" ]; then
echo "⚠️ CRITICAL: LaunchDaemon persistence found"
else
echo "✅ No LaunchDaemon persistence"
fi
# Check for suspicious osascript processes
if pgrep -lf "osascript.*act.mond" 2>/dev/null; then
echo "⚠️ CRITICAL: Suspicious osascript process detected"
else
echo "✅ No suspicious osascript processes"
fi
# Check for C2 connections
lsof -i -P 2>/dev/null | grep -i "sfrclak\|:8000" && echo "⚠️ Active C2 connection!" || echo "✅ No C2 connections detected"

Windows (PowerShell)
# Check for RAT payload
if (Test-Path "$env:PROGRAMDATA\wt.exe") {
Write-Host "⚠️ CRITICAL: RAT payload found at $env:PROGRAMDATA\wt.exe" -ForegroundColor Red
Get-Item "$env:PROGRAMDATA\wt.exe" | Format-List
} else {
Write-Host "✅ No RAT payload found" -ForegroundColor Green
}
# Check for suspicious scheduled tasks
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*wt.exe*" }
# Check for C2 connections
netstat -an | Select-String "sfrclak|8000"

Linux
echo "=== Linux RAT Indicator Check ==="
# Check for active C2 connections
ss -tnp 2>/dev/null | grep -E "sfrclak|:8000" && echo "⚠️ Active C2 connection!" || echo "✅ No C2 connections"
# Check for suspicious cron entries
crontab -l 2>/dev/null | grep -iE "sfrclak|plain-crypto|act\.mond" && echo "⚠️ Suspicious cron!" || echo "✅ No suspicious cron entries"
# Check for suspicious processes
ps aux | grep -iE "sfrclak|act\.mond" | grep -v grep && echo "⚠️ Suspicious process!" || echo "✅ No suspicious processes"
# Check /tmp for dropper artifacts
find /tmp -name "*.sh" -mmin -120 -exec grep -l "sfrclak" {} \; 2>/dev/null

Step 4: Use Our Automated Scanner
We've built check-axios-attack — a comprehensive bash tool that runs all the checks above and more:
# Download and run (scan only)
curl -fsSL https://noqta.tn/tools/check-axios-attack.sh | bash
# Run with auto-fix
curl -fsSL https://noqta.tn/tools/check-axios-attack.sh | bash -s -- --fix
# Scan a specific project directory
curl -fsSL https://noqta.tn/tools/check-axios-attack.sh -o check-axios-attack.sh
chmod +x check-axios-attack.sh
./check-axios-attack.sh --path /your/project --verbose
# Output as JSON (for CI/CD integration)
./check-axios-attack.sh --json

What the tool does:
- ✅ Scans package-lock.json, yarn.lock, and pnpm-lock.yaml for affected versions
- ✅ Checks node_modules for plain-crypto-js (including nested dependencies)
- ✅ Scans your system for RAT indicators (macOS, Windows, Linux)
- ✅ Validates package.json version ranges
- ✅ Reports findings with severity levels (critical/warning/ok)
- ✅ Auto-fix mode: downgrades axios, removes malicious packages, clean reinstall
- ✅ JSON output for CI/CD pipeline integration
Exit codes:
- 0 — Clean, no issues
- 1 — Warnings found
- 2 — Critical issues found
Step 5: If Affected — Full Remediation
If any of the above checks return positive results:
Immediate (Do now)
# 1. Remove malicious packages
rm -rf node_modules/plain-crypto-js
rm -rf node_modules/.cache
# 2. Downgrade to safe version
npm install axios@1.14.0 --save
# or: yarn add axios@1.14.0
# or: pnpm add axios@1.14.0
# (if another package pulls axios in transitively, pin that copy too, e.g. with an "overrides" entry in package.json; see npm ls axios)
# 3. Clean reinstall
rm -rf node_modules
npm ci # Uses lockfile exactly

Credential Rotation (Do within the hour)
Rotate EVERYTHING. The RAT had access to your filesystem. Assume all secrets on the machine are compromised:
# List .env files that may contain secrets
find . -name ".env*" -not -path "*/node_modules/*"
# List common credential files
find ~ -name "*.pem" -o -name "*.key" -o -name "*credentials*" -o -name "*.env" 2>/dev/null | head -20

Rotate:
- ☐ npm tokens (npm token revoke)
- ☐ GitHub/GitLab tokens
- ☐ AWS/GCP/Azure credentials
- ☐ Database passwords
- ☐ API keys (Stripe, SendGrid, Twilio, etc.)
- ☐ SSH keys
- ☐ SSL/TLS certificates (if private keys were on disk)
- ☐ JWT secrets
- ☐ OAuth client secrets
System Cleanup (If RAT found)
# macOS
sudo rm -f /Library/Caches/com.apple.act.mond
sudo rm -f /Library/LaunchDaemons/com.apple.act.mond.plist
sudo launchctl bootout system/com.apple.act.mond 2>/dev/null
# Windows (PowerShell, Run as Admin)
# Remove-Item "$env:PROGRAMDATA\wt.exe" -Force
# Unregister-ScheduledTask -TaskName "*wt*" -Confirm:$false
# Verify cleanup
# Re-run the scanner
./check-axios-attack.sh --verbose

Audit Deployed Code
# Check if compromised builds were deployed
git log --oneline --since="2026-03-30" --all
# Check CI/CD runs during the attack window
# (Check your GitHub Actions / GitLab CI / Jenkins logs)
# If compromised code was deployed, roll back to the last clean build

Step 6: Run Security Audit
After remediation, run a full audit:
# npm
npm audit
npm audit fix
# yarn
yarn audit
# pnpm
pnpm audit
# Comprehensive scan with Socket.dev (if configured)
npx socket scan 2>/dev/null || echo "Install: npm install -g @socketsecurity/cli"

Step 7: Prevention — Secure Your Supply Chain
Pin versions in package.json
{
  "dependencies": {
    "axios": "1.14.0"
  }
}

Avoid ^ or ~ prefixes for critical dependencies. Use exact versions.
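To make the pinning advice concrete, here is an added example (written for this guide, not part of the page's tooling or of npm) that checks a package.json and reports, for each dependency, whether it is pinned exactly, whether its range would admit a known-compromised release, or whether it is merely unpinned. It implements only the npm caret (^), tilde (~) and exact-version semantics, which is an assumption made for this demonstration; any other range syntax is reported as unpinned. The manifests below are constructed samples.

```python
"""Added example: flag package.json ranges that could resolve to a compromised release.

Only exact pins, caret (^) and tilde (~) ranges are interpreted (a subset of
npm's range grammar, assumed sufficient here). Sample manifests are constructed."""
import json
import re

# Known-bad releases named in the advisory, by package name.
KNOWN_BAD = {"axios": ("1.14.1", "0.30.4"), "plain-crypto-js": ("4.2.1",)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-[\w.-]+)?")


def parse_version(v):
    """'1.14.1' -> (1, 14, 1). Raises ValueError for anything that is not x.y.z."""
    m = _VERSION_RE.fullmatch(v or "")
    if not m:
        raise ValueError(f"not a plain x.y.z version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_exact(spec):
    """True only for a plain pinned version such as "1.14.0"."""
    try:
        parse_version(spec)
        return True
    except ValueError:
        return False


def range_admits(range_spec, version):
    """True/False if npm's ^, ~ or exact rules decide it; None for other syntaxes."""
    v = parse_version(version)
    if not range_spec or range_spec[0] not in "^~":
        try:
            return parse_version(range_spec) == v     # exact pin
        except ValueError:
            return None                               # "*", ">=1.0.0", "1.x", ...
    try:
        base = parse_version(range_spec[1:])
    except ValueError:
        return None
    if v < base:
        return False
    if range_spec[0] == "~":
        return v[:2] == base[:2]                      # ~1.14.0 := >=1.14.0 <1.15.0
    # ^ keeps the left-most non-zero component fixed:
    # ^1.14.0 := <2.0.0, ^0.30.0 := <0.31.0, ^0.0.3 := exactly 0.0.3
    if base[0] != 0:
        return v[0] == base[0]
    if base[1] != 0:
        return v[:2] == base[:2]
    return v == base


def audit_manifest(manifest_text):
    """Return {dependency: 'pinned' | 'unpinned' | 'admits <versions>'}."""
    manifest = json.loads(manifest_text)
    verdicts = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            admitted = [v for v in KNOWN_BAD.get(name, ()) if range_admits(spec, v)]
            if admitted:
                verdicts[name] = "admits " + ", ".join(admitted)
            elif is_exact(spec):
                verdicts[name] = "pinned"
            else:
                verdicts[name] = "unpinned"
    return verdicts


# --- constructed sample manifests -----------------------------------------
SAMPLE_RISKY = json.dumps({"dependencies": {"axios": "^1.14.0", "express": "~4.18.0"}})
SAMPLE_PINNED = json.dumps({"dependencies": {"axios": "1.14.0", "express": "4.18.2"}})
SAMPLE_LEGACY = json.dumps({"dependencies": {"axios": "^0.30.0"},
                            "devDependencies": {"jest": "*"}})

if __name__ == "__main__":
    for label, text in [("risky", SAMPLE_RISKY), ("pinned", SAMPLE_PINNED), ("legacy", SAMPLE_LEGACY)]:
        print(label, audit_manifest(text))
```

The `risky` sample shows the failure mode the advice is about: `"axios": "^1.14.0"` is satisfied by 1.14.1, so a fresh install during the two-hour window would have pulled the compromised release, while the exact pin in the `pinned` sample could not. The `legacy` sample shows the same for the 0.x line, where `^0.30.0` admits 0.30.4.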
Use .npmrc for security
# .npmrc
save-exact=true
audit=true
fund=false

Enable npm 2FA
npm profile enable-2fa auth-and-writes

Use lockfile-only installs in CI/CD
# GitHub Actions example
- run: npm ci # NOT npm install

Add dependency monitoring
- Socket.dev — Real-time supply chain threat detection
- Snyk — Vulnerability scanning
- Dependabot — Automated dependency updates
- npm audit signatures — Verify package provenance
CI/CD check (GitHub Actions)
name: Supply Chain Check
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Install without lifecycle scripts so a malicious postinstall cannot run before the scan
      - run: npm ci --ignore-scripts
      - run: npm audit --audit-level=critical
      # Pass --json to the script, not to bash (bash -s -- forwards the arguments)
      - run: |
          curl -fsSL https://noqta.tn/tools/check-axios-attack.sh | bash -s -- --json

FAQ
How long were the malicious versions available?
Approximately 2 hours (from ~00:00 to ~02:00 UTC on March 31, 2026).
I installed axios weeks ago — am I safe?
If your lockfile pins to a version other than 1.14.1 or 0.30.4, yes. The malicious versions were brand new.
Does this affect transitive dependencies?
Yes. If another package in your tree depends on axios and its lockfile resolved to a compromised version, you could be affected. Use npm ls axios to check the full dependency tree.
The malware self-destructs — does that mean I'm safe?
No. Self-destruction means the malware cleaned up its installation traces, but the RAT binary may still be running on your system. Always check system indicators.
Can I use fetch instead of axios?
The native fetch API (available in Node.js 18+) is a viable alternative. Frameworks like Next.js and many modern projects already use it. This is a good time to evaluate if you need axios at all.
How do I report if I was affected?
File an issue at axios GitHub and report to npm security. If you believe data was exfiltrated, notify your legal/compliance team.
Need professional help securing your Node.js infrastructure? Noqta offers security audits and DevSecOps consulting for JavaScript/TypeScript projects. We can review your dependency chain, harden your CI/CD pipeline, and set up continuous monitoring. Contact us for a free initial assessment.
Building a new project and want to start secure? Check our guides on API-first architecture and AI-powered security scanning.