Detection, prevention, and response toolkit for the axios npm supply chain attack (2026-03-31).
Malicious versions axios@1.14.1 and axios@0.30.4 were published to npm containing a cross-platform remote access trojan (RAT). The maintainer's npm account was compromised. Attributed to North Korean threat actor UNC1069 by Google Threat Intelligence Group.

One-line setup:

```bash
curl -sL https://raw.githubusercontent.com/parthalon025/axios-npm-attack/main/setup.sh | bash -s -- --all
```

This downloads the scanner, checks your machine, installs hookify rules for Claude Code, and starts a background monitor that auto-disables protections when the incident is resolved.
Just want to check if you're affected?

```bash
# Check installed axios version (lists every nested copy, not just the top-level one)
npm ls axios 2>/dev/null || pnpm ls axios 2>/dev/null || yarn why axios 2>/dev/null

# Check lockfiles for compromised versions
# (a yarn.lock v1 entry records the resolved version on a separate 'version "..."' line,
#  so rely on the 'yarn why axios' check above for yarn projects)
grep -rE 'axios@(1\.14\.1|0\.30\.4)|plain-crypto-js' \
  package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
```

If you find version 1.14.1 or 0.30.4, your machine is compromised. Jump to I'm Compromised — What Do I Do?
- I'm Compromised — What Do I Do?
- I'm Not Affected — How Do I Stay Safe?
- Toolkit
- Installation
- What Are Hookify Rules?
- Bonus: General Safety Rules
- Attack Details
- References
- Contributing
## I'm Compromised — What Do I Do?

Do everything below from a DIFFERENT, CLEAN device. Your compromised machine cannot be trusted.

Step 1: isolate the machine

- Disconnect the compromised machine from the network — Wi-Fi off, Ethernet unplugged
- Do NOT log into anything from the compromised machine
- From a clean device, begin credential rotation (Step 2)
Step 2: rotate credentials

Rotate everything. The RAT had full machine access — every credential, token, and key on the machine should be treated as exposed.

| Priority | What | Where |
|---|---|---|
| Critical | npm tokens | npmjs.com/settings/tokens |
| Critical | GitHub PATs + SSH keys | GitHub Settings → Tokens + SSH Keys |
| Critical | Cloud provider keys (AWS/GCP/Azure) | Provider console |
| Critical | CI/CD secrets | GitHub Actions / GitLab CI settings |
| High | SSH keys (~/.ssh/) | Regenerate keypair, update authorized_keys everywhere |
| High | Database credentials | Secret manager or DB admin console |
| High | .env file secrets | Every API key in every .env on the machine |
| High | Docker / container registry tokens | Registry settings |
| Standard | Email / Google / Microsoft accounts | Account security settings, enable MFA |
| Standard | Browser saved passwords | Password manager, change critical accounts first |
| Standard | Slack / Discord / other API keys | Each provider's dashboard |

For the full rotation playbook with verification commands: credential-rotation-guide.md
Audit for unauthorized activity (run from the clean device with your own accounts):

```bash
# Unauthorized npm publishes
npm access ls-packages

# Unauthorized GitHub activity (last 7 days)
gh api /users/{your-username}/events --jq '.[].type' | head -20

# Unauthorized git commits across your repos
# (date -d is GNU date; on macOS install coreutils and use gdate instead)
for repo in $(gh repo list --json nameWithOwner -q '.[].nameWithOwner'); do
  echo "--- $repo ---"
  gh api "/repos/$repo/commits?since=$(date -d '7 days ago' -Iseconds)" \
    --jq '.[].commit.author.name' 2>/dev/null | sort -u
done
```

Clean the machine:

```bash
# Remove all node_modules
find ~/ -name 'node_modules' -type d -prune -exec rm -rf {} +
npm cache clean --force

# Remove RAT artifacts
rm -f /tmp/ld.py                              # Linux
rm -f /Library/Caches/com.apple.act.mond      # macOS

# Check for persistence mechanisms
crontab -l                                    # Unexpected cron jobs?
systemctl --user list-units --type=service    # Unexpected services?
cat ~/.ssh/authorized_keys                    # Unknown SSH keys?
ls -la ~/.bashrc ~/.zshrc ~/.profile          # Modified recently?
```

If RAT artifacts were found, consider reimaging the machine. See credential-rotation-guide.md for full remediation steps.
Report it:

| Channel | When |
|---|---|
| security@npmjs.com | Always — include compromised versions and your npm username |
| GitHub Support | If unauthorized commits or repo changes found |
| Your security team / CISO | If this is an org machine |
| cisa.gov/report | US-based organizations |
## I'm Not Affected — How Do I Stay Safe?

- Pin your axios version — don't use semver ranges that could auto-upgrade
- Run the scanner on all your projects: `./detect-axios-rat.sh ~/projects`
- Install hookify rules to prevent AI tools from adding axios
- Set up monitoring to know when it's safe: `./axios-watch.sh --install-timer`
- Consider migrating to `fetch()` (built into Node 18+) or `undici`
## Toolkit

### IOC Scanner

Standalone scripts that check your machine for compromised axios versions and RAT artifacts.

Linux / macOS:

```bash
curl -sO https://raw.githubusercontent.com/parthalon025/axios-npm-attack/main/supply-chain/detect-axios-rat.sh
chmod +x detect-axios-rat.sh
./detect-axios-rat.sh              # Scan current directory
./detect-axios-rat.sh ~/projects   # Scan a specific directory
```

Windows (PowerShell):

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/parthalon025/axios-npm-attack/main/supply-chain/detect-axios-rat.ps1" -OutFile detect-axios-rat.ps1
.\detect-axios-rat.ps1                    # Scan current directory
.\detect-axios-rat.ps1 -Path C:\projects  # Scan a specific directory
```

| Phase | What it checks | How |
|---|---|---|
| 1 | Lockfiles | Scans package-lock.json, pnpm-lock.yaml, yarn.lock for versions 1.14.1 / 0.30.4 |
| 2 | Installed packages | Checks node_modules/axios/package.json + looks for plain-crypto-js |
| 3 | RAT file artifacts | /tmp/ld.py (Linux), /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows) |
| 4 | Network IOCs | Active connections to C2 server 142.11.206.73 / domain sfrclak.com |

Exit codes: 0 clean · 1 compromised · 2 safe version present (review recommended)

Requirements (bash version): bash, grep, find. Optional: curl, jq, ss/netstat, host.

Requirements (PowerShell version): PowerShell 5.1+. No external dependencies.
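A structural version of the lockfile check from phases 1 and 2 above, added here as an example (not the repo's detect-axios-rat.sh): package-lock.json (lockfileVersion 2/3) is parsed as JSON so transitive copies under nested node_modules are found, yarn.lock and pnpm-lock.yaml are scanned line by line so a yarn v1 entry whose resolved version sits on a separate version line is not missed, and the result is mapped to the toolkit's exit-code convention. The sample lockfile is constructed.

```python
import json
import re

COMPROMISED = {"1.14.1", "0.30.4"}   # versions named on the page
DROPPER = "plain-crypto-js"          # malicious postinstall dependency named on the page

def scan_package_lock(text):
    """(axios_versions, dropper_seen) from a package-lock.json string with
    lockfileVersion 2/3, where "packages" is keyed by install path."""
    lock = json.loads(text)
    versions, dropper = set(), False
    # keys look like "node_modules/axios" or "node_modules/x/node_modules/axios"
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name == "axios":
            versions.add(meta.get("version", "?"))
        dropper |= name == DROPPER
    return versions, dropper

# yarn.lock v1: header "axios@^1.14.0:" then '  version "1.14.1"'; pnpm-lock: "  axios@1.14.1:"
_YARN_HEADER = re.compile(r'^"?/?axios@')
_PNPM_ENTRY = re.compile(r"^\s*/?axios[@/](\d+\.\d+\.\d+)")
_VERSION_LINE = re.compile(r'^\s+version:?\s+"?(\d+\.\d+\.\d+)')

def scan_text_lock(text):
    """Line scanner for yarn.lock (v1 and berry) / pnpm-lock.yaml; same return shape."""
    versions, dropper, in_axios = set(), False, False
    for line in text.splitlines():
        dropper |= DROPPER in line
        if m := _PNPM_ENTRY.match(line):
            versions.add(m.group(1))
        if not line.startswith((" ", "\t")):          # unindented: a yarn entry header
            in_axios = bool(_YARN_HEADER.match(line))
        elif in_axios and (m := _VERSION_LINE.match(line)):
            versions.add(m.group(1))
    return versions, dropper

def verdict(versions, dropper):
    """Toolkit exit-code convention: 0 clean, 1 compromised, 2 axios present (review)."""
    if dropper or versions & COMPROMISED:
        return 1
    return 2 if versions else 0

# Constructed lockfileVersion 3 sample where the malicious release arrives transitively.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/some-sdk": {"version": "2.0.0"},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"}}})
```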
### Hookify Rules (block axios)

Two rules that block axios installation and import in Claude Code until the incident is resolved.

```bash
mkdir -p .claude
cp supply-chain/hookify.block-axios.local.md .claude/
cp supply-chain/hookify.block-axios-file.local.md .claude/
```

What gets blocked:

- Package install commands: `npm install axios`, `pnpm add axios`, `yarn add axios`, `bun add axios`
- Import statements: `import ... from 'axios'`, `require('axios')`
- Dependency declarations: `"axios"` in package.json

Each block message includes migration guidance to fetch() or undici.
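An added example (not the repo's code and not Claude Code's hook engine) that reads the block-axios command rule, whose frontmatter is reproduced below from the "What Are Hookify Rules?" section of this README, and evaluates its regex against a few constructed commands; the matching semantics are a simplified model of the rule format. It shows the rule also blocking a pinned safe version and over-matching names such as axios-retry, while a bare `npm install` from a lockfile that already pins 1.14.1 passes untouched, which is why the lockfile scanner exists alongside the rules.

```python
import re

FRONT = re.compile(r"\A---\n(.*?)\n---\n", re.S)   # hookify frontmatter delimiters

# The block-axios rule exactly as printed in this README (page content, not constructed)
BLOCK_AXIOS_RULE = r"""---
name: block-axios
enabled: true
event: all
conditions:
  - field: command
    operator: regex_match
    pattern: (npm|pnpm|yarn|bun)\s+(install|add|i)\s+.*axios
---
BLOCKED: axios installation — active supply chain attack.
Use fetch() or undici instead.
"""

def parse_rule(text):
    """Minimal reader for this layout (assumed): scalar keys plus a conditions list."""
    m = FRONT.match(text)
    if not m:
        raise ValueError("rule has no YAML frontmatter")
    rule = {"conditions": []}
    for raw in m.group(1).splitlines():
        key, _, val = raw.strip().lstrip("- ").partition(":")
        key, val = key.strip(), val.strip()
        if key == "field":                  # every 'field' line opens a new condition
            rule["conditions"].append({key: val})
        elif key in ("operator", "pattern"):
            rule["conditions"][-1][key] = val
        elif key and key != "conditions":
            rule[key] = val
    return rule, text[m.end():]

def rule_fires(rule, command):
    """Modelled: an enabled rule fires when all its regex_match conditions hit the command."""
    if rule.get("enabled") != "true" or not rule["conditions"]:
        return False
    return all(c.get("field") == "command" and c.get("operator") == "regex_match"
               and re.search(c["pattern"], command) for c in rule["conditions"])

def check_commands(rule_text, commands):
    rule, message = parse_rule(rule_text)   # map each command to its block message or None
    return {cmd: (message.strip() if rule_fires(rule, cmd) else None) for cmd in commands}

# Constructed commands: the first three fire; the last three show the rule's limits.
COMMANDS = ["npm install axios", "pnpm add -D axios@1.13.0", "npm i axios-retry",
            "npm install", "npx axios", "yarn add undici"]
```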
### Resolution Monitor

Watches for incident resolution and auto-disables block rules when it's safe.

```bash
./supply-chain/axios-watch.sh                     # One-shot check
./supply-chain/axios-watch.sh --install-timer     # Check every 6 hours (systemd timer)
./supply-chain/axios-watch.sh --uninstall-timer   # Remove the timer
```

How it knows the incident is resolved:

The monitor checks two independent signals every 6 hours. Either one is sufficient:

- GitHub issue axios/axios#10604 state = CLOSED — this is the community tracking issue. The axios maintainers will close it when account recovery is confirmed and the compromised versions are fully addressed. Checked via `gh issue view`.
- npm `axios@latest` version >= 1.15.0 — the compromised versions are 1.14.1 and 0.30.4. A version >= 1.15.0 means a new release was published after the incident, which can only happen once the maintainer account is recovered. Checked via the npm registry API.

When either signal fires, the monitor disables the hookify rules (`enabled: true` → `enabled: false`), removes its own timer, and prints confirmation. No manual intervention needed.

Supported platforms: Linux (systemd timer), macOS (launchd agent), Windows (manual — use Task Scheduler).

Requirements: gh (GitHub CLI), curl, jq.
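The monitor's decision logic, added here as an example (not the repo's axios-watch.sh): the two signals are passed in as values instead of being fetched with gh and curl, the version comparison uses numeric tuples rather than string comparison, an unparseable registry answer fails closed, and only the `enabled:` line of a rule's frontmatter is rewritten. The sample rule text and the `watch_once` helper are constructed.

```python
import re

RESOLVED_FROM = (1, 15, 0)   # page: axios@latest >= 1.15.0 means a release after recovery
FRONT = re.compile(r"\A---\n(.*?)\n---\n", re.S)   # hookify frontmatter delimiters

def parse_semver(tag):
    """'1.15.0' or 'v1.15.0-rc.1' -> (1, 15, 0). Tuple comparison avoids the string
    pitfall where '1.100.0' < '1.15.0' would wrongly read as 'not yet resolved'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"not a semver tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def incident_resolved(issue_state, latest_version):
    """Either signal suffices: tracking issue CLOSED, or registry 'latest' >= 1.15.0.
    An unparseable registry answer fails closed (rules stay enabled)."""
    if (issue_state or "").strip().upper() == "CLOSED":
        return True
    try:
        return parse_semver(latest_version or "") >= RESOLVED_FROM
    except ValueError:
        return False

def set_enabled(rule_text, enabled):
    """Flip only the 'enabled:' line inside the frontmatter; the block message body is untouched."""
    m = FRONT.match(rule_text)
    if not m:
        raise ValueError("no YAML frontmatter")
    front = re.sub(r"(?m)^enabled:.*$", f"enabled: {str(enabled).lower()}", m.group(1), count=1)
    return f"---\n{front}\n---\n{rule_text[m.end():]}"

def watch_once(issue_state, latest_version, rules):
    """One monitor pass over rule file contents (dict name -> text). Returns
    (resolved, updated_rules); rules are disabled only when a signal fired."""
    resolved = incident_resolved(issue_state, latest_version)
    if not resolved:
        return False, rules
    return True, {name: set_enabled(text, False) for name, text in rules.items()}

# Constructed rule file with the same shape as the repo's hookify.block-axios.local.md
SAMPLE_RULE = "---\nname: block-axios\nenabled: true\nevent: all\n---\nBLOCKED: axios installation.\n"
```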
### Credential Rotation Guide

A prioritized, step-by-step playbook for rotating every credential on a compromised machine.

Covers: npm tokens, GitHub PATs/SSH keys, cloud provider keys, CI/CD secrets, database credentials, .env secrets, Docker tokens, email accounts, browser passwords. Includes verification commands and machine remediation (reimage vs. clean-in-place).
## Installation

One-line install:

```bash
curl -sL https://raw.githubusercontent.com/parthalon025/axios-npm-attack/main/setup.sh | bash -s -- --all
```

| Flag | What it does |
|---|---|
| `--all` | Scan + hookify rules + resolution monitor |
| `--scan` | Run the IOC scanner (default: yes) |
| `--no-scan` | Skip the scanner |
| `--hookify` | Install axios hookify rules to .claude/ |
| `--hookify-all` | Install ALL hookify rules (security, git, quality, etc.) |
| `--monitor` | Install systemd timer for resolution monitoring |
Manual install:

```bash
git clone https://github.com/parthalon025/axios-npm-attack.git
cd axios-npm-attack

# Run the scanner
./supply-chain/detect-axios-rat.sh ~/projects

# Copy axios rules to your project
mkdir -p /path/to/your/project/.claude
cp supply-chain/hookify.block-axios*.local.md /path/to/your/project/.claude/

# Start the monitor
./supply-chain/axios-watch.sh --install-timer
```

## What Are Hookify Rules?

Hookify rules are markdown files with YAML frontmatter that integrate with Claude Code's hook system. When Claude Code attempts to run a command or edit a file that matches a rule's pattern, the rule fires — either warning the user or blocking the action entirely.
Rules live in your project's .claude/ directory. They take effect immediately — no restart required.
Example rule (hookify.block-axios.local.md):

```markdown
---
name: block-axios
enabled: true
event: all
conditions:
  - field: command
    operator: regex_match
    pattern: (npm|pnpm|yarn|bun)\s+(install|add|i)\s+.*axios
---
BLOCKED: axios installation — active supply chain attack.
Use fetch() or undici instead.
```

## Bonus: General Safety Rules

Beyond the axios-specific rules, this repo includes 16 general-purpose hookify rules organized by category. Copy whichever ones fit your workflow.
### Security

| Rule | Event | Action | Description |
|---|---|---|---|
| warn-dangerous-commands | bash | warn | Flags rm -rf, chmod 777, dd if=, mkfs |
| protect-sensitive-files | file | warn | Flags edits to .env, .pem, .key, credentials files |
| no-pii-or-secrets-in-code | file | warn | Detects private IPs (192.168.x, 10.0.x, 172.16-31.x) in source |
| no-bare-except-pass | file | block | Prevents silent except: pass — requires logging before fallback |
| block-shell-injection | file | block | Flags shell=True in Python |
| block-weak-crypto | file | block | Flags MD5/SHA-1 usage — suggests SHA-256 or bcrypt |
| warn-http-urls | file | warn | Flags unencrypted http:// URLs (except localhost) |

### Git

| Rule | Event | Action | Description |
|---|---|---|---|
| block-force-push | bash | block | Blocks git push --force — suggests --force-with-lease |
| branch-isolation | bash | warn | Reminds to check you're not on main before committing |
| check-tests-before-commit | bash | warn | Pre-commit checklist: tests, linter, correct files |
| no-git-add-all | bash | warn | Flags git add -A / git add . — stage specific files instead |

### Quality

| Rule | Event | Action | Description |
|---|---|---|---|
| no-console-log | file | warn | Flags console.log/debug/info in TypeScript/JavaScript |
| no-hardcoded-urls | file | warn | Flags hardcoded URLs in source (use env vars or config) |
| no-todo-in-code | file | warn | Flags TODO/FIXME/HACK — create an issue instead |
| warn-large-files | file | warn | Flags very large edits — consider splitting |

### CI/CD

| Rule | Event | Action | Description |
|---|---|---|---|
| venv-pip-guard | bash | warn | Flags .venv/bin/pip install — use python -m pip instead |

### Process

| Rule | Event | Action | Description |
|---|---|---|---|
| verify-before-done | stop | warn | Completion checklist: tests pass, build succeeds, nothing extra |
### Platform Support

| Tool | Linux | macOS | Windows |
|---|---|---|---|
| IOC Scanner (bash) | Yes | Yes | Git Bash / WSL |
| IOC Scanner (PowerShell) | — | — | Yes |
| Hookify Rules | Yes | Yes | Yes |
| Resolution Monitor (timer) | systemd | launchd | Task Scheduler (manual) |
| Setup Script | Yes | Yes | Git Bash / WSL |
| Credential Rotation Guide | Yes | Yes | Yes |
The IOC scanner checks platform-specific RAT artifacts on all three OSes regardless of which script you run. The PowerShell version uses native Windows APIs (Get-NetTCPConnection, Resolve-DnsName) for network checks.
## Attack Details

| Item | Detail |
|---|---|
| Date | March 31, 2026 |
| Package | axios (npm) |
| Compromised versions | 1.14.1, 0.30.4 |
| Attack vector | Maintainer npm account compromise |
| Payload | Cross-platform RAT via plain-crypto-js postinstall |
| Attribution | UNC1069 (North Korea) — Google Threat Intelligence Group |
| C2 server | 142.11.206.73 / sfrclak.com |
| IOC: Linux | /tmp/ld.py |
| IOC: macOS | /Library/Caches/com.apple.act.mond |
| IOC: Windows | %PROGRAMDATA%\wt.exe |
| Tracking | axios/axios#10604 |
Repository layout:

```text
.
├── setup.sh                                 # One-click installer
├── supply-chain/
│   ├── detect-axios-rat.sh                  # IOC scanner (Linux/macOS)
│   ├── detect-axios-rat.ps1                 # IOC scanner (Windows/PowerShell)
│   ├── axios-watch.sh                       # Resolution monitor + auto-disable
│   ├── credential-rotation-guide.md         # Post-compromise playbook
│   ├── hookify.block-axios.local.md         # Block axios install commands
│   └── hookify.block-axios-file.local.md    # Block axios imports in code
├── security/
│   ├── hookify.warn-dangerous-commands.local.md
│   ├── hookify.protect-sensitive-files.local.md
│   ├── hookify.no-pii-or-secrets-in-code.local.md
│   ├── hookify.no-bare-except-pass.local.md
│   ├── hookify.block-shell-injection.local.md
│   ├── hookify.block-weak-crypto.local.md
│   └── hookify.warn-http-urls.local.md
├── git/
│   ├── hookify.block-force-push.local.md
│   ├── hookify.branch-isolation.local.md
│   ├── hookify.check-tests-before-commit.local.md
│   └── hookify.no-git-add-all.local.md
├── quality/
│   ├── hookify.warn-large-files.local.md
│   ├── hookify.no-hardcoded-urls.local.md
│   ├── hookify.no-console-log.local.md
│   └── hookify.no-todo-in-code.local.md
├── ci-cd/
│   └── hookify.venv-pip-guard.local.md
└── process/
    └── hookify.verify-before-done.local.md
```
## References

- axios/axios#10604 — GitHub tracking issue
- StepSecurity: Axios Compromised on npm — Technical analysis and timeline
- SOCRadar: Axios npm Supply Chain Attack CISO Guide — Enterprise response guidance
## Contributing

Found another IOC? Have a hookify rule to share? PRs welcome.

- Fork this repo
- Add your rule to the appropriate category directory, or add a detection script to `supply-chain/`
- Follow the existing naming convention: `hookify.<action>-<description>.local.md`
- Test your rule or script
- Submit a PR describing what it detects or prevents

Reporting security issues: See SECURITY.md