Describe the bug
Microsoft Threat Intelligence has identified a critical supply chain attack affecting Axios versions 1.14.1 and 0.30.4. A North Korean state actor (Sapphire Sleet) injected a malicious install-time dependency (plain-crypto-js@4.2.1) into these versions.
During npm install, a post-install hook executes silently, without any user interaction, connects to an attacker-controlled C2 server, and deploys OS-specific Remote Access Trojans (RATs) on Windows, macOS, and Linux. We need to lock down our dependencies immediately so that neither automated update PRs (Dependabot/Renovate) nor floating version ranges (caret ^ / tilde ~) can pull these compromised versions into our project or CI/CD pipelines.
Steps To Reproduce
- Have a package.json that allows auto-updating of the axios dependency up to minor or patch versions (e.g., "axios": "^1.14.0" or "axios": "~0.30.0").
- Run npm install with no committed lockfile (or with a lockfile refresh), or allow an automated dependency bot to open a PR that bumps the package.
- The package manager resolves the range to the compromised version (1.14.1 or 0.30.4).
- The malicious plain-crypto-js@4.2.1 dependency is fetched, and its setup.js script automatically executes, pulling the secondary malware payload.
Expected Behavior
The project should be strictly pinned to a known safe version of Axios (e.g., 1.12.0, 1.14.0, or 0.30.3). Furthermore, package.json should use dependency overrides (the `overrides` field for npm, `resolutions` for Yarn) so that no transitive dependency can reintroduce the compromised Axios versions into the dependency tree.
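As an added example (not code from the original issue or from the Axios project), the following Node script performs the check this issue asks for, offline: it confirms the axios spec is an exact pin rather than a range, that an override/resolution entry exists, and that the lockfile does not already resolve to any of the versions named above. The two package.json/lockfile pairs embedded in it are constructed samples, one with the floating range from the reproduction steps and one in the hardened shape described under Expected Behavior; the function and constant names are this example's own.

```javascript
// Added example (not from the original issue or the Axios project): an offline
// check that a project's package.json and package-lock.json cannot resolve to
// the compromised Axios releases or to the malicious install-time dependency
// named in the report. Node built-ins only; the manifests below are constructed.
'use strict';

// Versions named in the issue. Extend this map as advisories are updated.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// An exact pin is "1.14.0". A caret/tilde range, wildcard, or dist-tag lets the
// resolver float to whatever the registry serves next, which is the failure mode.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Collect every name@version the lockfile would install. Handles the v2/v3
// "packages" map (keys like "node_modules/a/node_modules/b") and the v1 tree.
function lockfileVersions(lock) {
  const found = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = key.split('node_modules/').pop();
    if (entry.version) found.push({ name, version: entry.version });
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (entry.version) found.push({ name, version: entry.version });
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// Returns a list of human-readable findings; an empty list means the manifest
// and lockfile pass every check described in the issue.
function auditManifest(pkg, lock) {
  const findings = [];
  const spec = (pkg.dependencies || {}).axios ?? (pkg.devDependencies || {}).axios;
  if (spec !== undefined && !isExactPin(spec)) {
    findings.push(`axios spec "${spec}" is a range; pin an exact version`);
  }
  if (spec !== undefined && COMPROMISED.axios.has(spec)) {
    findings.push(`axios is pinned to compromised version ${spec}`);
  }
  // npm: "overrides"; Yarn: "resolutions"; pnpm: "pnpm.overrides".
  const overrides = pkg.overrides || pkg.resolutions || (pkg.pnpm || {}).overrides || {};
  if (overrides.axios === undefined) {
    findings.push('no axios entry in overrides/resolutions; transitive deps may pull any version');
  } else if (!isExactPin(overrides.axios)) {
    findings.push(`axios override "${overrides.axios}" is not an exact version`);
  }
  for (const { name, version } of lockfileVersions(lock)) {
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) {
      findings.push(`lockfile resolves ${name}@${version} (compromised)`);
    }
  }
  return findings;
}

// Constructed sample: the floating-range manifest from the reproduction steps
// and a lockfile that already picked up the bad release and its injected dependency.
const WEAK_PKG = { dependencies: { axios: '^1.14.0' } };
const WEAK_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '4.2.1' },
  },
};

// Constructed sample: the hardened manifest the issue asks for.
const HARDENED_PKG = {
  dependencies: { axios: '1.14.0' },
  overrides: { axios: '1.14.0' },
};
const HARDENED_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '1.14.0' } },
    'node_modules/axios': { version: '1.14.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', auditManifest(WEAK_PKG, WEAK_LOCK));
  console.log('hardened:', auditManifest(HARDENED_PKG, HARDENED_LOCK));
}
```

To run it against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`, and wire it into CI so a Dependabot/Renovate PR that bumps axios into a blocked version fails before merge. The `overrides` field requires npm 8.3 or newer; Yarn reads `resolutions` and pnpm reads `pnpm.overrides`. Because the attack runs from an install hook, setting `ignore-scripts=true` in the project's `.npmrc` also stops the hook from executing at all, at the cost of also disabling legitimate install scripts from other packages.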
Screenshots
https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
Device Information [optional]
- OS: Ubuntu
- Browser: Brave
- version:
Are you working on this issue?
Yes
Do you think this work might require an [Architectural Decision Record (ADR)]? (significant or noteworthy)
No