What Happened
Recently, attackers published two malicious versions of Axios—the npm HTTP client used by millions of JavaScript applications. Versions 1.14.1 and 0.30.4 introduced a dependency called 'plain-crypto-js' version 4.2.1 that functioned as a cross-platform remote access trojan. The attackers gained access through compromised npm credentials and staged the attack 18 hours in advance, pre-building three separate payloads targeting Windows, macOS, and Linux systems.
Timeline
T-18 hours: Attackers prepare three OS-specific payloads and stage infrastructure.
T-0: Malicious Axios versions 1.14.1 and 0.30.4 published to npm registry with 'plain-crypto-js' dependency.
T+unknown: StepSecurity and npm security teams identify the compromise.
T+detection: npm removes malicious versions; advisory issued recommending downgrade to versions 1.14.0 or 0.30.3.
Current: Organizations advised to rotate all credentials that may have been exposed.
Which Controls Failed or Were Missing
Account Credential Protection: Attackers obtained valid npm publishing credentials, indicating missing or inadequate multi-factor authentication or successful phishing.
Pre-publication Security Scanning: The malicious dependency passed npm's automated checks, which failed to detect the RAT behavior before publication.
Dependency Integrity Verification: Organizations lacked automated mechanisms to verify that the dependency tree matched expected patterns, failing to detect the sudden introduction of 'plain-crypto-js'.
Supply Chain Monitoring: The 18-hour staging window shows attackers had time to prepare without triggering alerts. No monitoring caught the unusual pattern of a mature package suddenly adding a new, suspicious dependency.
Least Privilege in CI/CD: Systems that automatically pulled and deployed the latest Axios versions had no controls preventing untrusted code from reaching production environments.
What the Relevant Standards Require
NIST 800-53 Rev 5 SR-3 (Supply Chain Controls): Requires security safeguards to protect against supply chain threats, including validating software package integrity and monitoring for unauthorized changes.
NIST 800-53 Rev 5 SR-4 (Provenance): Mandates documenting and monitoring the provenance of system components. A software bill of materials (SBOM) should capture dependencies and changes.
ISO 27001 Annex A.8.30 (Outsourced Development): Requires supervision and monitoring of outsourced system development, including third-party components. Verification controls are necessary even for popular packages.
PCI DSS v4.0.1 Requirement 6.3.2: Mandates review of custom and bespoke software prior to release to address coding vulnerabilities, extending to supply chain components.
NIST CSF v2.0 ID.SC-4: Requires a risk-based assessment of suppliers and third-party partners, including open-source dependencies like Axios.
Lessons and Action Items for Your Team
Enable MFA on All Package Registry Accounts: Enforce hardware token-based MFA for publishing to npm or any other registry. Credentials are often the starting point for compromises.
Implement Dependency Pinning and Lock Files: Specify exact versions in your package.json and commit lock files. Changes should be visible and reviewable.
Add SBOM Generation to Your Build Pipeline: Use tools like Syft or CycloneDX to generate a complete inventory of your dependencies at build time. Store these SBOMs with your release artifacts.
Deploy Automated Dependency Monitoring: Use tools like Snyk, Dependabot, or Socket.dev to alert on new dependencies in your supply chain. The sudden introduction of 'plain-crypto-js' should trigger an alert.
Create a Dependency Update Policy That Requires Review: Require pull requests for all dependency changes, even patch versions, and have a human review what's changing and why.
Scan Dependencies for Behavioral Anomalies: Use tools that detect suspicious behaviors like network calls to unexpected domains or obfuscated code.
Maintain an Incident Response Plan for Supply Chain Compromises: Have a playbook ready for isolating affected systems, rotating credentials, assessing data exposure, and notifying stakeholders.
Implement Network Egress Filtering: Limit production environments to reach only explicitly allowed destinations to reduce damage from malicious code.
The Axios incident shows that supply chain attacks don't need zero-day exploits—just compromised credentials and patience. Your controls must assume that popular packages can be compromised and build verification into every step from registry to production.
Start with the action items above. Pick three you can implement this quarter. Supply chain security is a discipline you practice every time you run npm install.
