
Outage in LIMA Networks

Security Alert: Axios npm Supply Chain Attack

Resolved Major
March 31, 2026 - Started 21 days ago - Lasted about 21 hours

Incident Report

On March 30–31, 2026, two malicious versions of the widely used axios HTTP client library were published to npm: axios@1.14.1 and axios@0.30.4. They were pushed directly with the compromised npm credentials of the primary axios maintainer, bypassing the project's GitHub Actions CI/CD pipeline, so the normal release workflow never ran.

Neither malicious version contains harmful code inside axios itself. Instead, both add a new dependency, plain-crypto-js@4.2.1, whose sole purpose is to run a postinstall script that deploys a cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux.

The dropper contacts a live command-and-control server, fetches platform-specific second-stage payloads, then deletes itself and replaces its own package.json with a clean decoy, leaving no visible trace in node_modules.

The malicious versions were removed from npm by 03:29 UTC, but any CI/CD pipeline, developer environment, or build system that pulled a fresh install during that window with lifecycle scripts enabled could have been compromised. An install run with scripts disabled (npm install --ignore-scripts) would have fetched the package without running its postinstall hook, but the malicious dependency would still be present and must be removed.

How to remediate:
Check whether you are affected. Look for axios@1.14.1 or axios@0.30.4 in your lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) and in the installed tree (npm ls axios), and look for a plain-crypto-js directory anywhere under node_modules. The directory alone is the indicator, because the dropper leaves only a clean-looking decoy package.json behind.

Downgrade immediately. Pin axios to exactly 1.14.0 (1.x users) or 0.30.3 (0.x users), not a range that could resolve to the bad version.

Remove the malicious package. Delete node_modules/plain-crypto-js and reinstall with npm install --ignore-scripts. This skips every package's lifecycle scripts, including legitimate ones, so rebuild native dependencies (npm rebuild) only once the tree is confirmed clean.

Check for RAT artifacts:
macOS: /Library/Caches/com.apple.act.mond
Windows: %PROGRAMDATA%\wt.exe
Linux: /tmp/ld.py

Rotate all credentials on affected systems: npm tokens, cloud keys, SSH keys, and CI/CD secrets. Assume anything readable by the user that ran the install was exposed.

Audit CI/CD pipelines for runs that installed the affected versions, and block egress traffic to the C2 domain sfrclak[.]com.
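The checks above, collected into one triage script. This is an added example, not LIMA Networks' or the axios project's own tooling: it assumes the indicators exactly as listed in this report, the function names and the ARTIFACT_ROOT override are this example's own, and the Windows artifact (%PROGRAMDATA%\wt.exe) is left to a PowerShell check. The exit status of main is 0 when no indicator is found and 1 otherwise, so it can gate a CI job.

```shell
#!/usr/bin/env bash
# Added triage script for the axios@1.14.1 / axios@0.30.4 indicators above.
# Not LIMA Networks' or the axios project's own tooling; function names and
# the ARTIFACT_ROOT knob are this example's own.
set -u

BAD_AXIOS_VERSIONS="1.14.1 0.30.4"
BAD_DEP="plain-crypto-js"
C2_DOMAIN="sfrclak.com"   # defanged as sfrclak[.]com in the report

# Lockfiles: read the version recorded for every axios entry (nested copies
# included) in package-lock.json / npm-shrinkwrap.json / yarn.lock and compare
# it to the malicious versions. Prints one line per hit; returns 0 on a hit,
# 1 if clean (grep semantics).
lockfile_hits() {
  local dir="$1" f v hit=1
  for f in package-lock.json npm-shrinkwrap.json yarn.lock; do
    [ -f "$dir/$f" ] || continue
    awk -v bad="$BAD_AXIOS_VERSIONS" '
      BEGIN { n = split(bad, b, " ") }
      # npm: "node_modules/.../axios": {   yarn: "axios@^1.14.0":
      /"(.*\/)?axios": *[{]/ || /^"?axios@/ { inpkg = 1; next }
      inpkg && /version/ {
        v = $0; sub(/.*version"? *:? */, "", v); gsub(/[",]/, "", v)
        for (i = 1; i <= n; i++) if (v == b[i]) { print FILENAME ": axios@" v; found = 1 }
        inpkg = 0
      }
      END { exit found ? 0 : 1 }' "$dir/$f" && hit=0
  done
  # pnpm-lock.yaml spells the resolved package as axios@<version>.
  if [ -f "$dir/pnpm-lock.yaml" ]; then
    for v in $BAD_AXIOS_VERSIONS; do
      grep -q "axios@$v" "$dir/pnpm-lock.yaml" && { echo "$dir/pnpm-lock.yaml: axios@$v"; hit=0; }
    done
  fi
  return $hit
}

# Installed tree: every axios/package.json (nested copies included) plus any
# plain-crypto-js directory. The directory alone counts, because the dropper
# erases its code and leaves a clean-looking decoy package.json behind.
installed_hits() {
  local dir="$1" hit=1 out
  [ -d "$dir/node_modules" ] || return 1
  out=$(find "$dir/node_modules" -type f -path '*/axios/package.json' 2>/dev/null |
    while IFS= read -r pj; do
      v=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
      for bad in $BAD_AXIOS_VERSIONS; do
        if [ "$v" = "$bad" ]; then echo "$pj: axios@$v"; fi
      done
    done)
  if [ -n "$out" ]; then echo "$out"; hit=0; fi
  out=$(find "$dir/node_modules" -type d -name "$BAD_DEP" 2>/dev/null)
  if [ -n "$out" ]; then echo "$out: malicious dependency directory present"; hit=0; fi
  return $hit
}

# Filesystem artifacts from the report. ARTIFACT_ROOT (default: the real root)
# lets the same check run against a mounted disk image or a test tree.
artifact_hits() {
  local root="${ARTIFACT_ROOT:-}" hit=1 p
  for p in /tmp/ld.py /Library/Caches/com.apple.act.mond; do
    if [ -e "$root$p" ]; then echo "$root$p: RAT artifact present"; hit=0; fi
  done
  return $hit
}

main() {
  local dir="${1:-.}" status=0
  echo "== axios supply-chain triage: $dir"
  lockfile_hits "$dir" && status=1
  installed_hits "$dir" && status=1
  artifact_hits && status=1
  if [ "$status" -eq 0 ]; then
    echo "no indicators found"
    return 0
  fi
  cat <<EOF
Indicators found. Remediation from the incident report:
  * pin axios to 1.14.0 (1.x) or 0.30.3 (0.x) and refresh the lockfile
  * rm -rf node_modules/$BAD_DEP, then: npm install --ignore-scripts
  * rotate npm tokens, cloud keys, SSH keys and CI/CD secrets used on this host
  * block egress to $C2_DOMAIN; audit CI runs that installed the bad versions
EOF
  return 1
}

# Runs only when saved and invoked as axios-triage.sh, so the functions can
# also be sourced from another script.
case "${0##*/}" in axios-triage.sh) main "$@" ;; esac
```

Save it as axios-triage.sh and run `./axios-triage.sh /path/to/project` on each checkout and build agent; a non-zero exit means at least one indicator matched and the host should be treated as compromised until the credential rotation and C2 block are done.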

Latest update posted 03/31/2026 02:48 PM (21 days ago).


