A one-file bash scanner to detect the March 2026 axios npm supply-chain compromise on your machine.
On March 31, 2026, a compromised maintainer account published malicious versions of the axios npm package:
- `axios@1.14.1`
- `axios@0.30.4`

Both versions pulled in a fake dependency, `plain-crypto-js@4.2.1`, whose postinstall hook installed a cross-platform Remote Access Trojan (macOS, Windows, Linux). The malicious versions were tagged `latest`, so any `npm install` during the window could have been affected. The campaign has been attributed to the North Korean threat actor Sapphire Sleet.
One-liner (quickest):

```bash
curl -O https://raw.githubusercontent.com/yzzztech/axios-supply-chain-scanner/main/axios-scan.sh && chmod +x axios-scan.sh && ./axios-scan.sh
```

Step by step:

```bash
curl -O https://raw.githubusercontent.com/yzzztech/axios-supply-chain-scanner/main/axios-scan.sh
chmod +x axios-scan.sh
./axios-scan.sh            # scans $HOME
./axios-scan.sh ~/projects # scans a specific path
```

Exit code is 0 if clean, 1 if a compromised artifact is found — so you can drop it into CI.
For every `package.json`, `package-lock.json`, `yarn.lock`, and `pnpm-lock.yaml` under the target path (skipping `node_modules`, `.git`, `.venv`, etc.), it flags:

- The exact strings `axios@1.14.1` or `axios@0.30.4`
- Any reference to `plain-crypto-js` (strongest signal — this package should not exist in your tree at all)
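The check described above, written out as an added example (this is not the repo's `axios-scan.sh`): a fixed-string `grep` over the four manifest and lockfile names, pruning `node_modules`/`.git`/`.venv`, with the same exit-code contract. The fixture it runs against is constructed here for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the repo's axios-scan.sh: a minimal re-implementation of the
# check the README describes. Fixed-string search over manifests and lockfiles,
# skipping node_modules/.git/.venv; exit 0 when clean, 1 on any hit, 2 on grep error.

# scan_axios_indicators [DIR]  (DIR defaults to $HOME, like the original scanner)
# Prints "file:indicator" for every hit so the output can be pasted into a ticket.
scan_axios_indicators() {
  local root="${1:-$HOME}" out status
  out="$(grep -rHoF \
      --include=package.json --include=package-lock.json \
      --include=yarn.lock --include=pnpm-lock.yaml \
      --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=.venv \
      -e 'axios@1.14.1' -e 'axios@0.30.4' -e 'plain-crypto-js' \
      -- "$root")"
  status=$?
  case "$status" in
    0) printf '%s\n' "$out"; return 1 ;;  # indicators present -> fail the build
    1) return 0 ;;                        # grep matched nothing -> clean
    *) return 2 ;;                        # grep itself failed (unreadable path etc.)
  esac
}

# Constructed fixture (not real project data): one clean tree and one carrying the
# fake dependency. Prints the fixture root on stdout.
make_fixture() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/clean" "$d/hit/node_modules/plain-crypto-js"
  printf '{ "dependencies": { "axios": "1.13.6" } }\n' > "$d/clean/package.json"
  # A package.json pin is written "axios": "1.14.1", so the axios@ form only shows up
  # in lockfiles; the plain-crypto-js name is what matches in package.json.
  printf '{ "dependencies": { "axios": "1.14.1", "plain-crypto-js": "4.2.1" } }\n' \
    > "$d/hit/package.json"
  printf 'axios@1.14.1:\n  version "1.14.1"\n' > "$d/hit/yarn.lock"
  # Lives under node_modules, so the scan must skip it even though the name matches.
  printf '{ "name": "plain-crypto-js" }\n' > "$d/hit/node_modules/plain-crypto-js/package.json"
  printf '%s\n' "$d"
}

# Demo run against the fixture; use `scan_axios_indicators ~/projects` for a real tree.
fixture="$(make_fixture)"
scan_axios_indicators "$fixture/clean" && echo "clean tree: exit 0"
scan_axios_indicators "$fixture/hit" || echo "hit tree: exit $?"
rm -rf "$fixture"
```

Note that `package-lock.json` v2/v3 records the version under a `"node_modules/axios"` key rather than as `axios@1.14.1`, so in that file the `plain-crypto-js` string is the indicator that actually fires.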
If the scan finds a hit:

- Pin axios to a safe version (e.g. `1.13.6`) in `package.json`, or use an `overrides` block: `"overrides": { "axios": "1.13.6" }`
- Delete `node_modules` and the lockfile, then reinstall clean.
- Rotate secrets that touched the affected machine or CI runner: npm tokens, SSH keys, cloud credentials, `.env` values, browser sessions.
- Treat the host as potentially compromised — scan for unknown outbound connections and review `postinstall` logs since 2026-03-31. Ideally reimage dev/CI machines that ran the bad install.
MIT. Share freely.