Axios npm Supply Chain Attack: When 100M Weekly Downloads Get Compromised
The Axios npm package was compromised with a remote access trojan that exfiltrated source files. Here is what happened and why code mutation is your last line of defense.
The Attack That Hit 100 Million Weekly Downloads
In 2025, the Axios npm package -- one of the most widely used HTTP client libraries in the JavaScript ecosystem with over 100 million weekly downloads -- was compromised. Malicious versions 1.14.1 and 0.30.4 were published with a dependency on a package called "plain-crypto-js" that contained a remote access trojan (RAT).
This was not a theoretical vulnerability. The RAT had real capabilities:
- **runscript**: Execute arbitrary commands on the developer's machine - **peinject**: Inject code into running processes - **rundir**: Enumerate and exfiltrate directory contents - **kill**: Terminate processes to cover tracks
On installation, the malicious postinstall script sent a "FirstInfo" beacon to the attacker's command-and-control server. The beacon included the machine's unique identifier, operating system details, and a snapshot of directory structures -- effectively mapping out every project on the developer's machine.
The Supply Chain Attack Pattern
This attack followed a pattern that has become disturbingly common in the npm ecosystem:
1. Compromise a widely-used package (or publish a typosquat) 2. Add a dependency that looks legitimate ("plain-crypto-js" sounds like a crypto utility) 3. Use the postinstall hook to execute code immediately on `npm install` 4. Establish persistence and begin exfiltration
What makes supply chain attacks uniquely dangerous for AI-era development is the combination: the RAT has access to your source files AND your developers are actively sending those files to AI APIs. The attacker gets your code from two vectors simultaneously.
---
What the Axios RAT Actually Stole
The `rundir` capability is the one that should terrify every engineering leader. It did not just list file names. It captured directory structures with enough detail to understand your project architecture:
// What the RAT's rundir command exfiltrated
{
"uid": "a4f2b9c1-machine-id",
"os": "darwin-arm64",
"dirs": [
{
"path": "/Users/dev/company/payment-service",
"files": [
"src/processors/StripePaymentProcessor.ts",
"src/processors/PayPalGatewayAdapter.ts",
"src/fraud/RealTimeFraudScorer.ts",
"src/fraud/ChargebackPredictor.ts",
"src/webhooks/StripeWebhookHandler.ts",
"src/models/TransactionLedger.ts"
]
}
]
}Even without reading the file contents, that directory listing reveals: your payment providers (Stripe and PayPal), your fraud detection approach (real-time scoring with chargeback prediction), and your internal architecture (processor pattern with adapters). A competitor or attacker can reconstruct your technical strategy from file names alone.
Now imagine the RAT also exfiltrates actual file contents using `runscript`. The attacker gets your complete source code -- variable names, business logic, proprietary algorithms, API keys embedded in config files.
---
Why Pre-Commit Scanning Matters
The first defense layer is catching compromised dependencies before they enter your codebase. Pretense's scanner detects suspicious patterns in newly-installed packages:
Scanning node_modules for suspicious patterns...
CRITICAL: plain-crypto-js@1.0.3 - postinstall script detected: "node scripts/setup.js" - Network calls to unknown host: 45.76.xxx.xxx - File system enumeration: fs.readdirSync used recursively - Process injection: child_process.exec with encoded payload
Recommendation: Remove immediately. Run: npm uninstall plain-crypto-js
WARNING: axios@1.14.1 - New dependency added: plain-crypto-js (not in previous lockfile) - Version published < 24 hours ago - Maintainer account activity anomaly detected
Recommendation: Pin to axios@1.13.7 until verified ```
But pre-commit scanning is only the first layer. Supply chain attacks are an arms race -- attackers constantly evolve their techniques to evade detection. You need a defense that works even when a RAT successfully installs and begins exfiltrating.
---
Code Mutation: Your Last Line of Defense
Here is the critical insight: even if a supply chain attack successfully compromises a developer's machine and exfiltrates source files, Pretense's mutation map means the stolen code is far less valuable.
When Pretense is active, the source files on disk contain your real identifiers. But every AI interaction has already been logged and mapped. If an attacker steals your source files, you have a complete audit trail of what identifiers exist in your codebase. More importantly, if the attacker tries to USE the stolen code with AI tools to understand or extend it, those interactions would also be mutated if they pass through any Pretense-protected network.
// Your actual source file (what the RAT steals)
export class StripePaymentProcessor {
async processPayment(order: Order): Promise<PaymentResult> {
const fraudScore = await this.fraudEngine.score(order);
if (fraudScore > FRAUD_THRESHOLD) {
return this.flagForReview(order);
}
return this.stripe.charges.create({
amount: order.totalCents,
source: order.paymentToken,
});
}// What the AI API sees (mutated by Pretense) export class _cls4f2a { async _fn7b3c(_v2d4e: _cls8a1b): Promise<_cls3c5d> { const _v9e6f = await this._v1a2b._fn4c5d(_v2d4e); if (_v9e6f > _v7d8e) { return this._fn2e3f(_v2d4e); } return this._v5f6a._v8b9c._fn1d2e({ amount: _v2d4e._v3e4f, source: _v2d4e._v6a7b, }); } } ```
The mutation creates a semantic gap. Even if an attacker has your real source files from the RAT AND intercepts your AI traffic, the two data sets do not correlate without the mutation map -- which never leaves your machine.
---
The Defense-in-Depth Stack
Supply chain attacks require defense in depth. No single tool stops everything. Here is the layered approach:
**Layer 1: Lockfile integrity.** Use `npm ci` instead of `npm install`. Pin exact versions. Review lockfile diffs in every PR.
**Layer 2: Pre-commit scanning.** `pretense scan pre-commit` detects suspicious postinstall scripts, unexpected network calls, and anomalous package additions.
**Layer 3: Runtime mutation.** Every AI API call goes through Pretense proxy. Even if malware is present on the machine, AI interactions are protected.
**Layer 4: Audit trail.** Complete log of every identifier mutation, every AI request, every file scanned. When incident response begins, you have the forensics.
# Full defense setup
pretense init # Scan codebase, build mutation profile
pretense start # Start proxy on localhost:9339
echo 'pretense scan pre-commit' >> .husky/pre-commit # Pre-commit hook---
Supply Chain Attacks Are Getting More Sophisticated
The Axios incident is not an isolated event. In 2024-2025 alone, we saw compromises of event-stream, ua-parser-js, colors.js, and dozens of other popular packages. The npm ecosystem's trust model -- where any maintainer can publish any code at any time -- is fundamentally incompatible with the security requirements of enterprise software development.
When you combine supply chain risk with AI tool adoption, the attack surface multiplies. A single compromised dependency can simultaneously steal your source code AND observe how your developers interact with AI tools.
Pretense cannot prevent supply chain attacks. No single tool can. But it ensures that even when an attacker succeeds in compromising your development environment, the data they steal from AI interactions is synthetic, and your real code identifiers remain protected behind a mutation map that never leaves your infrastructure.
Protect Your Code Today
Pretense is the AI firewall that mutates proprietary code before it reaches any LLM API. Install in 30 seconds and protect your team's intellectual property.
curl -fsSL https://pretense.ai/install.sh | sh
pretense init
pretense startShare this article