Axios NPM Supply Chain Compromise Scanner — Linux/Python Port

A forensic scanner for the Axios NPM supply chain attack discovered in March 2026, ported from PowerShell to Python 3.9 for Linux environments.

Further reading: Axios Supply Chain Attack Pushes Cross-Platform Malware — The Hacker News


The Attack

In late March 2026, malicious versions of the popular axios npm package (1.14.1 and 0.30.4) were published to the npm registry. These versions included a dependency on plain-crypto-js@4.2.1, a package that runs a postinstall dropper script (setup.js) on installation.

The dropper:

  • Exfiltrates credentials (SSH keys, GitHub tokens, .npmrc, AWS/GCP keys, kubeconfig)
  • Installs a persistent backdoor via cron, systemd timers, or shell RC injection
  • Establishes an encrypted C2 (command-and-control) channel to sfrclak.com / 142.11.206.73:8000 using XOR encoding (key: OrDeR_7077)
  • Drops ELF binaries or scripts in temp directories for later execution

Any developer who ran npm install with an affected axios version between 2026-03-31 00:21 UTC and patch availability should consider their machine compromised and all credentials on it exposed.


Requirements

  • Python 3.9 or later
  • Standard library only — no pip install required
  • Linux (Ubuntu, Debian, RHEL, Arch, etc.)
  • npm installed (optional — check 4 and its sub-checks degrade gracefully if absent)
  • ss command available (optional — falls back to /proc/net/tcp if absent)

How to Run

Quick scan (scans your home directory)

python3 axios_scanner.py --path ~

Full system scan

python3 axios_scanner.py

Defaults to / and expands it to all top-level directories, skipping /proc, /sys, /dev, /run, and /snap. You will be prompted to confirm before the scan starts.

Targeted scan

python3 axios_scanner.py --path /home/user/projects /opt/apps

All options

usage: axios_scanner.py [-h] [--path PATH [PATH ...]] [--output DIR] [--threads N]

optional arguments:
  --path PATH [PATH ...]  Paths to scan (default: /)
  --output DIR            Output directory for reports (default: /tmp)
  --threads N             Parallel threads for checks 2 & 3 (default: 4)

Run the test suite

python3 -m unittest discover -s tests -t . -v

Exit codes

Code   Meaning
0      Clean — no evidence of compromise found
1      Compromised — one or more checks found evidence

What the Scanner Does — 9 Checks + Reports

Check 1 — Node.js Project Discovery

Walks the specified paths looking for package.json files to identify all Node.js projects present on the system. Directories named node_modules are skipped to avoid false positives inside dependency trees. The discovered project list is passed to Checks 2 and 3.

Checks 2 & 3 — Lockfile Analysis + Forensic Artifacts (run in parallel)

Check 2 — Lockfile Analysis

Reads the lockfile for each discovered project (package-lock.json, yarn.lock, or pnpm-lock.yaml) and checks whether the resolved axios version is one of the two malicious versions (1.14.1 or 0.30.4), and whether plain-crypto-js@4.2.1 (the dropper) is present. This is the primary indicator that a project installed the malicious package.
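As an added illustration of the lockfile check (example code written for this README, not the scanner's own implementation), the following stdlib-only Python walks a package-lock.json in either the v1 "dependencies" layout or the v2/v3 "packages" layout and reports the two indicators; the sample lockfile is constructed inline.

```python
import json

# IOCs from this README: the two malicious axios releases and the dropper package.
MALICIOUS_AXIOS = {"1.14.1", "0.30.4"}
DROPPER = ("plain-crypto-js", "4.2.1")

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project's lockfile.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (the innermost installed package)."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_package_lock(text):
    """Return (package, version, reason) for every malicious entry in a package-lock.json string.
    lockfileVersion 2/3 list installed packages under 'packages' keyed by path; lockfileVersion 1
    nests them under 'dependencies' keyed by name, with deduplicated subtrees nested further."""
    lock = json.loads(text)
    findings = []

    def check(name, version):
        if name == "axios" and version in MALICIOUS_AXIOS:
            findings.append((name, version, "malicious axios version"))
        elif (name, version) == DROPPER:
            findings.append((name, version, "dropper package present"))

    def walk_v1(deps):
        for name, meta in deps.items():
            check(name, meta.get("version"))
            walk_v1(meta.get("dependencies", {}))

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project entry, not an installed package
                check(_name_from_path(path), meta.get("version"))
    else:
        walk_v1(lock.get("dependencies", {}))
    return findings
```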

Check 3 — Forensic Artifacts

Inspects each project's node_modules/plain-crypto-js/ directory for physical evidence:

  • Presence of the plain-crypto-js directory itself
  • SHA-256 hash of setup.js compared against the known malicious hash (e10b1fa8...) — a mismatch flags it as a possible variant
  • Scans all .js files in the project for embedded C2 indicators (sfrclak.com, 142.11.206.73)

Check 4 — npm Cache Scan

Scans the npm package cache (~/.npm/_cacache/index-v5) for cached tarballs of plain-crypto-js@4.2.1 and malicious axios versions. Also checks the global npm installation directory (npm root -g) for globally installed copies. Even if node_modules/ has been deleted, the cache may retain evidence of the attack.

Check 5 — Dropped Payload Detection

Scans temp directories (/tmp, /var/tmp, ~/.cache, ~/.local/share) for files created after the attack window start (2026-03-31 00:21 UTC):

  • ELF binaries (detected by the \x7fELF magic header) → Critical
  • Suspicious scripts (.sh, .py, .js, .pl) → High

Files pre-dating the attack window are ignored. Each flagged file includes its SHA-256 hash for further forensic analysis.

Check 6 — Persistence Mechanism Detection

Checks four locations for attacker-planted persistence, all filtered to entries modified after the attack window:

  • crontab -l — user's crontab for entries referencing /tmp, node, npm, or .js files
  • Cron files — /etc/crontab, /etc/cron.d/, /etc/cron.daily/, /etc/cron.hourly/
  • Systemd user units — ~/.config/systemd/user/ for .service and .timer files with suspicious ExecStart= lines
  • Shell RC files — ~/.bashrc, ~/.bash_profile, ~/.profile, ~/.zshrc for injected PATH entries or loader commands

Check 7 — XOR-Encoded C2 Indicator Scan

The malware encodes its C2 callback data using XOR with key OrDeR_7077 and a bitmask of 333 & 0xFF (= 0x4D). This check scans binary and script files in temp and config directories, XOR-decodes their contents, and looks for the C2 domain (sfrclak.com) or IP (142.11.206.73) in the decoded output. Detection here means a dropped payload is actively configured to beacon home.
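An added example of the decode-and-search logic behind this check (written for this README, not the scanner's own code). The README gives the key and the mask but not how the two are combined, so rather than assume one scheme the example tries key-only, mask-only and key-plus-mask decodings at every key alignment; the encoded blob is a constructed fixture, not a real dropper artifact.

```python
XOR_KEY = b"OrDeR_7077"
XOR_MASK = 333 & 0xFF  # == 0x4D, as stated in the IOC table
INDICATORS = (b"sfrclak.com", b"142.11.206.73")


def xor_transform(data, key=b"", mask=0, offset=0):
    """Repeating-key XOR starting at key position `offset`, combined with a single-byte mask.
    XOR is its own inverse, so the same call both encodes and decodes."""
    if not key:
        return bytes(b ^ mask for b in data)
    return bytes(b ^ key[(i + offset) % len(key)] ^ mask for i, b in enumerate(data))


def candidate_decodings(data):
    """Yield (label, decoded bytes) for every decoding this check tries.
    Assumption: the README gives key and mask but not how they combine, so key-only,
    mask-only and key+mask are all tried, at every key alignment (an embedded string
    rarely starts on a key boundary)."""
    yield "plaintext", data
    yield "mask", xor_transform(data, mask=XOR_MASK)
    for off in range(len(XOR_KEY)):
        yield f"key@{off}", xor_transform(data, XOR_KEY, 0, off)
        yield f"key+mask@{off}", xor_transform(data, XOR_KEY, XOR_MASK, off)


def find_xor_encoded_iocs(data):
    """Return sorted (transform, indicator) pairs whose decoding reveals a C2 indicator."""
    hits = set()
    for label, decoded in candidate_decodings(data):
        for ioc in INDICATORS:
            if ioc in decoded:
                hits.add((label, ioc.decode()))
    return sorted(hits)


def scan_file(path):
    """Apply the check to one file on disk (the scanner walks temp and config directories)."""
    with open(path, "rb") as f:
        return find_xor_encoded_iocs(f.read())


# Constructed test fixture, not a real dropper artifact: a config-like string holding the C2
# domain, encoded with key+mask starting at key position 3.
SAMPLE_BLOB = xor_transform(b"host=sfrclak.com;port=8000", XOR_KEY, XOR_MASK, 3)
```

Because every candidate transform is applied to every file, the indicator strings are kept long (11+ bytes) so a chance match in unrelated binary data is practically impossible.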

Check 8 — Network Evidence

Looks for evidence the C2 channel was or is active:

  • Active connections — runs ss -tnp (falls back to /proc/net/tcp) and checks for established connections to 142.11.206.73:8000 → Critical
  • Hosts file — reads /etc/hosts for entries mapping the C2 IP or domain → Critical
  • Syslog — scans /var/log/syslog and /var/log/auth.log for logged connections to either C2 indicator → High
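An added example of the /proc/net/tcp fallback (written for this README, not the scanner's own code): the kernel writes each IPv4 endpoint as a hex word in host byte order followed by a hex port, so on the little-endian hosts this scanner targets the C2 endpoint 142.11.206.73:8000 appears as 49CE0B8E:1F40. The sample table is constructed, not captured from a real host.

```python
import socket
import struct

C2_IP, C2_PORT = "142.11.206.73", 8000
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp (not captured from a real host). Row 1 is an established
# connection from 192.168.0.15 to the C2 endpoint; rows 0 and 2 are benign.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 21005 1 0000000000000000 100 0 0 10 0
   1: 0F00A8C0:B5C4 49CE0B8E:1F40 01 00000000:00000000 00:00000000 00000000  1000        0 33521 1 0000000000000000 20 4 30 10 -1
   2: 0F00A8C0:8ED2 4E1F7B8E:01BB 06 00000000:00000000 03:00000A1E 00000000     0        0 0 3 0000000000000000
"""


def decode_endpoint(hex_addr):
    """'49CE0B8E:1F40' -> ('142.11.206.73', 8000).
    The address is a 32-bit word in host byte order; on little-endian x86/ARM hosts
    (assumed here) that means the octets appear reversed."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def find_c2_connections(proc_net_tcp_text, c2_ip=C2_IP, c2_port=C2_PORT):
    """Return (state, local_ip, local_port, inode) for each socket whose peer is the C2 endpoint.
    Any state is evidence: ESTABLISHED means the channel is live now, TIME_WAIT or CLOSE_WAIT
    shows a recent beacon. The inode can be matched to a PID through /proc/*/fd."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, remote, state, inode = fields[1], fields[2], fields[3], fields[9]
        rip, rport = decode_endpoint(remote)
        if rip == c2_ip and rport == c2_port:
            lip, lport = decode_endpoint(local)
            hits.append((TCP_STATES.get(state, state), lip, lport, inode))
    return hits


def scan_live_host():
    """Run the check against the real kernel table (IPv4 only; /proc/net/tcp6 is not covered)."""
    with open("/proc/net/tcp") as f:
        return find_c2_connections(f.read())
```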

Step 9 — Report Generation

Produces two output files in the specified --output directory (default /tmp), both set to chmod 600:

Technical Forensic Report (Axios-Scan-<hostname>-<timestamp>.txt)

A full investigator-grade report covering all findings, IOC reference data, a list of credentials at risk, and step-by-step remediation instructions.

Executive Security Briefing (ExecBriefing-<hostname>-<timestamp>.txt)

A non-technical summary showing a pass/fail table for all 8 checks, the overall verdict, and immediate action steps for security management. Includes a SHA-256 integrity hash of the technical report.


IOC Reference

Indicator                 Value
Malicious axios versions  1.14.1, 0.30.4
Dropper package           plain-crypto-js@4.2.1
Known setup.js SHA-256    e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
C2 domain                 sfrclak.com
C2 IP                     142.11.206.73
C2 port                   8000
XOR key                   OrDeR_7077
XOR mask                  333 & 0xFF = 0x4D
Attack window start       2026-03-31 00:21 UTC

If Compromised

Immediate actions:

  1. Disconnect the machine from the network
  2. Do not continue using the machine for any work
  3. Notify your Security Incident Response team
  4. Preserve a forensic disk image before making changes

Within 24 hours — rotate all credentials on this machine:

  • SSH private keys
  • GitHub / GitLab / Bitbucket personal access tokens
  • npm publish tokens
  • AWS / GCP / Azure access keys
  • Kubernetes kubeconfig tokens
  • Docker registry credentials
  • Any secrets in .env files

Lockfile cleanup (even if clean — remove the malicious version):

npm install axios@latest
npm cache clean --force
rm -rf node_modules
npm install
