Elastic Security Labs is releasing an initial triage and detection rules for the Axios supply-chain compromise, with a detailed analysis to follow in a future publication. Elastic Security Labs states that it filed a GitHub Security Advisory against the axios repository on 31 March 2026 at 01:50 AM UTC to coordinate disclosure and act on the compromised versions.
The campaign involves malicious Axios package versions, notably 1.14.1 and 0.30.4, which pull a transitive dependency, plain-crypto-js@4.2.1, that executes during postinstall to deploy a second-stage payload across Linux, Windows and macOS.
Across platforms, the pattern begins with a Node.js process spawning an OS-native execution path to fetch a remote payload and then detaching or hiding the subsequent activity. On Linux this is a curl/wget-based download followed by nohup backgrounding; on Windows a renamed PowerShell proxy; on macOS AppleScript execution before a Mach-O backdoor is launched. Elastic's detections focus on the delivery stage, emphasising process ancestry, network retrieval, and detached execution rather than static indicators.
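As an added illustration of the ancestry-based approach described above (example code written for this page, not Elastic's published rules), the following detector walks the parent chain of constructed process events and flags the four delivery-stage behaviours on their own only when a Node.js process is an ancestor. The field names host, pid, ppid, name, original and args are assumed, loosely mirroring ECS process fields, with original standing in for the PE original file name that exposes a renamed PowerShell binary.

```python
# Assumed event schema: host, pid, ppid, name, args, and optional "original"
# (PE original file name); these names are illustrative, not an ECS mapping.
DOWNLOADERS = {"curl", "wget"}

# Constructed telemetry, not real indicators: Linux, Windows and macOS chains
# rooted in Node.js, plus a benign curl from an interactive shell (no Node.js ancestor).
EVENTS = [
    {"host": "lnx", "pid": 10, "ppid": 1, "name": "node", "args": ["node", "/usr/bin/npm", "install"]},
    {"host": "lnx", "pid": 11, "ppid": 10, "name": "sh", "args": ["sh", "-c", "node postinstall.js"]},
    {"host": "lnx", "pid": 12, "ppid": 11, "name": "curl", "args": ["curl", "-fsSL", "http://example.invalid/stage2"]},
    {"host": "lnx", "pid": 13, "ppid": 11, "name": "nohup", "args": ["nohup", "/tmp/stage2"]},
    {"host": "win", "pid": 20, "ppid": 1, "name": "node.exe", "args": ["node.exe", "postinstall.js"]},
    {"host": "win", "pid": 21, "ppid": 20, "name": "svc.exe", "original": "PowerShell.EXE", "args": ["svc.exe", "-w", "hidden"]},
    {"host": "mac", "pid": 30, "ppid": 1, "name": "node", "args": ["node", "postinstall.js"]},
    {"host": "mac", "pid": 31, "ppid": 30, "name": "osascript", "args": ["osascript", "-e", "..."]},
    {"host": "lnx", "pid": 40, "ppid": 1, "name": "bash", "args": ["bash"]},
    {"host": "lnx", "pid": 41, "ppid": 40, "name": "curl", "args": ["curl", "https://example.invalid/readme"]},
]

def has_node_ancestor(event, by_pid, max_depth=16):
    """Walk the parent chain on the same host looking for a Node.js process."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get((cur["host"], cur["ppid"]))
        if cur is None:
            return False
        if cur["name"].lower() in ("node", "node.exe"):
            return True
    return False

def classify(event):
    """Name the delivery-stage behaviour an event matches, or None."""
    name = event["name"].lower()
    original = event.get("original", name).lower()
    if name in DOWNLOADERS and any(a.startswith(("http://", "https://")) for a in event["args"]):
        return "remote_fetch"
    if name == "nohup":
        return "detached_exec"
    if original == "powershell.exe" and name != original:
        return "renamed_powershell"
    if name == "osascript":
        return "applescript_exec"

def detect(events):
    """Return (host, pid, behaviour) for matching events that descend from Node.js."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    return [(e["host"], e["pid"], classify(e)) for e in events
            if classify(e) and has_node_ancestor(e, by_pid)]
```

The benign curl under an interactive bash is not reported because the ancestry check, not the binary name, is what carries the signal; in production the same logic would run over your EDR's process-start events rather than an inline list.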