www.elastic.co 3/31/2026, 4:16:55 PM · via preferred

Elastic releases detections for the Axios supply chain compromise

Elastic releases detections for the Axios supply chain compromise
Developing story malware 2 articles tracked
Axios npm package supply chain compromise delivering a remote access trojan
CyberSIXT Evidence Panel Source marked as original reporting

ELASTIC Security Labs is releasing an initial triage and detection rules for the Axios supply-chain compromise, with a detailed analysis to follow in a future publication. According to Elastic Security Labs, they filed a GitHub Security Advisory to the axios repository on 31 March 2026 at 01:50 AM UTC to coordinate disclosure and act on the compromised versions.

The campaign involves malicious Axios package versions, notably 1.14.1 and 0.30.4, which pull a transitive dependency, plain-crypto-js@4.2.1, that executes during postinstall to deploy a second-stage payload across Linux, Windows and macOS.

Across platforms, the pattern begins with a Node[.]js process spawning an OS-native execution path to fetch a remote payload and then detaching or hiding the subsequent activity, with Linux showing a curl/wget-based download and nohup backgrounding, Windows using a renamed PowerShell proxy, and macOS executing AppleScript before launching a Mach-O backdoor. Elastic detections focus on the delivery stage, emphasising process ancestry, network retrieval, and detached execution rather than static indicators.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline