The big npm incident from last week was the Axios compromise on March 31, 2026. The malicious releases were axios@1.14.1 and axios@0.30.4, and they pulled in a trojanized dependency, plain-crypto-js@4.2.1, which ran a postinstall hook and fetched a cross-platform RAT from sfrclak[.]com:8000. The bad versions were live for roughly 00:21–03:29 UTC on March 31, so in Greece that was about 03:21–06:29 on March 31. If your machine or CI ran a fresh install in that window and resolved one of those versions, you should treat it seriously. (Google Cloud)
What matters most is this: if your lockfile or install artifacts show axios@1.14.1, axios@0.30.4, or plain-crypto-js, the Axios maintainer’s own postmortem says to treat that machine as compromised, rotate every secret on it, and check for outbound traffic to sfrclak[.]com or 142.11.206.73 on port 8000. If you were pinned to a clean version and did not do a fresh install during the bad window, you are probably fine. (GitHub)
Use this triage in order.
- Check your repo and lockfiles
# npm
grep -R -nE '"axios"|plain-crypto-js' . 2>/dev/null | grep -E '1\.14\.1|0\.30\.4|plain-crypto-js'
# yarn
grep -R -nE 'axios@|plain-crypto-js' yarn.lock . 2>/dev/null | grep -E '1\.14\.1|0\.30\.4|plain-crypto-js'
# bun text lockfile
grep -R -nE 'axios|plain-crypto-js' bun.lock . 2>/dev/null | grep -E '1\.14\.1|0\.30\.4|plain-crypto-js'Snyk and the Axios postmortem both recommend checking lockfiles first, and Snyk also calls out Bun separately. (Snyk)
- Check whether the malicious dependency ever landed in
node_modules
npm ls plain-crypto-js 2>/dev/null
find . -type d -name "plain-crypto-js" 2>/dev/nullEven if the dropper cleaned up some files, the presence of plain-crypto-js is a strong signal that the malicious install path executed. (Snyk)
- Check machine-level IOCs
For macOS:
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null
ps aux | grep -v grep | grep com.apple.act.mond
lsof -i | grep ':8000'
grep -R "sfrclak.com\|142.11.206.73" ~/.zsh_history ~/.bash_history 2>/dev/nullFor Linux:
ls -la /tmp/ld.py 2>/dev/null
ps aux | grep -v grep | grep '/tmp/ld.py'
find /tmp -maxdepth 1 -type f | grep '/tmp/\.[A-Za-z0-9]\{6\}$'
ss -plant 2>/dev/null | grep ':8000'
grep -R "sfrclak.com\|142.11.206.73" ~/.bash_history ~/.zsh_history 2>/dev/nullFor Windows PowerShell:
Test-Path "$env:ProgramData\wt.exe"
Test-Path "$env:ProgramData\system.bat"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object MicrosoftUpdate
Get-ChildItem $env:TEMP -Filter "6202033*" -Force -ErrorAction SilentlyContinue
Get-NetTCPConnection | Where-Object {$_.RemotePort -eq 8000}The main published artifacts are /Library/Caches/com.apple.act.mond on macOS, /tmp/ld.py on Linux, and %PROGRAMDATA%\wt.exe on Windows. Windows also had persistence via %PROGRAMDATA%\system.bat and the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate key. (Snyk)
- Check network evidence
Search EDR, proxy, firewall, DNS, or local logs for:
sfrclak.com 142.11.206.73 port 8000 http://sfrclak.com:8000/6202033
Microsoft published those as the key network indicators for this attack. (Microsoft)
- Check npm cache and CI runners too
This attack hit dev machines and CI/CD because it executed during install. If this happened in CI, rotate any secrets available to that runner, not just developer credentials. Vercel said they investigated and remediated on their side; the Axios maintainer explicitly says affected CI runners should have injected secrets rotated. (GitHub)
My blunt recommendation is this:
If you find only clean lockfiles and no IOC artifacts, that is reassuring but not perfect.
If you find plain-crypto-js, axios@1.14.1, axios@0.30.4, or any of the disk/network IOCs, assume compromise. Remove the machine from the network, rebuild or reimage it if possible, rotate npm/GitHub/cloud/API/SSH credentials, and invalidate any tokens that ever lived on that host. That is consistent with the maintainer guidance and multiple incident writeups. (GitHub)
If you want, I’ll turn this into a single copy-paste detection script for macOS/Linux or a PowerShell version for Windows.