The Axios Attack Wasn't in Any CVE Database. Your Scanner Missed It.
The axios npm supply chain attack hit a package with 100 million weekly downloads and lasted about 3 hours. Here's why traditional vulnerability scanners couldn't catch it, and what would have.
On March 30th, axios, the HTTP client that sits in nearly every JavaScript project, was compromised. Malicious versions were published to npm, were installed by CI/CD pipelines around the world, and delivered a remote access trojan (RAT) to developer machines and build agents. The packages were live for about 3 hours before being pulled.
If you ran npm install that day and your version range resolved to one of the malicious releases, you may have a RAT on your machine right now.
Here’s the part that matters for your security tooling: there was no CVE. There still isn’t.
What Actually Happened
An attacker social-engineered the maintainer, gained access to his npm account, and published axios versions 1.14.1 and 0.30.4. Both versions declared a dependency that no prior axios release had: plain-crypto-js@4.2.1. That package carried a postinstall script, which downloaded and executed a cross-platform RAT with payloads for Windows, Linux, and macOS.
100 million weekly downloads. One compromised maintainer account. Three hours.
Microsoft, SANS, Elastic, and Huntress have all published postmortems. The attack has been attributed to North Korean state actors (UNC1069, also tracked as Sapphire Sleet by Microsoft).
Why Your Scanner Missed It
npm audit, Snyk, Dependabot: they all check your packages against known vulnerability databases (CVE-whatever, GHSA-whatever). They're asking: "do we recognize this package and version as dangerous?"
They cannot ask: "did this package exist yesterday?"
plain-crypto-js@4.2.1 didn't have a CVE. It wasn't in the GitHub advisory database. It wasn't in NVD. It was a brand new package with a lookalike name chosen to pass as a relative of the legitimate crypto-js. A database-driven vulnerability scanner could not have flagged it, because that class of tool matches package names and versions against known advisories; it keeps no record of what your dependency tree contained yesterday.
What Would Have Caught It
An SBOM diff.
If you had a snapshot of your dependency tree from March 29th and compared it to March 30th, the new entry would have stood out: plain-crypto-js@4.2.1 appearing as a transitive dependency of axios, alongside the axios version bump that pulled it in. That's not a known CVE. It's an anomaly: a package that wasn't there yesterday, that nobody asked to install, and that had only just been published to npm.
Continuous SBOM monitoring turns your dependency tree into a fingerprint. Any change to that fingerprint is a signal worth investigating, and a newly added package that also declares an install script is the signal to chase first.
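What that diff looks like in practice, as an added example (this is illustration code, not OtterSight's product or the axios project's code): the script below treats two package-lock.json snapshots (lockfileVersion 2 or 3) as a stand-in for an SBOM, reports packages that appeared, disappeared or changed version, and ranks a new package that declares an install script as the finding to look at first. The two lockfile snapshots embedded in it are constructed for the demo, not captured from a real project; they model the state described above, with axios bumped to 1.14.1 and plain-crypto-js@4.2.1 appearing with an install script.

```javascript
// Added example (not OtterSight's code): diff two package-lock.json snapshots,
// used here as a stand-in for an SBOM, and surface what a CVE scanner cannot see:
// packages that were not in the tree before, especially ones that run install scripts.
// Works with lockfileVersion 2 and 3, where the "packages" map is keyed by install path.
'use strict';

// Collapse the path-keyed "packages" map into name -> { versions, hasInstallScript }.
// Keying by name (not path) means a package that merely moved between a hoisted and
// a nested location is not reported as a change; only names and versions matter here.
function flattenLock(lock) {
  const byName = new Map();
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // '' is the root project; keys without node_modules/ are workspace links.
    if (key === '' || !key.includes('node_modules/')) continue;
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const entry = byName.get(name) || { versions: new Set(), hasInstallScript: false };
    entry.versions.add(meta.version);
    // npm records hasInstallScript when a package declares preinstall/install/postinstall.
    if (meta.hasInstallScript) entry.hasInstallScript = true;
    byName.set(name, entry);
  }
  return byName;
}

// Compare two snapshots: names that appeared, disappeared, or changed their version set.
function diffLockfiles(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const added = [];
  const removed = [];
  const changed = [];
  for (const [name, meta] of b) {
    const versions = [...meta.versions].sort();
    const prev = a.get(name);
    if (!prev) {
      added.push({ name, versions, hasInstallScript: meta.hasInstallScript });
      continue;
    }
    const prevVersions = [...prev.versions].sort();
    if (prevVersions.join(',') !== versions.join(',')) {
      changed.push({ name, from: prevVersions, to: versions, hasInstallScript: meta.hasInstallScript });
    }
  }
  for (const name of a.keys()) {
    if (!b.has(name)) removed.push({ name });
  }
  return { added, removed, changed };
}

// The finding to look at first: a package that was not there yesterday and runs code at install time.
function highRiskAdditions(diff) {
  return diff.added.filter((p) => p.hasInstallScript).map((p) => p.name);
}

// Point-in-time check against a single lockfile, e.g. "is plain-crypto-js in here at all?"
function lockfileContains(lock, name) {
  return flattenLock(lock).has(name);
}

// Constructed snapshots for the demo, not captured from a real project.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.0' },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1' },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
};

function printReport(diff) {
  for (const p of diff.added) {
    console.log(`ADDED    ${p.name}@${p.versions.join(',')}${p.hasInstallScript ? '   <-- runs an install script' : ''}`);
  }
  for (const p of diff.changed) console.log(`CHANGED  ${p.name} ${p.from.join(',')} -> ${p.to.join(',')}`);
  for (const p of diff.removed) console.log(`REMOVED  ${p.name}`);
  for (const name of highRiskAdditions(diff)) console.log(`INVESTIGATE: ${name}`);
}

// Usage: node lockdiff.js before/package-lock.json after/package-lock.json
// With no arguments it runs on the constructed snapshots above.
if (typeof require !== 'undefined' && require.main === module) {
  const [beforePath, afterPath] = process.argv.slice(2);
  if (beforePath && afterPath) {
    const fs = require('fs');
    const load = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
    printReport(diffLockfiles(load(beforePath), load(afterPath)));
  } else {
    printReport(diffLockfiles(BEFORE, AFTER));
  }
}
```

Two caveats on the design. Version changes are reported as well as new names because a compromised release can also carry the payload inside an existing package, in which case the only visible signal is the bump. And a lockfile only records what npm resolved at the time it was written; if the lockfile was not committed, diff the output of npm ls --all --json from before and after instead, or the node_modules tree itself.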
The Practical Takeaway
Layer 2 security (CVE scanning) is necessary but not sufficient. The axios attack is a reminder that the most dangerous supply chain compromises don’t announce themselves in vulnerability databases — they show up as unexpected changes to your dependency graph.
OtterSight tracks your SBOM over time. When your dependency fingerprint changes, you find out. Join the waitlist — we’re building the alert that would have caught this.
In the meantime: check your lockfiles and your installed trees. If you ran npm install on March 30th with a range that could resolve to 1.14.1 or 0.30.4, look for plain-crypto-js in package-lock.json and under node_modules. (A committed lockfile that pinned an older axios and was installed with npm ci would not have pulled it.) If it's there, assume compromise: unless install scripts were disabled with ignore-scripts, the postinstall ran, so isolate the machine and rotate every credential it held.