RTILA users are safe. No action required on your end.
You may have seen the news about the supply chain attack that hit Axios, one of the most popular JavaScript HTTP clients out there (100M+ weekly npm downloads). On March 31, 2026, attackers hijacked the lead maintainer’s npm account and pushed two malicious versions: axios@1.14.1 and axios@0.30.4. Anyone who ran npm install during that window unknowingly got a cross-platform remote access trojan (RAT) installed on their machine. Trend Micro published a thorough technical writeup if you want to go deep: Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
As soon as we heard about this, we checked our dependency tree. RTILA is not affected.
Here’s what we verified:
- Our builds do not pull axios@1.14.1 or axios@0.30.4
- No trace of plain-crypto-js (the malicious phantom dependency) in our node_modules or lockfiles
- None of our CI/CD pipelines ran npm install during the exposure window (March 31, 00:21 to 03:30 UTC)
- No outbound connections to the attacker’s C&C infrastructure (sfrclak.com) detected
What actually happened
The attackers got into the lead maintainer’s npm account, changed the email to one they controlled, then manually published two poisoned versions using a stolen npm token. This let them skip the OIDC Trusted Publisher check that legitimate Axios releases go through, so nothing showed up in the GitHub repo at all.
The actual payload was hidden inside a fake dependency called plain-crypto-js@4.2.1. It was never used anywhere in the Axios code, it just sat in package.json so npm would automatically install it and trigger its postinstall hook. Once it ran, it deployed the RAT and then deleted itself, swapping in a clean-looking file so nothing seemed off on inspection.
Automated scanners caught it within 6 minutes and npm pulled the packages in about 3 hours, but the window was real.
We’re dropping Axios in the next update
We weren’t hit this time, but this incident showed how quickly things can go wrong when a single account gets compromised, no matter how trusted the package is. We’d rather not sit on that risk.
We’ve decided to remove Axios from RTILA’s codebase completely in an upcoming update. We’ll replace it with a lighter alternative and share more details, including which release this lands in, as we get closer.
In the meantime, here’s what we’ve tightened up
- Exact version pinning across all dependencies, no more caret ranges in production
- npm ci --ignore-scripts enforced in all CI/CD pipelines
- Lockfile auditing on every dependency update
- Network egress monitoring across our build environments
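As an added example (not RTILA's own tooling), here is what the lockfile check from the verification list above and the pinning rule from the list just given can look like in a Node script: it walks the packages map of a package-lock.json (lockfileVersion 2 or 3), flags the two hijacked axios versions, the plain-crypto-js phantom dependency and any entry with an install script, and reports non-exact ranges in package.json. The lockfile and package.json below are constructed for the demo.

```javascript
// Added example, not RTILA's code. Audits a package-lock.json (lockfileVersion 2/3,
// the "packages" map) for the indicators named in the post, and flags non-exact
// ranges in package.json. Both inputs at the bottom are constructed for the demo.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']), // the two hijacked releases
};
const PHANTOM = new Set(['plain-crypto-js']); // payload carrier; never used by axios code

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(path, meta) {
  if (meta.name) return meta.name;
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Returns [{path, name, version, reason}] for every entry worth a human look.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = nameFromPath(path, meta);
    const add = (reason) => findings.push({ path, name, version: meta.version, reason });
    if (COMPROMISED[name] && COMPROMISED[name].has(meta.version)) add('known compromised version');
    if (PHANTOM.has(name)) add('phantom dependency present');
    if (meta.hasInstallScript) add('has install script (blocked by --ignore-scripts)');
  }
  return findings;
}

// Returns "name@range" for every dependency not pinned to one exact version (caret, tilde, *, tags).
function nonExactRanges(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!exact.test(range)) out.push(`${name}@${range}`);
    }
  }
  return out;
}

// Constructed sample: what a lockfile captured during the exposure window could look like.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};
const SAMPLE_PKG = { dependencies: { axios: '^1.14.0', 'follow-redirects': '1.15.9' } };
console.log(auditLockfile(SAMPLE_LOCK), nonExactRanges(SAMPLE_PKG));
```

Against the constructed sample this reports three findings (the compromised axios version, the phantom package, and its install script) and one unpinned range, axios@^1.14.0.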
We’re posting this because you deserve to know what’s going on under the hood, not because there’s anything you need to do. Feel free to ask anything in the replies.
The RTILA Team
