The March 2026 Supply Chain Attack — And How 0nDefender Stops It
0nMCP v2.9.1 · 900+ tools · 55 services · Patent Pending RocketOpp LLC · 0nmcp.com
BLUF: On March 31, 2026, attackers published compromised versions of axios — the most popular HTTP client on npm with 45 million weekly downloads — containing a Remote Access Trojan. Thousands of developers installed it before npm pulled the versions 6 hours later. Every one of them had their environment variables, SSH keys, and API credentials exfiltrated. 0nDefender would have blocked the attack at the preinstall step. It is free, open source, and you can install it in 60 seconds.
What Happened on March 31
At approximately 08:14 UTC on March 31, 2026, two new versions appeared on the npm registry:
- axios@1.14.1
- axios@0.30.4
Neither version was published by the axios maintainers. The attacker had compromised an npm account with publish access to the axios package — likely through credential stuffing or a phished authentication token.
The versions looked legitimate. The package.json was nearly identical to the real releases. The source code in lib/ was untouched. Automated tests would pass. Linters would not flag anything.
The payload was hidden in a new transitive dependency: plain-crypto-js.
How the Attack Worked
The compromised axios versions added plain-crypto-js as a dependency. This package — published by the same attacker minutes before the axios versions — contained a postinstall script in its package.json:
{
  "scripts": {
    "postinstall": "node ./setup.js"
  }
}
The setup.js file looked innocuous at first glance — variable names suggested it was a cryptography setup routine. But it executed the following sequence:
- Environment harvest: Read every environment variable from process.env and serialized them to a buffer
- SSH key theft: Read ~/.ssh/id_rsa, ~/.ssh/id_ed25519, and any other files in ~/.ssh/ matching key patterns
- Credential file scan: Scanned common locations for .env, .env.local, .npmrc, claude_desktop_config.json, and other credential stores
- Exfiltration: Sent the collected data to an attacker-controlled endpoint disguised as a telemetry ping to a domain that looked like an npm analytics service
- Cleanup: Deleted the setup.js file and the plain-crypto-js directory from node_modules to cover its tracks
The entire sequence took less than 3 seconds. By the time npm install finished, the malware had already exfiltrated credentials and removed evidence of its existence.
Why MCP Server Operators Were the Biggest Targets
Developers running MCP servers are uniquely vulnerable to supply chain attacks. Their environments typically contain:
- API keys for 10-50 connected services (Stripe, OpenAI, Anthropic, databases, CRMs)
- OAuth tokens with broad scopes
- Database connection strings with full read/write access
- MCP server configurations that describe the entire tool surface area
- Claude Desktop configs that expose which AI capabilities are available
A single compromised npm install on an MCP server operator's machine could yield credentials worth tens of thousands of dollars in unauthorized API usage — or worse, full access to client data across every connected service.
The axios attacker knew this. The domains they used for exfiltration were registered on March 28, three days before the attack, and the data collection was specifically tuned for .env files and MCP configurations.
How to Check If You Were Affected
Run these commands in your terminal:
# Check if you have the compromised versions in any project
# (matches the resolved tarball URL, so transitive copies are found too)
find ~/projects -name 'package-lock.json' -exec grep -lE 'axios/-/axios-(1\.14\.1|0\.30\.4)\.tgz' {} \;
# Check npm cache for the malicious packages
npm cache ls 2>/dev/null | grep 'plain-crypto-js'
# Check if the exfiltration domain was contacted (macOS)
grep -r 'npm-telemetry-analytics' ~/Library/Logs/ 2>/dev/null
# Verify your current axios version is clean
npm ls axios 2>/dev/null
If you find any matches: rotate every API key, SSH key, and token on that machine immediately. Assume full compromise. The attacker had your credentials for up to 6 hours before npm pulled the packages.
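The lockfile check above can also be done as a structured walk instead of a text match. This is an added example, not code from the original article or from 0nDefender: it takes a parsed package-lock.json in either the v1 nested format or the v2/v3 `packages` format and reports the two axios versions and the package named above, including transitive and aliased copies. The sample lockfiles and every version number other than the two axios ones are constructed.

```javascript
// Added example, not 0nDefender code. Indicators are the ones named in this article.
const BAD_VERSIONS = new Map([['axios', ['1.14.1', '0.30.4']]]);
const BAD_PACKAGES = ['plain-crypto-js'];

function isHit(name, version) {
  return BAD_PACKAGES.includes(name) || (BAD_VERSIONS.get(name) || []).includes(version);
}

// Returns [{ name, version, where }] for every flagged entry in a parsed lockfile.
function scanLockfile(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/@scope/b" is package "@scope/b".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = meta.name || path.split('node_modules/').pop();
    if (isHit(name, meta.version)) hits.push({ name, version: meta.version, where: path });
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 repeats it, so skip it there).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (isHit(name, meta.version)) hits.push({ name, version: meta.version, where: here.join(' > ') });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (versions other than the two axios ones are made up).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.1' },
    'node_modules/plain-crypto-js': { version: '0.0.0-constructed', hasInstallScript: true },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-sdk': { version: '2.0.0', dependencies: { axios: { version: '0.30.4' } } },
    'left-pad': { version: '1.3.0' },
  },
};

console.log(scanLockfile(SAMPLE_V3), scanLockfile(SAMPLE_V1));
```

To run it on a real project, pass it the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.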
How 0nDefender Would Have Stopped It
0nDefender has four security layers. The axios attack would have been caught by three of them independently.
Layer 1: 0nSeal — Lockfile Integrity (Would Have Blocked It)
0nSeal runs as a preinstall hook — before npm downloads or executes anything. It:
- Reads your package-lock.json
- Computes integrity hashes for every resolved package
- Cross-references those hashes against its known-safe registry
- Flags any package version that does not match known-good hashes
When axios@1.14.1 appeared in the lockfile, 0nSeal would have detected that this version's integrity hash did not match the axios maintainers' published hashes. The install would have been blocked with a clear warning:
[0nSeal] BLOCKED: axios@1.14.1 integrity mismatch
  Expected: sha512-abc123...
  Got:      sha512-xyz789...
  This version may have been tampered with.
  Run with --force to override (not recommended).
The attack stops here. The postinstall script in plain-crypto-js never runs because npm never downloads it.
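One way to implement the kind of lockfile check described above, as an added example (not 0nSeal's code): it computes the SRI string that package-lock.json stores in `integrity` and compares each locked package with an allowlist kept outside the lockfile. The allowlist format, the `example-lib` package and the tarball bytes are constructed for this example. It also shows that a newly published version carries a hash that matches its own tarball, so it is the allowlist lookup, not the hash comparison, that flags it.

```javascript
const { createHash } = require('node:crypto');

// The "integrity" field in package-lock.json is an SRI string:
// "sha512-" + base64(SHA-512 of the package tarball bytes).
function sri(tarballBytes) {
  return 'sha512-' + createHash('sha512').update(tarballBytes).digest('base64');
}

// Compare every locked package with an allowlist kept outside the lockfile.
// pinned: Map of "name@version" -> SRI string (hypothetical format for this example).
function checkLock(lock, pinned) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project
    const id = `${meta.name || path.split('node_modules/').pop()}@${meta.version}`;
    if (!pinned.has(id)) findings.push({ id, verdict: 'unpinned' });
    else if (pinned.get(id) !== meta.integrity) findings.push({ id, verdict: 'mismatch' });
  }
  return findings;
}

// Constructed stand-ins for tarball contents; real input would be the .tgz bytes.
const reviewedBytes = Buffer.from('constructed: example-lib 2.0.0 as reviewed');
const alteredBytes = Buffer.from('constructed: example-lib 2.0.0, altered');
const unknownBytes = Buffer.from('constructed: axios 1.14.1');

const PINNED = new Map([['example-lib@2.0.0', sri(reviewedBytes)]]);
const lockWith = (name, version, bytes) => ({
  packages: { '': {}, [`node_modules/${name}`]: { version, integrity: sri(bytes) } },
});

// A version that was never reviewed: its hash matches its own tarball,
// so only the allowlist lookup can flag it.
const LOCK_NEW_VERSION = lockWith('axios', '1.14.1', unknownBytes);
// A reviewed version whose bytes changed after review.
const LOCK_ALTERED = lockWith('example-lib', '2.0.0', alteredBytes);
const LOCK_CLEAN = lockWith('example-lib', '2.0.0', reviewedBytes);

console.log(checkLock(LOCK_NEW_VERSION, PINNED)); // one 'unpinned' finding
console.log(checkLock(LOCK_ALTERED, PINNED));     // one 'mismatch' finding
console.log(checkLock(LOCK_CLEAN, PINNED));       // no findings
```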
Layer 2: 0nWatch — Supply Chain Monitor (Would Have Flagged It)
0nWatch runs on a 6-hour scan cycle. Even if 0nSeal had been bypassed, 0nWatch would have flagged the plain-crypto-js dependency within its next scan cycle:
- New, previously unseen dependency with fewer than 24 hours on npm
- Published by an account with no prior publish history
- Contains a postinstall script (a known attack vector)
- Package name is a variation of an existing package (crypto-js)
All four signals together would trigger a critical alert.
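The four signals listed above, combined into one assessment function. This is an added example, not 0nWatch's code: the metadata shape, the name-variation heuristic, the `review` level for partial matches, and the sample timestamps and packages are assumptions made for illustration.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Simplified heuristic (an assumption of this example): a known package name
// with extra hyphen-separated words around it, e.g. "plain-crypto-js" vs "crypto-js".
// Legitimate companion packages also match, so this is weak evidence on its own.
function isNameVariation(name, knownNames) {
  return knownNames.some((known) =>
    name !== known && (name.endsWith('-' + known) || name.startsWith(known + '-')));
}

// meta (hypothetical shape): { name, firstPublished: ISO string,
//   publisherPriorPublishes: number, scripts: object from package.json }
function assess(meta, knownNames, now) {
  const signals = [];
  if (now - Date.parse(meta.firstPublished) < DAY_MS) signals.push('new-package');
  if (meta.publisherPriorPublishes === 0) signals.push('new-publisher');
  if (INSTALL_HOOKS.some((h) => meta.scripts && meta.scripts[h])) signals.push('install-script');
  if (isNameVariation(meta.name, knownNames)) signals.push('name-variation');
  // The article only states that all four together are critical;
  // the "review" level for partial matches is an assumption.
  const severity = signals.length === 4 ? 'critical' : signals.length > 0 ? 'review' : 'none';
  return { name: meta.name, signals, severity };
}

// Constructed sample metadata.
const KNOWN = ['crypto-js', 'axios', 'express'];
const NOW = Date.parse('2026-03-31T12:00:00Z');
const SUSPECT = {
  name: 'plain-crypto-js',
  firstPublished: '2026-03-31T08:00:00Z', // constructed timestamp
  publisherPriorPublishes: 0,
  scripts: { postinstall: 'node ./setup.js' },
};
const ESTABLISHED = {
  name: 'native-addon-example', // constructed package
  firstPublished: '2021-05-01T00:00:00Z',
  publisherPriorPublishes: 40,
  scripts: { install: 'node-gyp rebuild' },
};

console.log(assess(SUSPECT, KNOWN, NOW), assess(ESTABLISHED, KNOWN, NOW));
```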
Layer 3: 0nVaultGuard — Key Health Verification (Would Have Detected the Breach)
0nVaultGuard checks API key health every 12 hours. If the attack had somehow succeeded, VaultGuard would detect the aftermath:
- Sudden spike in API usage on keys that should be idle
- Authentication from IP addresses that don't match your known locations
- Key revocation by services that detected abuse
This is the last line of defense — detecting that a breach has occurred even when prevention layers were bypassed.
Layer 4: 0nAlert — Threat Notifications
0nAlert ties the other three layers together with real-time notifications. The moment 0nSeal blocks a package, 0nWatch flags a suspicious dependency, or 0nVaultGuard detects credential abuse — you get an alert via email, Slack, or Discord.
No checking dashboards. No reviewing logs after the fact. Immediate notification at the moment of detection.
The Preinstall Hook: Why It Matters
The critical insight is timing. The axios attack used a postinstall script — code that runs after npm has already downloaded and installed the package. By the time the malicious code executes, it is already on your machine.
0nSeal runs as a preinstall hook. It executes before npm resolves, downloads, or installs anything. The attack surface never materializes because the malicious package never arrives.
This is not a scan-after-the-fact approach. This is prevention at the gate.
Adding it to any project takes one line in package.json:
{
  "scripts": {
    "preinstall": "npx 0nmcp@latest defender scan --lockfile"
  }
}
Install 0nDefender in 60 Seconds
Step 1: Install 0nMCP
npm install -g 0nmcp
Step 2: Verify your environment
0nmcp engine verify
This checks all API keys in your environment and reports their health status.
Step 3: Add to Claude Desktop
Add to your claude_desktop_config.json:
{
  "mcpServers": {
    "0nMCP": {
      "command": "npx",
      "args": ["-y", "0nmcp"]
    }
  }
}
Step 4: Add preinstall hook to your projects
{
  "scripts": {
    "preinstall": "npx 0nmcp@latest defender scan --lockfile"
  }
}
Done. Four security layers. Active protection. Zero cost.
The Bigger Problem: MCP Servers Need Security Standards
The axios attack was not the first supply chain attack and it will not be the last. The npm ecosystem processes over 2.1 billion downloads per week. The surface area for supply chain attacks grows with every new package.
MCP servers amplify this risk because they aggregate credentials. A single MCP server environment might hold API keys for Stripe, OpenAI, Anthropic, Supabase, a CRM, email services, social media platforms, and cloud infrastructure. Compromising one developer's MCP environment can yield access to dozens of production systems.
The AI tooling ecosystem needs security standards. Not guidelines. Not best practices documents. Actual tools that enforce security at the package level, the credential level, and the runtime level.
0nDefender is our contribution. It is free. It is open source. It is MIT licensed. And it works today.
What Comes Next
0nDefender ships as part of 0nMCP. The full platform includes:
- 0nVault: AES-256-GCM encrypted credential storage with hardware fingerprint binding
- 0nVault Containers: 7-layer encrypted business operations packaging (Patent Pending #63/990,046)
- Seal of Truth: SHA3-256 content-addressed integrity verification
- Zero-Knowledge Capability Proxy: AI tools execute without ever seeing your credentials
The security problem in AI tooling is not going to be solved by one tool or one company. But it starts with taking the problem seriously and shipping solutions that work.
RocketOpp LLC | Patent Pending: #63/968,814 | #63/990,046 | #64/006,268 | #64/006,282 0nMCP is open source (MIT). 0nDefender is included.