Security Advisory: axios supply chain attack - Phantom NOT affected #8
Description
Hi! I was doing a security review of Phantom before self-hosting it and wanted to share what I found. Really impressed with the security work here by the way. The AES-256-GCM credential encryption, subprocess env isolation, parameterized queries, non-root Docker container, and the evolution safety gates with cross-model judges are all top notch. Clearly a lot of thought went into this.
Anyway, here's the reason for this issue:
What happened
On March 31, 2026, two malicious versions of axios were published to npm via a compromised maintainer account:
- axios@1.14.1
- axios@0.30.4
They inject a fake dependency (plain-crypto-js@4.2.1) with a postinstall hook that deploys a cross-platform remote access trojan (RAT) calling home to sfrclak.com:8000.
Phantom status: NOT affected
The bun.lock pins axios@1.13.6 as a transitive dependency of:
- @slack/bolt@4.6.0 (requires axios@^1.12.0)
- @slack/web-api@7.15.0 (requires axios@^1.13.5)
Neither the compromised versions nor plain-crypto-js appear anywhere in the resolved dependency tree.
Quick verification
```sh
# Check resolved axios version
grep axios bun.lock
# -> axios@1.13.6
# Check for malicious dropper package
grep plain-crypto-js bun.lock
# -> (no results)
```
Suggestion: pin axios to prevent accidental resolution
Even though Phantom is safe today, a future bun install without --frozen-lockfile could resolve to a compromised version if the malicious packages haven't been unpublished yet. Adding a resolution pin in package.json would lock this down:
```json
"resolutions": {
  "axios": "1.13.6"
}
```
The Dockerfile already uses bun install --frozen-lockfile, so Docker builds are protected. This would cover local dev environments too.
Happy to open a PR for this if useful.
References
- StepSecurity: Axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
- Compromised versions: axios@1.14.1, axios@0.30.4
- Malicious C2 domain: sfrclak.com (IP: 142.11.206.73)
- Dropper package: plain-crypto-js@4.2.1
Indicators of compromise (for self-hosters)
If you ran bun install / npm install recently without a lockfile, check for these:
| Platform | File artifact |
|---|---|
| macOS | /Library/Caches/com.apple.act.mond |
| Windows | %PROGRAMDATA%\wt.exe |
| Linux | /tmp/ld.py |
If any exist, treat the system as fully compromised and rotate all credentials, SSH keys, and API tokens.
This analysis was performed by Claude (Opus) with human supervision.
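The lockfile check under "Quick verification" and the resolutions pin suggested above can be automated. The script below is an added example, not code from this issue or the Phantom project: it scans lockfile text for the two compromised axios versions and the dropper package, and confirms that a package.json "resolutions" pin matches what the lock resolved. The bun.lock excerpts are constructed sample input.

```javascript
// Added example, not part of Phantom or the issue: audit lockfile text for the
// compromised axios versions and the dropper package, and check a resolutions pin.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const DROPPER = "plain-crypto-js";

// Every concrete "<pkg>@<semver>" token for one package. Range specifiers such as
// "axios@^1.12.0" are skipped; the lookbehind rejects "@types/axios@" or "my-axios@".
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`(?<![\\w@/.-])${escaped}@(\\d+\\.\\d+\\.\\d+[\\w.-]*)`, "g");
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort();
}

// Which axios versions the lock resolves, whether any is a known-bad release,
// and whether the dropper package appears anywhere in the tree.
function auditLockfile(lockText) {
  const axiosVersions = resolvedVersions(lockText, "axios");
  const compromised = axiosVersions.filter((v) => COMPROMISED_AXIOS.has(v));
  const dropperVersions = resolvedVersions(lockText, DROPPER);
  return {
    axiosVersions,
    compromised,
    dropperVersions,
    affected: compromised.length > 0 || dropperVersions.length > 0,
  };
}

// True only if package.json pins axios and the lock resolves exactly that version.
function pinMatchesLock(packageJsonText, lockText) {
  const pin = (JSON.parse(packageJsonText).resolutions || {}).axios;
  const resolved = resolvedVersions(lockText, "axios");
  return pin !== undefined && resolved.length === 1 && resolved[0] === pin;
}

// Constructed excerpts modelled on the "packages" section of a bun.lock file;
// sample input for this example only, not Phantom's real lockfile.
const CLEAN_LOCK = `
    "@slack/bolt": ["@slack/bolt@4.6.0", "", { "dependencies": { "axios": "^1.12.0" } }, "sha512-x"],
    "axios": ["axios@1.13.6", "", { "dependencies": { "follow-redirects": "^1.15.6" } }, "sha512-x"],
`;
const BAD_LOCK = `
    "axios": ["axios@1.14.1", "", { "dependencies": { "plain-crypto-js": "4.2.1" } }, "sha512-x"],
    "plain-crypto-js": ["plain-crypto-js@4.2.1", "", {}, "sha512-x"],
`;
const PINNED_PKG = JSON.stringify({ resolutions: { axios: "1.13.6" } });
console.log(auditLockfile(CLEAN_LOCK));              // affected: false
console.log(auditLockfile(BAD_LOCK));                // compromised: ["1.14.1"], affected: true
console.log(pinMatchesLock(PINNED_PKG, CLEAN_LOCK)); // true
```

Run it against a real lockfile with `auditLockfile(fs.readFileSync("bun.lock", "utf8"))`; a non-empty `compromised` or `dropperVersions` array means the install should be treated as suspect and the IoC table above checked.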