FREE SECURITY TOOL

Secure Your Claude Desktop in 60 Seconds

The March 31, 2026 supply chain attack compromised npm packages used by thousands of developers. 0nDefender stops it before it starts.

What Happened on March 31, 2026

Attackers published compromised versions of axios@1.14.1 and axios@0.30.4 to npm. The packages contained a Remote Access Trojan (RAT) payload hidden inside a transitive dependency called plain-crypto-js. The payload executed via a postinstall script, exfiltrating environment variables, SSH keys, and API credentials to an external server.

Any developer whose npm install resolved to those axios versions (a fresh install, or a lockfile that already pinned them) had the postinstall script executed, unless lifecycle scripts were disabled with npm's --ignore-scripts option or ignore-scripts=true in .npmrc. MCP server operators were particularly exposed because their environments hold API keys for dozens of connected services.

Attack vector          | Unprotected                 | With 0nDefender
Malicious npm package  | Installs silently           | Blocked before install
Compromised dependency | Runs undetected             | Scanned every 6 hours
Stolen API keys        | Discovered after the breach | Health-checked every 12 hours
Typosquatting attack   | No detection                | Pattern-matched and warned

4 Security Layers. Zero Cost.

Every layer ships free with 0nMCP. MIT licensed. No sign-up required.

0nWatch

Supply Chain Monitor

Continuously scans your npm dependency tree against the npm advisory database, GitHub Security Advisories, and known-malicious package registries. Runs every 6 hours automatically. Catches compromised packages before they reach production.

0nVaultGuard

Key Health Verification

Checks every API key in your environment to verify it is still valid, has not been revoked, and has not appeared in known breach databases. Runs every 12 hours. Keys are not sent to 0nMCP or to any other third party: a validity check is made directly from your machine to the API that issued the key, the same request any client of that API makes.

0nSeal

Lockfile Integrity

A preinstall hook that validates your package-lock.json against known-safe hashes before npm fetches or unpacks a single dependency, so an install that references a known-bad or altered package is refused before any install script can run. This is the layer that would have stopped the March 2026 axios attack. One caveat: the hook is itself a lifecycle script, so npm install --ignore-scripts (or ignore-scripts=true in .npmrc) disables it along with every other script; if you rely on ignore-scripts as a defence, run the scan explicitly instead.

0nAlert

Threat Notifications

Real-time alerts via email, Slack, or Discord when a vulnerability is detected in your dependency tree, when an API key fails a health check, or when a lockfile integrity mismatch is found. You know the moment something is wrong.

Install in 60 Seconds

Three steps. Copy, paste, protected.

1. Install 0nMCP globally

Terminal
npm install -g 0nmcp
0nmcp engine verify
2. Add to your Claude Desktop MCP config

claude_desktop_config.json
{
  "mcpServers": {
    "0nMCP": {
      "command": "npx",
      "args": ["-y", "0nmcp"]
    }
  }
}
3. Add the preinstall hook to any project

Add this to any project's package.json to block malicious packages before they install. The snippet uses 0nmcp@latest; in a real project pin the exact version you installed and verified in step 1 (and use the same pinned version in the Claude Desktop config above), so that the hook is not itself an unpinned package resolved from the registry at install time:

package.json
{
  "scripts": {
    "preinstall": "npx 0nmcp@latest defender scan --lockfile"
  }
}

Done. Your MCP server and every project with the preinstall hook are now protected by 4 security layers.

Frequently Asked Questions

Is 0nDefender really free?

Yes, completely free. 0nDefender is MIT licensed and ships as part of 0nMCP. No sign-up required. No credit card. No usage limits. Run npx 0nmcp@latest and you are protected.

Does it slow down npm install?

No. The preinstall hook adds less than 2 seconds to your npm install. It scans only the lockfile and cross-references against a local advisory cache. The dependency scan runs asynchronously and does not block your workflow.

What attacks does 0nDefender protect against?

Supply chain attacks (compromised npm packages), typosquatting attacks (malicious packages with names similar to popular ones), credential theft (stolen API keys and tokens), and compromised dependencies (legitimate packages that have been hijacked). It would have blocked the March 2026 axios RAT attack entirely.
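The typosquatting check in the list above is a name comparison: a dependency whose name is one edit away from a popular package, or that differs only by a separator or a look-alike character, is worth a warning. The following is an added illustration of that idea, not 0nDefender's own code; the POPULAR shortlist, the edit-distance threshold and the confusable-character rules are assumptions chosen for the example.

```javascript
// Added example (not 0nDefender code): flag dependency names that imitate popular packages.
// POPULAR is a constructed shortlist; a real check would use a download-ranked registry list.
const POPULAR = ['axios', 'lodash', 'express', 'react', 'chalk', 'commander', 'dotenv'];

// Edit distance with insert, delete, substitute and adjacent-transposition (Damerau) steps,
// so 'axois' is one edit from 'axios' rather than two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise before comparing: drop the scope, strip separators so 'dot-env' collides with
// 'dotenv', and map common confusables (1->l, 0->o, rn->m). These rules are assumptions.
function normalise(name) {
  return name
    .toLowerCase()
    .replace(/^@[^/]+\//, '')
    .replace(/[-_.]/g, '')
    .replace(/1/g, 'l')
    .replace(/0/g, 'o')
    .replace(/rn/g, 'm');
}

// Returns { imitates, distance } for the closest popular package within maxDistance,
// or null. An exact popular name is the real package, not a squat.
function typosquatCandidate(name, popular = POPULAR, maxDistance = 1) {
  if (popular.includes(name)) return null;
  const n = normalise(name);
  let best = null;
  for (const p of popular) {
    const distance = editDistance(n, normalise(p));
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { imitates: p, distance };
    }
  }
  return best;
}

// Run the check over a list of dependency names (for example the names in a lockfile).
function findTyposquats(names, popular = POPULAR) {
  const findings = [];
  for (const name of names) {
    const hit = typosquatCandidate(name, popular);
    if (hit) findings.push({ package: name, ...hit });
  }
  return findings;
}

// Constructed dependency list for demonstration.
const SAMPLE_NAMES = ['axios', 'axois', 'ax1os', 'dot-env', 'debug', 'lodash'];
for (const f of findTyposquats(SAMPLE_NAMES)) {
  console.log(`[warn] ${f.package} looks like ${f.imitates} (distance ${f.distance})`);
}
```

A distance-0 hit after normalisation (the dot-env case) is the strongest signal, since the only difference is a separator or a confusable character; a threshold above 1 quickly produces noise on short names, so widen it only for names longer than a handful of characters.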

Does it work with other MCP servers?

Yes. 0nDefender protects any Node.js project, not just MCP servers. The preinstall hook works in any package.json. The credential health checker works with any API keys stored in .env files or 0nVault containers.

How does it detect malicious packages?

Three mechanisms: (1) pattern matching of every package@version in the lockfile against known-malicious versions from the npm advisory database, (2) lockfile integrity hash verification to detect tampering between installs, and (3) behavioral analysis of install scripts that attempt network access, file system writes outside node_modules, or process spawning. The March 2026 axios payload ran from a postinstall script: the lockfile check (0nSeal) refuses the install before npm runs any script, and the behavioral rules cover install scripts in packages the advisory database has not yet flagged.
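The first two mechanisms, together with the 0nSeal lockfile check described earlier, come down to a pre-install pass over package-lock.json: compare each resolved version against a known-bad list, compare each recorded integrity hash against the one seen at the last known-good install, and surface any package that declares an install script (npm records this in lockfile versions 2 and 3 as hasInstallScript). The following is an added example of such a pass, not 0nSeal's or 0nDefender's own code. The KNOWN_BAD list, PINNED_INTEGRITY allowlist and SAMPLE_LOCKFILE are constructed for the example; the axios versions mirror the ones named on this page, and the plain-crypto-js version and all hashes are placeholders.

```javascript
// Added example (not 0nMCP/0nDefender code): audit a package-lock.json (lockfileVersion 2 or 3)
// before npm installs anything. All lists and the sample lockfile below are constructed.

// Known-malicious versions: package name -> set of versions. The axios versions are the ones
// this page names; the plain-crypto-js version is an assumption for the example.
const KNOWN_BAD = {
  'axios': new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['1.0.0']),
};

// Integrity hashes recorded at the last known-good install: 'name@version' -> hash (placeholder values).
const PINNED_INTEGRITY = {
  'follow-redirects@1.15.6': 'sha512-AAAA',
  'debug@4.3.4': 'sha512-EEEE',
};

// Constructed lockfile v3 fragment standing in for a real package-lock.json.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-mcp-server', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.1', integrity: 'sha512-BBBB' },
    'node_modules/plain-crypto-js': { version: '1.0.0', integrity: 'sha512-CCCC', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6', integrity: 'sha512-DDDD' },
    'node_modules/debug': { version: '4.3.4', integrity: 'sha512-EEEE' },
  },
};

// Map a "packages" key to the package name. Keys look like 'node_modules/name',
// 'node_modules/@scope/name' or 'node_modules/a/node_modules/b'; '' is the root project.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Audit one parsed lockfile. Returns { findings, blocked }; blocked is true when any finding
// has severity 'block', which is the signal a preinstall hook uses to abort the install.
function auditLockfile(lock, knownBad = KNOWN_BAD, pinned = PINNED_INTEGRITY) {
  if (!lock || typeof lock.packages !== 'object') {
    // lockfileVersion 1 has only a "dependencies" tree and no hasInstallScript flag.
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromKey(key);
    if (name === null) continue;
    const id = `${name}@${entry.version}`;

    // (1) Known-malicious version: refuse the install.
    if (knownBad[name] && knownBad[name].has(entry.version)) {
      findings.push({ severity: 'block', package: id, reason: 'version is on the known-malicious list' });
    }

    // (2) Integrity drift: same name@version, different tarball hash than the one pinned earlier.
    const expected = pinned[id];
    if (expected && expected !== entry.integrity) {
      findings.push({ severity: 'block', package: id, reason: `integrity mismatch: pinned ${expected}, lockfile has ${entry.integrity}` });
    }

    // (3) Install scripts: not malicious by themselves, but the channel the March 2026 payload used.
    if (entry.hasInstallScript === true) {
      findings.push({ severity: 'warn', package: id, reason: 'declares a preinstall/install/postinstall script' });
    }
  }
  return { findings, blocked: findings.some((f) => f.severity === 'block') };
}

// Demonstration on the constructed lockfile. In a real preinstall hook, read and JSON.parse
// package-lock.json here and call process.exit(1) when result.blocked is true.
const result = auditLockfile(SAMPLE_LOCKFILE);
for (const f of result.findings) console.log(`[${f.severity}] ${f.package}: ${f.reason}`);
console.log(result.blocked ? 'install refused' : 'lockfile clean');
```

Because the hook runs from the root package's preinstall script, a non-zero exit code is what actually stops npm; the audit function itself only reports. Keep the pinned-integrity map in version control alongside the lockfile so that a mismatch reflects a change in the registry tarball rather than a stale local cache.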

1,183 tools protected · 99 services monitored · 5 patents filed (15+ inventions) · $0 cost

Want the Full Platform?

0nDefender is free and always will be. The full 0nMCP platform gives you 1,183 tools across 99 services with AI orchestration, encrypted vault storage, and metered execution.

npx 0nmcp@latest

0nMCP is open source (MIT). 0nDefender is included. 5 provisional patent applications covering 15+ distinct inventions filed with USPTO.
RocketOpp LLC · 2026