Proprietary · 2026-03-04 · 18 days · Credential Theft, Data Exfiltration, Remote Code Execution

Apifox CDN script stole developer secrets

A compromised Apifox CDN analytics script ran inside the Electron desktop client. The injected JavaScript stole tokens, developer credentials, and system data, then fetched remote payloads for command execution.

Story

Apifox is an API development client, so it sits close to secrets. Developers use it with access tokens, API keys, Git credentials, SSH keys, npm tokens, and Kubernetes configuration. In March 2026, a script loaded by the desktop client became the delivery path.

The compromised file was apifox-app-event-tracking.min.js on Apifox's official CDN. It was supposed to be event-tracking code. The malicious version appended heavily obfuscated JavaScript to the legitimate analytics logic, so the Electron client executed it automatically at startup or during runtime.

The payload read Apifox local storage, enumerated processes with ps aux or tasklist, and targeted developer files such as ~/.ssh/, ~/.git-credentials, shell history, kubeconfig data, .npmrc, and Subversion credentials. It sent stolen data over encrypted channels and could retrieve and execute additional code.

SlowMist reported the attack on March 26, 2026. Kudelski later summarized the exposure window as March 4 through March 22 and treated all users who launched the desktop client during that period as potentially affected. The practical response was secret rotation, session invalidation, local storage cleanup, and network blocking of the attacker domains.
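To scope the secret rotation described above, the following added example (not code from Apifox, SlowMist, or Kudelski) inventories which of the targeted developer files exist under a home directory and which credentials they hold, without printing any secret values. The file names for shell history, kubeconfig, and Subversion are assumed defaults, and the function names are hypothetical.

```python
import re
from pathlib import Path

# Files the page lists as payload targets. The history, kubeconfig and
# Subversion file names are assumed defaults, not taken from the page.
TARGETS = {
    "ssh": ".ssh",
    "git": ".git-credentials",
    "npm": ".npmrc",
    "kube": ".kube/config",
    "svn": ".subversion/auth",
    "history": ".bash_history",
}

def git_hosts(text):
    """Hosts with a stored credential (https://user:secret@host); never the secret."""
    return sorted(set(re.findall(r"^\s*https?://[^@/\s]+@([^/\s]+)", text, re.M)))

def npm_registries(text):
    """Registries that have an _authToken line in .npmrc."""
    return sorted(set(re.findall(r"^\s*//(.+?)/?:_authToken\s*=", text, re.M)))

def ssh_private_keys(ssh_dir):
    """Names of files in ~/.ssh whose first bytes look like a private key header."""
    names = []
    for p in sorted(ssh_dir.iterdir()):
        if p.is_file() and b"PRIVATE KEY" in p.read_bytes()[:64]:
            names.append(p.name)
    return names

def rotation_inventory(home):
    """Map each exposed secret class to the concrete items that need rotation."""
    home, found = Path(home), {}
    for kind, rel in TARGETS.items():
        path = home / rel
        if not path.exists():
            continue
        if kind == "ssh":
            found[kind] = ssh_private_keys(path)
        elif kind == "git":
            found[kind] = git_hosts(path.read_text(errors="replace"))
        elif kind == "npm":
            found[kind] = npm_registries(path.read_text(errors="replace"))
        else:
            found[kind] = [rel]  # present: treat contents as exposed
    return found

if __name__ == "__main__":
    for kind, items in rotation_inventory(Path.home()).items():
        print(f"{kind}: {', '.join(items) or 'present, nothing parsed'}")
```

Run it as each user who launched the desktop client during the exposure window; every item reported is a candidate for rotation or revocation.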

Affected Artifacts

Observed: 2026-03-04 to 2026-03-22
Compromised Versions: Unknown
Fixed: Not listed
Hashes:
  • sha256:91d48ee33a92acef02d8c8153d1de7e7fe8ffa0f3b6e5cebfcb80b3eeebc94f1
  • SlowMist identified a malicious Wayback snapshot from 2026-03-05; Kudelski summarized the exposure window as March 4 through March 22, 2026.

Incident Context

Motive: Credential Theft
Cause: Compromised CDN Script
Transitive: No

External References

Source record: proprietary/apifox/meta.yaml