Compromised npm Account Exploits Axios Supply Chain with Cross-Platform RAT
A high-profile npm supply-chain incident affected the Axios HTTP client this week. Two published releases included a malicious dependency that acted as a cross-platform RAT. Security firms traced the changes to a compromised npm account belonging to the primary maintainer, jasonsaayman.
What happened
Versions 1.14.1 and 0.30.4 of Axios introduced [email protected] as a fake runtime dependency. The injected package ran a postinstall script that deployed platform-specific payloads. StepSecurity and other researchers found the new releases were published with hijacked credentials.
Scope and significance
Axios is widely used, with over 83 million weekly downloads. The library supports frontend, backend, and enterprise projects. A successful compromise of Axios thus poses broad risks across the JavaScript ecosystem.
How the malware operated
An obfuscated Node.js dropper named setup.js executed on install. It branched to different second-stage payloads based on the host OS. The dropper contacted a command-and-control server to retrieve platform-specific RAT components.
After execution, the installer removed forensic traces. It deleted the postinstall hook, swapped package manifests, and removed temporary files. These cleanup steps were designed to hide the infection.
Platform attack paths
- macOS: An AppleScript fetched a trojan from sfrclak[.]com:8000, saved it to /Library/Caches/com.apple.act.mond, made it executable, and launched it via /bin/zsh.
- Windows: The dropper copied PowerShell to %PROGRAMDATA%wt.exe, wrote and ran a VBScript, and fetched a PowerShell RAT from the same server.
- Linux/other: The dropper used execSync to fetch a Python RAT, saved it as /tmp/ld.py, and executed it with nohup.
Technical details and capabilities
The macOS second-stage is a C++ RAT. It fingerprints systems and beacons the C2 every 60 seconds. Commands include running binaries, executing shell commands, enumerating files, and terminating the RAT. SafeDep found the Linux RAT supports similar commands.
Researchers noted no built-in persistence. The malware did not survive reboots by itself. That suggests the attacker aimed for rapid exfiltration or intended to use the RAT to deploy persistence later.
Timeline of events
| Date (UTC) | Event |
|---|---|
| 2026-03-30 05:57 | [email protected] published (clean). |
| 2026-03-30 23:59 | [email protected] published with payload. |
| 2026-03-31 00:21 | [email protected] published with injected dependency. |
| 2026-03-31 01:00 | [email protected] published with injected dependency. |
Account takeover and indicators
Investigators say the attacker changed the maintainer account email to a ProtonMail address, [email protected]. The malicious plain-crypto-js package was published by user nrwise ([email protected]). The actor likely used a long-lived classic npm token to publish directly.
Each platform's payload sent a distinct POST body to the same C2 server, using a platform-specific path: packages.npm.org/product0, product1, and product2 for macOS, Windows, and Linux respectively.
Collateral packages and vendor tampering
Socket reported two additional packages distributing the same payload via vendored dependencies.
- @shadanai/openclaw vendored plain-crypto-js directly inside its files tree.
- @qqbrowser/[email protected] shipped a tampered [email protected] inside node_modules with plain-crypto-js injected.
A genuine axios manifest declares only three runtime dependencies: follow-redirects, form-data, and proxy-from-env. An extra plain-crypto-js entry is a clear sign of tampering.
Actions for developers and operators
Users with [email protected] or [email protected] should assume compromise. Immediate secrets rotation is required for affected systems. Downgrade to [email protected] or [email protected].
- Remove plain-crypto-js from node_modules.
- Search for RAT artifacts: /Library/Caches/com.apple.act.mond, %PROGRAMDATA%wt.exe, /tmp/ld.py.
- If artifacts exist, rotate all credentials and treat systems as breached.
- Audit CI/CD runs that may have installed the compromised versions.
- Block egress to sfrclak[.]com.
Assessment
Researchers stressed that the attack exploited a compromised npm account and the npm postinstall lifecycle. No malicious code was added to Axios source files. The compromise abused the supply chain instead.
Filmogaz.com recommends teams prioritize audits and credential rotations. The incident underscores the danger of transitive dependencies and automated install scripts. Vigilance is essential across development and deployment pipelines.