Axios Compromised on NPM – Malicious Versions Drop Remote Access Trojan
5 hours ago
- #npm-compromise
- #supply-chain-security
- #malware-analysis
- Malicious versions [email protected] and [email protected] were published on March 31, 2026 from a compromised npm account with publish rights, bypassing the project's normal CI/CD release pipeline.
- The malicious versions added a new dependency, [email protected], whose postinstall script ran a cross-platform dropper for a remote access trojan (RAT) on macOS, Windows, and Linux.
- The dropper contacted a command-and-control server at http://sfrclak.com:8000/6202033, which delivered the second-stage payloads, and then deleted itself to evade detection.
- Published indicators of compromise include file paths, network domains, and attacker-controlled accounts; the known-safe versions are [email protected] and [email protected].
- Remediation: downgrade axios to a known-safe version, remove plain-crypto-js, rotate any credentials that were present on hosts that installed the malicious versions (the dropper ran with the installing user's privileges), and use tooling such as StepSecurity to detect and block install-time script execution in CI.
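The detection side of the last two bullets, as an added example that is not part of this advisory or of the axios project's code: a Node script that scans a package-lock.json (lockfileVersion 2 or 3) for the injected dependency, lists every installed axios entry for comparison against the known-safe versions (whose numbers this page does not reproduce), flags packages that declare install-time lifecycle scripts, and sweeps arbitrary text for the C2 host. The lockfile, package.json and version strings embedded below are constructed placeholders, not data from the incident.

```javascript
// Added example, not code from the original advisory or from the axios project.
// Scans an npm package-lock.json (lockfileVersion 2 or 3, which carry a flat
// top-level "packages" map keyed by node_modules path) for the indicators the
// advisory names. v1 lockfiles (nested "dependencies") are not handled here.
// Sample lockfile, package.json and version strings are constructed placeholders.

const IOC_PACKAGE = 'plain-crypto-js';      // injected dependency named in the advisory
const IOC_C2_HOST = 'sfrclak.com';          // host from the advisory's C2 URL
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Package name for an entry path such as "node_modules/a/node_modules/@scope/b".
function packageNameFromPath(entryPath, entry) {
  if (entry && entry.name) return entry.name;
  const marker = 'node_modules/';
  const idx = entryPath.lastIndexOf(marker);
  return idx === -1 ? entryPath : entryPath.slice(idx + marker.length);
}

function scanLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [entryPath, entry] of Object.entries(packages)) {
    if (entryPath === '') continue;           // the root project itself
    const name = packageNameFromPath(entryPath, entry);
    const base = { path: entryPath, name, version: entry.version };
    if (name === IOC_PACKAGE) {
      findings.push({ ...base, severity: 'critical', reason: 'IOC package present; treat host as compromised' });
    }
    if (name === 'axios') {
      findings.push({ ...base, severity: 'review', reason: 'compare against the known-safe axios versions' });
    }
    // npm sets hasInstallScript when a package declares an install-time hook;
    // that hook is where the dropper in this incident executed.
    if (entry.hasInstallScript === true) {
      findings.push({ ...base, severity: 'info', reason: 'declares an install-time lifecycle script' });
    }
  }
  return findings;
}

// Lifecycle hooks a package.json would run during "npm install".
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}

// Cheap sweep of any text (proxy logs, dropped files, shell history) for the C2 host.
function containsC2Indicator(text) {
  return typeof text === 'string' && text.includes(IOC_C2_HOST);
}

// Constructed sample: an app that pulled in a poisoned axios, which pulled in the IOC package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '*' } },
    'node_modules/axios': { version: '0.0.0-placeholder', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '0.0.0-placeholder' },
  },
};

// Constructed sample package.json with a postinstall hook, the mechanism the advisory describes.
const SAMPLE_PKG = { name: 'plain-crypto-js', scripts: { postinstall: 'node install.js', test: 'echo ok' } };

if (typeof require !== 'undefined' && require.main === module) {
  // For a real project: scanLockfile(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
  for (const f of scanLockfile(SAMPLE_LOCK)) {
    console.log(`[${f.severity}] ${f.path}@${f.version}: ${f.reason}`);
  }
  console.log('install hooks in sample package.json:', installHooks(SAMPLE_PKG));
}

if (typeof module !== 'undefined') {
  module.exports = { scanLockfile, installHooks, containsC2Indicator, SAMPLE_LOCK, SAMPLE_PKG };
}
```

A critical finding means the lockfile resolved plain-crypto-js at some point, so the postinstall ran on every machine and CI runner that installed from it; those hosts need the credential rotation above, not just a package swap. For prevention, `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) stops install-time hooks from executing at all, at the cost of breaking packages that legitimately build native code on install, so allow-list those explicitly rather than re-enabling scripts globally.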