Malware & Ransomware | HIGH

Axios npm Package Compromised - Supply Chain Attack Unveiled

Source: Snyk Blog
Tags: axios, npm, remote access trojan, supply chain attack, plain-crypto-js
🎯 Basically, bad versions of a popular software package were uploaded, allowing hackers to access computers.

Quick Summary

Malicious Axios npm packages were published, injecting a remote access trojan. Developers and CI/CD systems are at risk. Immediate action is needed to secure your systems.

What Happened

On March 31, 2026, two malicious versions of the Axios npm package, a widely used JavaScript HTTP client, were briefly published to npm. These versions, 1.14.1 and 0.30.4, were uploaded via a compromised maintainer account. They contained a hidden dependency that deployed a cross-platform remote access trojan (RAT) to any machine that ran npm install during a two-hour window. The malicious packages were removed shortly after being detected, but the damage was already done for those who downloaded them.

The attack was not a case of a rogue dependency or typosquatting. Instead, the attacker gained direct publishing access to the official Axios package on npm. By adding a malicious dependency, plain-crypto-js@4.2.1, to the package.json of the new releases, they ensured that anyone who installed the affected versions would inadvertently execute a script that compromised their system.

Who's Being Targeted

The risk is particularly high for developers and CI/CD pipelines that do not pin their dependency versions. If your system ran npm install or npm update during the three-hour window when the malicious packages were live, you could be affected. Additionally, projects depending on other compromised packages, such as @qqbrowser/openclaw-qbot or @shadanai/openclaw, are also at risk, regardless of the time frame.

The malicious payload was designed to work across multiple operating systems, including macOS, Windows, and Linux. Each platform had a specific RAT that could execute arbitrary commands and communicate with a command and control server, making this a serious threat for many users.

Signs of Infection

If you suspect that your system may have been compromised, there are several indicators to look for. Each operating system has specific files and processes that can signal an infection:

  • macOS: Look for a binary at /Library/Caches/com.apple.act.mond.
  • Windows: Check for a PowerShell binary at %PROGRAMDATA%\t.exe masquerading as Windows Terminal.
  • Linux: Inspect for a Python script located at /tmp/ld.py.

Additionally, keep an eye out for outbound connections to the command and control server at sfrclak.com:8000, as this could indicate active communication from a compromised machine.
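The following is an added example, not code from the Snyk post: it turns the indicators listed above into a repeatable host check. The file paths and the C2 endpoint are the ones quoted in the advisory; the host inventory (present paths, environment map, connection records) is constructed here so the script runs offline, and the connection-record layout and the placeholder address 203.0.113.10 are assumptions of this example rather than anything the advisory states.

```javascript
// Added example (not code from the Snyk post): match the host indicators quoted
// in the advisory against a constructed host inventory. For a live check, build
// `presentPaths` with fs.existsSync over the indicator list and `connectionLines`
// from the output of netstat or ss.

// Indicators as stated in the advisory.
const FILE_IOCS = {
  darwin: ['/Library/Caches/com.apple.act.mond'],
  win32: ['%PROGRAMDATA%\\t.exe'],
  linux: ['/tmp/ld.py'],
};
const C2_HOST = 'sfrclak.com';
const C2_PORT = 8000;

// Expand %VAR% tokens from a supplied environment map (pass process.env on a
// real Windows host); unknown variables are left untouched.
function expandEnv(p, env) {
  return p.replace(/%([^%]+)%/g, (token, name) => (env[name] !== undefined ? env[name] : token));
}

// Return the indicator paths for `platform` that are present on the host.
// Windows paths are compared case-insensitively; macOS and Linux paths exactly.
function findFileIndicators(platform, presentPaths, env = {}) {
  const fold = platform === 'win32' ? (s) => s.toLowerCase() : (s) => s;
  const present = new Set(presentPaths.map(fold));
  return (FILE_IOCS[platform] || [])
    .map((p) => expandEnv(p, env))
    .filter((p) => present.has(fold(p)));
}

// Connection records in a simplified "<proto> <local> <remote> [<state>]" layout
// (an assumption of this example). The remote side may be a DNS name or an
// already-resolved address, so callers can pass the addresses the C2 name resolves to.
function findC2Connections(connectionLines, resolvedC2Addrs = new Set()) {
  const hits = [];
  for (const raw of connectionLines) {
    const parts = raw.trim().split(/\s+/);
    if (parts.length < 3) continue;
    const remote = parts[2];
    const sep = remote.lastIndexOf(':');
    if (sep < 0) continue;
    const host = remote.slice(0, sep);
    const port = Number(remote.slice(sep + 1));
    if (port === C2_PORT && (host === C2_HOST || resolvedC2Addrs.has(host))) {
      hits.push(raw.trim());
    }
  }
  return hits;
}

// Combine both checks into one verdict for a host.
function assessHost({ platform, presentPaths, env = {}, connectionLines = [], resolvedC2Addrs = new Set() }) {
  const files = findFileIndicators(platform, presentPaths, env);
  const connections = findC2Connections(connectionLines, resolvedC2Addrs);
  return { files, connections, suspicious: files.length > 0 || connections.length > 0 };
}

// Constructed sample inventory for a Windows build agent. 203.0.113.10 is a
// documentation-range placeholder standing in for whatever the C2 name resolves to.
const SAMPLE_PATHS = ['C:\\ProgramData\\t.exe', 'C:\\Windows\\System32\\notepad.exe'];
const SAMPLE_ENV = { PROGRAMDATA: 'C:\\ProgramData' };
const SAMPLE_CONNECTIONS = [
  'tcp 10.0.0.5:51234 registry.npmjs.org:443 ESTABLISHED',
  'tcp 10.0.0.5:51235 sfrclak.com:8000 ESTABLISHED',
  'tcp 10.0.0.5:51236 203.0.113.10:8000 ESTABLISHED',
  'udp 10.0.0.5:5353 224.0.0.251:5353',
];

const SAMPLE_VERDICT = assessHost({
  platform: 'win32',
  presentPaths: SAMPLE_PATHS,
  env: SAMPLE_ENV,
  connectionLines: SAMPLE_CONNECTIONS,
  resolvedC2Addrs: new Set(['203.0.113.10']),
});
console.log(JSON.stringify(SAMPLE_VERDICT, null, 2));
```

Resolving the C2 name yourself and passing the addresses in matters because a RAT that already has the address cached, or a host whose DNS logs are not retained, will only show the numeric endpoint in connection tables.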

How to Protect Yourself

If you are a user of the Axios package, immediate action is necessary. First, audit your lockfiles for the affected versions and rotate any secrets that may have been exposed. You can use tools like Snyk to check for vulnerabilities in your projects.

To mitigate risks, consider the following steps:

  1. Pin Axios to a known safe version in your package.json. Any version other than 1.14.1 or 0.30.4 is safe.
  2. Commit your lockfile and ensure that your CI/CD pipeline uses npm ci to maintain integrity.
  3. Implement security measures such as blocking the malicious plain-crypto-js dependency in your package manager.
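As an added example (not Snyk's tooling and not the axios project's code), the script below performs the lockfile audit from the first paragraph and checks steps 1 and 3 of the list: it walks a package-lock.json (both the flat lockfileVersion 2/3 layout and the nested lockfileVersion 1 tree), flags the two compromised axios releases and any plain-crypto-js entry wherever it sits in the tree, and reports whether package.json pins axios to an exact version. The sample lockfile and package.json are constructed for this example; the only values taken from the advisory are the package names and the version numbers.

```javascript
// Added example (not Snyk's or the axios project's code): audit an npm lockfile
// for the two compromised axios releases and for the injected plain-crypto-js
// dependency, and check that package.json pins axios to an exact version.

const COMPROMISED_AXIOS = new Set(['1.14.1', '0.30.4']); // from the advisory
const BLOCKED_PACKAGES = new Set(['plain-crypto-js']);   // from the advisory

// Yield {name, version, path} for every package recorded in the lockfile.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules path;
// lockfileVersion 1 keeps a nested "dependencies" tree.
function* walkLockfile(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project entry
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      yield { name, version: meta.version, path: key };
    }
  } else if (lock.dependencies) {
    yield* walkV1Tree(lock.dependencies, '');
  }
}

function* walkV1Tree(deps, prefix) {
  for (const [name, meta] of Object.entries(deps)) {
    const p = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, path: p };
    if (meta.dependencies) yield* walkV1Tree(meta.dependencies, `${p}/`);
  }
}

// Report every entry that is a compromised axios release or a blocked package,
// hoisted or nested, so transitive pulls are caught as well as direct ones.
function auditLockfile(lock) {
  const findings = [];
  for (const pkg of walkLockfile(lock)) {
    if (pkg.name === 'axios' && COMPROMISED_AXIOS.has(pkg.version)) {
      findings.push({ ...pkg, reason: 'compromised axios release' });
    }
    if (BLOCKED_PACKAGES.has(pkg.name)) {
      findings.push({ ...pkg, reason: 'blocked dependency' });
    }
  }
  return findings;
}

// A spec counts as pinned only when it is one exact semver version:
// "1.13.0" yes; "^1.13.0", "~1.13.0", "1.x", ">=1.0.0" and "latest" no.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// List the named dependencies that are not pinned, across the usual blocks.
function findUnpinned(pkgJson, names = ['axios']) {
  const out = [];
  for (const block of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const name of names) {
      const spec = pkgJson[block] && pkgJson[block][name];
      if (spec !== undefined && !isPinned(spec)) out.push({ block, name, spec });
    }
  }
  return out;
}

// Constructed lockfileVersion 3 sample: the bad release hoisted at top level
// with its injected dependency nested beneath it.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '4.2.1' } },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/some-other-dep': { version: '2.0.0' },
  },
};
const SAMPLE_PKG = { dependencies: { axios: '^1.14.0' } }; // constructed; a caret range is not a pin

console.log('lockfile findings:', auditLockfile(SAMPLE_LOCK));
console.log('unpinned:', findUnpinned(SAMPLE_PKG));
```

To run it against a real project, load the files with fs.readFileSync and JSON.parse and pass the objects to auditLockfile and findUnpinned. Treat any finding from auditLockfile as a reason to fail the CI job before npm ci proceeds; a pinned package.json without a committed lockfile still leaves transitive dependencies unpinned, which is why step 2 matters alongside step 1.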

By taking these precautions, you can significantly reduce the risk of falling victim to similar supply chain attacks in the future.

🔒 Pro insight: This incident highlights the vulnerabilities in npm's maintainer access protocols, necessitating stricter security measures for package management.

Original article from Snyk Blog
