Malware & Ransomware · HIGH

Axios NPM Supply Chain Incident - Malicious Packages Delivered

Cisco Talos Intelligence
Tags: Axios, supply chain attack, remote access trojan, npm, Cisco Talos
In plain terms: attackers published two malicious versions of Axios, a hugely popular JavaScript library, to the npm registry, and anyone who installed those versions during the roughly three-hour window got a remote access trojan along with the library.

Quick Summary

Two versions of the Axios npm package were published with a malicious dependency that installs a remote access trojan. Anyone who pulled those versions should roll back to a known-good release, hunt for the follow-on payloads, and rotate every credential that was present on the affected systems.

What Happened

On March 31, 2026, a supply chain attack hit the official Axios npm package: two malicious versions, v1.14.1 and v0.30.4, were published to the registry. Axios is a widely used JavaScript HTTP client with around 100 million downloads per week. The malicious versions were available for only about three hours, but at that download volume even a short window can reach a large number of developer machines and CI pipelines.

Who's Affected

Any developer, build system or organization that installed either compromised version during that window is at risk. Installs that resolved a semver range afresh (for example ^1.14.0 with no lockfile, or a lockfile refresh during the window) would have picked up the malicious release; installs pinned by a committed lockfile (npm ci) were exposed only if the lockfile was updated in that window. Given the library's popularity, and the fact that most projects pull Axios in transitively, the number of affected applications could be large.

How the Payload Was Delivered

The malicious versions added a fake runtime dependency, plain-crypto-js, whose install-time script (the setup.js listed in the IOCs below) ran automatically when npm installed the package and contacted attacker-controlled infrastructure. It then fetched a platform-specific second stage:

  • macOS: a binary named com.apple.act.mond (the name imitates Apple's com.apple.* system process naming).
  • Windows: a PowerShell script (6202033.ps1 in the IOCs) that copies a legitimate executable and runs it with flags that keep it hidden from the user.
  • Linux: a Python backdoor.

These payloads are remote access trojans (RATs): they let the attackers gather sensitive information from the host and deploy additional malware. Note that npm installs run with --ignore-scripts (or ignore-scripts=true in .npmrc) would not have executed the stager, although the malicious package contents would still be present on disk.

What You Should Do

Organizations that may have installed the malicious versions should:

  • Roll back to the last known-good versions (v1.14.0 or v0.30.3) and confirm that no lockfile still references v1.14.1, v0.30.4 or plain-crypto-js.
  • Investigate every system that installed the malicious versions (developer workstations, CI runners, build containers) for the follow-on payloads listed below.
  • Treat any credentials present on those systems (npm tokens, cloud keys, SSH keys, CI secrets) as compromised and rotate them promptly.

Impact

The full extent of the impact is still unfolding. Supply chain attacks often have unexpected downstream effects, because a compromised package is pulled into many applications that never depend on it directly. The attackers are likely to monetize the access they gained as quickly as possible. Cisco Talos notes that about 25% of the top 100 vulnerabilities in its 2025 Year in Review report affect widely used frameworks and libraries, underscoring the exposure that comes with shared dependencies.

Indicators of Compromise (IOCs)

To help identify a potential compromise, Talos published the following IOCs:

  • IP address: 142[.]11[.]206[.]73
  • Domain: Sfrclak[.]com
  • SHA256 hashes:
    • e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 (setup[.]js)
    • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (Linux payload)
    • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (Windows payload)
    • 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (macOS payload)
    • ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (6202033.ps1, PowerShell script)

Cisco Talos continues to monitor the situation and will provide updates as more indicators are uncovered.


Original article from Cisco Talos Intelligence · Nick Biasini
