Axios Under Siege: Critical npm Supply Chain Attack Hijacks Lead Maintainer to Drop Multi-Platform RAT
Do Son 
Security researchers at StepSecurity have issued an emergency warning regarding a high-stakes supply chain attack targeting axios, one of the most popular HTTP client libraries in the JavaScript ecosystem. Two “poisoned” versions of the library were successfully published to the npm registry after an attacker compromised the credentials of a lead maintainer.
The breach bypassed the project’s standard GitHub Actions security pipelines. Instead, the attacker hijacked the maintainer’s account, swapped the associated email to an anonymous ProtonMail address, and manually pushed the malicious code via the npm CLI.
The malicious versions—axios@1.14.1 and axios@0.30.4—include a hidden “trojan horse” dependency.
The attacker injected a package called plain-crypto-js@4.2.1. This dependency is never actually used by axios; its only function is to trigger a “postinstall” script. The script acts as a Remote Access Trojan (RAT) dropper that targets macOS, Windows, and Linux systems alike.
Once active, the dropper contacts a command-and-control (C2) server at sfrclak.com to download platform-specific second-stage payloads. To evade forensic detection, the malware deletes its own footprint and replaces its package.json with a clean version immediately after execution.
If you have installed either of the affected axios versions, StepSecurity advises that you assume your system is compromised. Security teams should immediately scan for the following indicators:
| Category | Indicator |
| Malicious Packages |
|
| Network C2 |
|
| macOS File |
|
| Windows File |
|
| Linux File |
|
To protect your infrastructure and development pipelines, take these steps immediately:
- Revert and Pin: Downgrade to the last known safe versions: axios@1.14.0 (for 1.x users) or axios@0.30.3 (for 0.x users).
- Rotate Credentials: If a system has been exposed, rotate all secrets, API keys, and credentials stored on or accessed by that machine.
- Audit Logs: Check network logs for any outbound connections to the known C2 domain or IP address.
- Harden CI/CD: As an added precaution, use npm install –ignore-scripts in CI environments to prevent malicious postinstall scripts from running.
The investigation is ongoing, and further technical analysis is expected as researchers dissect the second-stage payloads.
Update:
Analysis from Socket AI has confirmed that plain-crypto-js is a malicious obfuscated dropper and loader. The malware utilizes several sophisticated techniques to compromise systems while remaining undetected:
- Runtime Deobfuscation: It conceals its true intent by deobfuscating embedded payloads and operational strings only when the code is actually running.
- Dynamic Module Loading: To bypass static security scans, it dynamically pulls in sensitive modules like
fs,os, andexecSyncat runtime. - Command Execution: The script is capable of executing decoded shell commands directly on the host system.
- Payload Staging: It strategically copies and stages payload files into sensitive areas, specifically the OS temporary folders and Windows
ProgramDatadirectories. - Forensic Anti-Analysis: After execution, the malware attempts to destroy evidence by deleting or renaming its own artifacts to thwart investigators.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
