The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.
Versions 1.14.1 and 0.30.4 of Axios were found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.
According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios maintainer (“jasonsaayman”), allowing the attackers to bypass the project’s GitHub Actions CI/CD pipeline.
“Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux,” security researcher Ashish Kurmi said. “The dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.”
Users who have Axios versions 1.14.1 or 0.30.4 installed are required to rotate their secrets and credentials with immediate effect and downgrade to a safe version (1.14.0 or 0.30.3). The malicious versions, as well as “plain-crypto-js,” are no longer available for download from npm.
With more than 83 million weekly downloads, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across frontend frameworks, backend services, and enterprise applications.
“This was not opportunistic,” Kurmi added. “The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.”
The timeline of the attack is as follows –
- March 30, 2026, 05:57 UTC – A clean version of the package “plain-crypto-js@4.2.0” is published.
- March 30, 2026, 23:59 UTC – A new version (“plain-crypto-js@4.2.1”) with the payload added is published.
- March 31, 2026, 00:21 UTC – A new version of Axios (“axios@1.14.1”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
- March 31, 2026, 01:00 UTC – A new version of Axios (“axios@0.30.4”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
According to StepSecurity, the threat actor behind the campaign is said to have compromised the npm account of “jasonsaayman” and changed its registered email address to a Proton Mail address under their control (“ifstap@proton.me”). The “plain-crypto-js” package was published by an npm user named “nrwise” with the email address “nrwise@proton.me.”
It is believed that the attacker obtained a long-lived classic npm access token for the account to take control and directly publish poisoned versions of Axios to the registry.
The embedded malware, for its part, is launched via an obfuscated Node.js dropper (“setup.js”) and is designed to branch into one of three attack paths based on the operating system –
- On macOS, it runs an AppleScript payload to fetch a trojan binary from an external server (“sfrclak.com:8000”), save it as “/Library/Caches/com.apple.act.mond,” change its permissions to make it executable, and launch it in the background via /bin/zsh. The AppleScript file is deleted after execution to cover up the tracks.
- On Windows, it locates the PowerShell binary path, copies it to “%PROGRAMDATA%wt.exe” (disguising it as the Windows Terminal app), and writes a Visual Basic Script (VBScript) to the temp directory and executes it. The VBScript contacts the same server to fetch a PowerShell RAT script and execute it. The downloaded file is deleted.
- On other platforms (e.g., Linux), the dropper runs a shell command via Node.js’s execSync to fetch a Python RAT script from the same server, save it to “/tmp/ld.py,” and execute it in the background using the nohup command.

“Each platform sends a distinct POST body to the same C2 URL — packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux),” StepSecurity said. “This allows the C2 server to serve a platform-appropriate payload in response to a single endpoint.”
The downloaded second-stage binary for macOS is a C++ RAT that fingerprints the system and beacons to a remote server every 60 seconds to retrieve commands for subsequent execution. It supports capabilities to run additional payloads, execute shell commands, enumerate the file system, and terminate the RAT.
SafeDep’s analysis of the Linux RAT has revealed that it supports the same commands as its macOS counterpart. The absence of a persistence mechanism means that the malware does not survive reboots. This suggests that the attack is either geared towards rapid data exfiltration or leverages the RAT’s ability to run binaries and shell commands to deploy persistence.
“The attack is notable for its restraint. No axios source files were modified, making traditional diff-based code review less likely to catch it,” SafeDep said. “The malicious behavior lives entirely in a transitive dependency, triggered automatically by npm’s postinstall lifecycle.”
Once the main payload is launched, the Node.js malware also performs three forensic cleanup steps: removing the postinstall script from the installed package directory, deleting the “package.json” that references the postinstall hook used to launch the dropper, and renaming “package.md” to “package.json.”
It is worth noting that the “package.md” file is included in “plain-crypto-js” and is a clean “package.json” manifest without the postinstall hook that triggers the entire attack. By swapping the package manifests, the idea is to avoid raising any red flags during post-infection inspection of the package.
“Neither malicious version contains a single line of malicious code inside Axios itself,” StepSecurity said. “Instead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the Axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT).”
Users are advised to perform the following actions to identify compromise –
- Check for the malicious Axios versions.
- Check for RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%wt.exe” (Windows), and “/tmp/ld.py” (Linux).
- Downgrade to Axios versions 1.14.0 or 0.30.3.
- Remove “plain-crypto-js” from the “node_modules” directory.
- If RAT artifacts are detected, assume compromise and rotate all credentials on the system.
- Audit CI/CD pipelines for runs that installed the affected versions.
- Block egress traffic to the command-and-control domain (“sfrclak[.]com”).
Socket, in its own analysis of the attack, said it identified two additional packages distributing the same malware via vendored dependencies –
In the case of “@shadanai/openclaw,” the package vendors the malicious “plain-crypto-js” payload directly (e.g., @shadanai/openclaw/files/2026.3.31-1/dist/extensions/slack/node_modules/plain-crypto-js/setup.js). On the other hand, “@qqbrowser/openclaw-qbot@0.0.130” ships a tampered “axios@1.14.1” in its “node_modules/” folder with “plain-crypto-js” injected as a dependency.
“The real axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” the supply chain security company said. “The addition of plain-crypto-js is unambiguous tampering. When npm processes this vendored axios, it installs plain-crypto-js and triggers the same malicious postinstall chain.”