Axios Supply Chain Attack

Security Advisory
March 31, 2026
Kudelski Security Team

Summary

On March 31, 2026, StepSecurity identified a supply chain attack involving the compromise of two versions of the popular axios HTTP client library on npm: [email protected] and [email protected]. These versions were published with the compromised npm credentials of a lead axios maintainer, bypassing the project's normal CI/CD release pipeline. The attacker injected a malicious dependency, [email protected], whose postinstall script deployed a cross-platform remote access trojan (RAT). The RAT targeted macOS, Windows, and Linux, contacting a command-and-control (C2) server to fetch a platform-specific payload.

Affected Systems and/or Applications

  • Applications: Any application using [email protected] or [email protected].
  • Operating Systems: macOS, Windows, and Linux systems where the malicious versions were installed.
  • Development Environments: CI/CD pipelines and developer machines that executed npm install with the compromised versions.

Technical Details

Attack Vector

  1. Maintainer Account Hijack: The attacker compromised the npm account of a primary axios maintainer and changed its registered email to an attacker-controlled ProtonMail address. This gave the attacker the ability to publish new axios versions directly to the registry, outside the project's CI/CD pipeline.
  2. Malicious Dependency Injection: The attacker pre-staged a malicious package, [email protected], and added it as a runtime dependency of the compromised axios versions. Because it is a transitive dependency, it is installed by anyone who installs the compromised axios versions; its postinstall script runs automatically during npm install and deploys the RAT.
  3. RAT Deployment: The postinstall script executed a dropper that contacted the C2 server (sfrclak.com:8000) to retrieve a platform-specific payload for macOS, Windows, or Linux. The dropper was obfuscated to evade detection and removed its own traces after execution to hide evidence of the compromise.

Indicators of Compromise

  • Malicious npm Packages:
    • The two compromised axios versions named in the Summary ([email protected] and [email protected]), published outside the project's CI/CD pipeline
    • The [email protected] dependency they pull in, whose postinstall script deploys the RAT
  • Network Indicators:
    • C2 domain: sfrclak.com
    • C2 IP: 142.11.206.73
    • C2 endpoint: sfrclak.com:8000
    • C2 POST body (macOS): packages.npm.org/product0
    • C2 POST body (Windows): packages.npm.org/product1
    • C2 POST body (Linux): packages.npm.org/product2
  • File System Indicators:
    • macOS: /Library/Caches/com.apple.act.mond
    • Windows: %PROGRAMDATA%\wt.exe
    • Linux: /tmp/ld.py
  • Attacker-Controlled Accounts:
    • The hijacked maintainer npm account, whose registered email was changed to an attacker-controlled ProtonMail address

Assessing whether your npm installation is affected

Check the axios version resolved in your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) and in node_modules, not just the range declared in package.json, and check whether plain-crypto-js appears anywhere in the dependency tree. The safe version reference is:

  • [email protected] (safe) · shasum: 7c29f4cf2ea91ef05018d5aa5399bf23ed3120eb

Immediate Actions:

  • Downgrade to safe axios versions: [email protected] or [email protected].
  • Remove plain-crypto-js from node_modules and reinstall dependencies with npm install --ignore-scripts.
  • Check for RAT artifacts on affected systems and treat any system where they are found as fully compromised.

Preventive Measures:

  • Use --ignore-scripts in CI/CD pipelines to prevent postinstall hooks from executing.
  • Block C2 traffic at the network/DNS layer.
  • Rotate all credentials on systems where the malicious package ran.
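The following triage script is an added example and is not part of this advisory, of axios, or of any StepSecurity tool. It covers the assessment and the immediate and preventive actions above in one place: it scans a package-lock.json for plain-crypto-js, prints every resolved copy of axios so it can be compared against the safe reference, lists every package the lockfile marks as running an install script (the mechanism used in the attack), checks whether an .npmrc enforces ignore-scripts, and looks for the RAT drop paths. It assumes a lockfileVersion 2 or 3 package-lock.json (every installed package is a "node_modules/<name>" key with a "version" field and "hasInstallScript": true when it declares install scripts); lockfile v1 is not handled. The demo lockfile is constructed, and its "0.0.0-constructed" version strings are placeholders rather than the real affected releases.

```shell
#!/bin/sh
# Added triage helper, not part of the advisory or of any axios/StepSecurity tooling.
# Assumes package-lock.json v2/v3: each installed package is a "node_modules/<name>"
# key with a "version" field and, if it declares (pre|post)install scripts,
# "hasInstallScript": true. Lockfile v1 is not handled. The demo lockfile below is
# constructed; its "0.0.0-constructed" versions are placeholders, not real releases.

MALICIOUS_DEP="plain-crypto-js"
C2_INDICATORS="sfrclak.com 142.11.206.73"

# 0 if the lockfile installs the malicious dependency anywhere in the tree.
lockfile_has_malicious_dep() {
    grep -q "\"node_modules/$MALICIOUS_DEP\"" "$1"
}

# Prints the resolved version of every copy of axios (one per line); compare each
# against the safe reference version/shasum given in the advisory.
lockfile_axios_version() {
    awk '/"node_modules\/axios": [{]/ { want = 1; next }
         want && /"version"/          { gsub(/[",]/, ""); print $2; want = 0 }' "$1"
}

# Prints every package the lockfile marks as running an install script: each is a
# place where "npm install" executes third-party code, so review them all.
lockfile_install_script_packages() {
    awk '/^ *"node_modules\/[^"]*": [{]/ { key = $1; gsub(/"/, "", key); sub(/:$/, "", key) }
         /"hasInstallScript": true/      { print key }' "$1"
}

# 0 if the given .npmrc enforces the preventive setting from the advisory.
npmrc_ignores_scripts() {
    grep -q '^ignore-scripts *= *true' "$1"
}

# 0 if any RAT drop path from the advisory exists under prefix $1 ("" = live
# system). %PROGRAMDATA% is assumed to be /ProgramData for a prefix-relative check.
host_has_rat_artifacts() {
    rat_found=1
    for rat_path in "$1/Library/Caches/com.apple.act.mond" "$1/ProgramData/wt.exe" "$1/tmp/ld.py"; do
        if [ -e "$rat_path" ]; then
            echo "IOC present: $rat_path"
            rat_found=0
        fi
    done
    return $rat_found
}

# Constructed lockfile with the shape of a compromised install: axios pulls in
# plain-crypto-js, which carries an install script.
make_demo_lockfile() {
    cat > "$1" <<'EOF'
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "axios": "*" } },
    "node_modules/axios": {
      "version": "0.0.0-constructed",
      "dependencies": { "plain-crypto-js": "*" }
    },
    "node_modules/plain-crypto-js": {
      "version": "0.0.0-constructed",
      "hasInstallScript": true
    }
  }
}
EOF
}

# Report for one project directory; exit status 0 means there is something to act on.
triage() {
    lock="$1/package-lock.json"
    action=1
    echo "axios versions pinned: $(lockfile_axios_version "$lock" | tr '\n' ' ')"
    echo "packages with install scripts: $(lockfile_install_script_packages "$lock" | tr '\n' ' ')"
    if lockfile_has_malicious_dep "$lock"; then
        echo "MALICIOUS: lockfile pulls in $MALICIOUS_DEP; remove it, then npm install --ignore-scripts"
        action=0
    fi
    if host_has_rat_artifacts ""; then
        echo "HOST COMPROMISED: rebuild it and rotate every credential it could reach"
        action=0
    fi
    echo "block at DNS/egress while investigating: $C2_INDICATORS"
    return $action
}

if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    make_demo_lockfile "$demo_dir/package-lock.json"
    triage "$demo_dir"
fi
```

Run it as `sh triage.sh --demo` to see the report against the constructed lockfile, or source it and call `triage /path/to/project` against a real checkout. A clean lockfile only proves that the next install is clean; if the compromised versions were ever installed with scripts enabled on a machine, the host IOC check is the one that matters, and a hit there means the whole machine and every credential it could reach should be treated as compromised, as the advisory states.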

For StepSecurity Enterprise Customers:

  • Use Harden-Runner to enforce network egress allowlists and detect anomalous network traffic.
  • Deploy StepSecurity Dev Machine Guard for real-time visibility into npm packages installed on developer devices.

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is monitoring the situation and analyzing the case in order to launch threat-hunting campaigns where warranted. This advisory will be updated if required.
