A popular HTTP client known as Axios has been hit with a supply chain issue after two recently published versions of the npm package were found to be vulnerable.
Versions 1.14.1 and 0.30.4 of Axios were found to install “plain-crypto-js” version 4.2.1 as a bogus dependency.
According to StepSecurity, these two versions were published using compromised npm credentials of the main Axios maintainer (“jasonsaayman”), allowing attackers to bypass the GitHub Actions CI/CD project pipeline.
“Its sole purpose is to run a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows and Linux,” security researcher Ashish Kurmi said. “The dropper connects to a live command-and-control server and retrieves a platform-specific second-stage payload. After execution, the malware removes itself and replaces its package.json with a clean version to evade forensic detection.”
Users with Axios versions 1.14.1 or 0.30.4 should promptly rotate their passwords and secrets, and downgrade to a safe version (1.14.0 or 0.30.3). The malicious versions, along with “plain-crypto-js,” are no longer available for download from npm.
With more than 83 million weekly downloads, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across front-end architecture, backend services and business applications.

“This was not an opportunistic attack,” Kurmi added. “The malicious package was staged 18 hours in advance. Three separate payloads were built in advance for the three platforms. Both release branches were hit within 39 minutes. Each path was designed to cover its tracks.”
The attack timeline is as follows:
- March 30, 2026, 05:57 UTC – A clean version of the package “plain-crypto-js@4.2.0” is published.
- March 30, 2026, 23:59 UTC – New version (“plain-crypto-js@4.2.1”) with added payload is published.
- March 31, 2026, 00:21 UTC – A new version of Axios (“axios@1.14.1”) that installs “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
- March 31, 2026, 01:00 UTC – A new version of Axios (“axios@0.30.4”) that installs “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
According to StepSecurity, the threat actor behind the campaign is said to have compromised the npm account of “jasonsaayman” and changed his registered email address to a Proton Mail address under their control (“ifstap@proton.me”). “plain-crypto-js” was published by npm user “nrwise” with the email address “nrwise@proton.me.”
It is believed that the attacker obtained a long-lived npm access token for the account and used it to publish the malicious versions of Axios directly to the registry, bypassing the CI/CD pipeline.
The malware is delivered via a Node.js dropper (“setup.js”) that branches into one of three attack paths depending on the operating system –
- On macOS, it runs an AppleScript payload to fetch the trojan binary from an external server (“sfrclak.com:8000”), save it as “/Library/Caches/com.apple.act.mond,” change its permissions to make it executable, and run it in the background via /bin/zsh. The AppleScript file is deleted after execution to cover the tracks.
- On Windows, it locates the PowerShell binary, copies it to “%PROGRAMDATA%\wt.exe” (masquerading as the Windows Terminal binary), then writes a Visual Basic Script (VBScript) to the temp directory and executes it. The VBScript contacts the same server to retrieve the PowerShell RAT script and execute it. The downloaded file is then deleted.
- On other platforms (e.g., Linux), the dropper runs a shell command with Node.js’s execSync to fetch the Python RAT script from the same server, store it in “/tmp/ld.py,” and execute it in the background using the nohup command.

“Each platform sends a unique POST body to the same C2 URL – packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux),” StepSecurity said. “This allows the C2 server to serve the right payload for each platform from a single endpoint.”
The second-stage binary downloaded for macOS is a C++ RAT that collects system fingerprints and beacons to a remote server every 60 seconds to receive commands. It supports running additional payloads, executing shell commands, reading the file system, and terminating the RAT.
Once the payload is launched, the Node.js malware also performs a three-step forensic cleanup: removing the postinstall script from the package’s installed directory, deleting the “postinstall” hook that launches the dropper from “package.json,” and renaming “package.md” to “package.json.”
It is worth noting that the “package.md” file ships inside “plain-crypto-js” and is a clean copy of “package.json” without the postinstall hook that triggers the whole attack. By swapping in the clean manifest, the idea is to avoid raising red flags during post-infection inspection of the package.

“There is not a single line of malicious code inside Axios itself,” StepSecurity said. “Instead, both install a bogus dependency, plain-crypto-js@4.2.1, a package that is not referenced anywhere in the Axios source, whose sole purpose is to run a postinstall script that drops a remote access trojan (RAT).”
Users are advised to take the following actions to check for compromise –
- Check for the affected Axios versions (1.14.1 and 0.30.4).
- Check the RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%\wt.exe” (Windows), and “/tmp/ld.py” (Linux).
- Downgrade to Axios versions 1.14.0 or 0.30.3.
- Remove “plain-crypto-js” from the “node_modules” directory.
- If RAT artifacts are found, treat the system as compromised and rotate all secrets on it.
- Check the CI/CD pipeline for runs that have installed the affected versions.
- Block egress traffic to the command-and-control domain (“sfrclak[.]com”).
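The checks above can be automated. The following Node.js script is an added example, not code from the article, StepSecurity, Socket or the Axios project: it audits the contents of a `package-lock.json` (lockfile v2/v3 `packages` map) for the affected Axios versions, for `plain-crypto-js` anywhere in the tree, including copies vendored inside other packages, and for Axios entries declaring a dependency outside the three legitimate ones, and it checks the host for the RAT artifact paths listed above. The two lockfiles embedded in it and the vendor package name `some-vendor-pkg` are constructed for illustration.

```javascript
// Added example (not from the article or the Axios project): read-only audit of a
// lockfile object and the local host for the indicators named in the article.

// Indicators taken from the article.
const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const MALICIOUS_PACKAGE = "plain-crypto-js";
// Legitimate axios runtime dependencies, as quoted by Socket.
const EXPECTED_AXIOS_DEPS = new Set(["follow-redirects", "form-data", "proxy-from-env"]);
// RAT artifact paths named in the article; %PROGRAMDATA% is expanded at check time.
const RAT_ARTIFACTS = [
  "/Library/Caches/com.apple.act.mond",
  "%PROGRAMDATA%\\wt.exe",
  "/tmp/ld.py",
];

function isAffectedAxios(version) {
  return AFFECTED_AXIOS_VERSIONS.has(version);
}

// Package name from a lockfile v2/v3 "packages" key, handling nested and scoped
// installs such as "node_modules/a/node_modules/@scope/b".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk every installed package, including copies vendored by other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not an installed package
    const name = packageNameFromKey(key);
    if (name === "axios") {
      if (isAffectedAxios(entry.version)) {
        findings.push({ kind: "affected-axios-version", path: key, version: entry.version });
      }
      for (const dep of Object.keys(entry.dependencies || {})) {
        if (!EXPECTED_AXIOS_DEPS.has(dep)) {
          findings.push({ kind: "unexpected-axios-dependency", path: key, dependency: dep });
        }
      }
    }
    if (name === MALICIOUS_PACKAGE) {
      findings.push({
        kind: "malicious-package-present",
        path: key,
        version: entry.version,
        // npm records hasInstallScript for packages that declare install hooks.
        hasInstallScript: entry.hasInstallScript === true,
      });
    }
  }
  return findings;
}

// Expand %PROGRAMDATA% and report which artifact paths exist. `exists` is injected
// (e.g. require("fs").existsSync) so the same check runs against a host or a test stub.
function findRatArtifacts(exists, env = process.env) {
  return RAT_ARTIFACTS
    .map((p) => p.replace("%PROGRAMDATA%", env.PROGRAMDATA || "C:\\ProgramData"))
    .filter((p) => exists(p));
}

// Constructed lockfile: an affected axios at top level plus a vendored copy.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0", "plain-crypto-js": "4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/some-vendor-pkg/node_modules/axios": {
      version: "1.14.1",
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0", "plain-crypto-js": "4.2.1" },
    },
  },
};

// Constructed clean lockfile on a safe version, for comparison.
const CLEAN_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.0",
      dependencies: { "follow-redirects": "^1.15.6", "form-data": "^4.0.0", "proxy-from-env": "^1.1.0" },
    },
  },
};

// CLI use: node audit.js [path/to/package-lock.json]; without an argument it audits SAMPLE_LOCK.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(JSON.stringify(f));
  for (const p of findRatArtifacts(fs.existsSync)) console.log("RAT artifact present:", p);
}
```

Run it against each project's lockfile and against CI caches; because it walks every `node_modules/` segment of each key, it also catches the vendored `axios@1.14.1` case that Socket describes, which a top-level `npm ls axios` can miss. A `hasInstallScript: true` entry for an unfamiliar package is worth a look even when the package name is not on a blocklist.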
Socket, in its analysis of the attack, said that two additional packages carry the same malware through vendored dependencies –
In the case of “@shadanai/openclaw,” the malicious “plain-crypto-js” package is vendored inside the package. “@qqbrowser/openclaw-qbot@0.0.130,” on the other hand, bundles the compromised “axios@1.14.1” in its node_modules.
“Legitimate axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” the supply chain security company said. “The addition of plain-crypto-js is a clear red flag. When npm processes these vendored axios copies, it installs plain-crypto-js and triggers the same malicious postinstall chain.”