
The hijacked maintainer account was used to publish two malicious versions of one of JavaScript's most popular libraries.
An attacker compromised the npm account of a lead Axios maintainer on March 30 and used it to publish two malicious versions of the widely used JavaScript HTTP client library, according to StepSecurity. The poisoned releases, axios@1.14.1 and axios@0.30.4, injected a hidden dependency that silently installed a cross-platform remote access trojan (RAT) on developer machines running macOS, Windows, and Linux. Axios is downloaded roughly 100 million times per week on npm.
Both malicious versions added a single new dependency to the package manifest: plain-crypto-js@4.2.1, a purpose-built trojan disguised as the legitimate crypto-js library. The package was never imported or referenced anywhere in Axios source code. Its only function was to execute a postinstall script that contacted a command-and-control server at sfrclak.com, downloaded a platform-specific RAT payload, and then destroyed all evidence of its own execution.
The attack was staged across roughly 18 hours, with an attacker-controlled npm account publishing a clean decoy version of plain-crypto-js at 05:57 UTC on March 30 to establish publishing history. The malicious payload version followed at 23:59 UTC. The compromised Axios maintainer account, jasonsaayman, then published axios@1.14.1 at 00:21 UTC on March 31, followed by axios@0.30.4 at 01:00 UTC, covering both the modern 1.x and legacy 0.x release branches within 39 minutes of each other.
StepSecurity's runtime analysis confirmed that the dropper made its first outbound connection to the C2 server just 1.1 seconds after npm install began. On macOS, the RAT binary was written to /Library/Caches/com.apple.act.mond, mimicking an Apple system process. On Windows, the malware copied PowerShell to %PROGRAMDATA%\wt.exe and executed a hidden script. On Linux, it downloaded a Python-based RAT to /tmp/ld.py.
After execution, the dropper script, setup.js, deleted itself, removed the package.json that carried the malicious postinstall hook, and replaced it with a pre-staged clean stub reporting a different version number. A forensic inspection of the installed package directory after the fact would show nothing suspicious; the lockfile, however, still records what npm actually installed.
The malicious versions were live for approximately two to three hours before npm unpublished them and placed a security hold on plain-crypto-js. Neither compromised version appears in Axios's GitHub repository tags, confirming they were published directly to the npm registry outside the project's normal CI/CD pipeline.
StepSecurity, Snyk, Wiz, and Vercel have all published advisories recommending that any system where the malicious package ran should be treated as fully compromised, with all credentials rotated immediately. The GitHub issue tracking the incident is axios/axios#10604.