Supply Chain Attack of Axios NPM package - 02 April 2026

77/2026

Critical

April 2, 2026

11:31 am

A supply chain attack targeted the Axios NPM package, a widely used HTTP client in the JavaScript and Node.js ecosystem.

Malicious versions of the package were published to the official npm repository. When installed, these versions resulted in the deployment of a cross-platform Remote Access Trojan (RAT) affecting Windows, Linux, and macOS systems.

On March 30–31, 2026, attackers conducted a sophisticated supply chain attack by compromising a trusted Axios package maintainer account. This allowed them to publish two malicious versions of the package:

axios@1.14.1 (latest version)
axios@0.30.4 (legacy version)

Instead of modifying the core Axios code directly, the attackers introduced a malicious dependency named plain-crypto-js. This dependency abused npm’s post-installation mechanism to execute unauthorized code automatically during package installation.

As a result, a multi-platform Remote Access Trojan (RAT) is deployed across Windows, Linux, and macOS systems:

macOS: An AppleScript downloads a binary via curl.
Windows: A batch script downloads a PowerShell RAT.
Linux: A python RAT is downloaded to the temporary directory.

Capabilities of the Malware

Once executed, the Remote Access Trojan (RAT) can:

Execute commands remotely on the infected system
Download and run additional malicious tools or payloads
Access and exfiltrate sensitive data
Monitor system activity and processes
Maintain persistent access for further exploitation (in case of windows)

Anti-Forensic Techniques

The full compromise process occurs within approximately 15 seconds of installation. After execution, the malware performs anti-forensic cleanup, including:

Removing installation artifacts
Deleting the malicious post-install script
Replacing modified package files with benign decoy content

Mitigations

Sweep the environment for existing signs of the indicated IOCs and find out if there is a match.
Block the C2 domain sfrclak[.]com at your network perimeter.
Identify whether the affected versions (1.14.1, 0.30.4) were downloaded or executed in your environment. Immediately remove any malicious artifacts from endpoints, build systems, and production workloads.
Isolate the discovered machines.
Downgrade to the last known safe versions of Axios: 1.14.0 or 0.30.3.
Scan affected systems for secrets (e.g., environment variables, API keys, tokens) and rotate them accordingly.

References

https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.