
The popular HTTP client Axios came under a supply chain attack after a malicious dependency was introduced in two newly published versions of the npm package.
Axios versions 1.14.1 and 0.30.4 were found to inject “plain-crypto-js” version 4.2.1 as a bogus dependency.
According to StepSecurity, these two versions were published using the compromised npm credentials of a key Axios maintainer (‘jasonsaayman’), allowing the attackers to bypass the project’s GitHub Actions CI/CD pipeline entirely.
“Its sole purpose is to run a post-installation script that acts as a cross-platform remote access Trojan (RAT) dropper targeting macOS, Windows, and Linux,” said security researcher Ashish Kurmi. “The dropper connects to a live command and control server and delivers a platform-specific second stage payload. After execution, the malware removes itself and replaces its package.json with a clean version to evade forensic detection.”
Users who have Axios version 1.14.1 or 0.30.4 installed should immediately rotate their secrets and credentials and downgrade to a secure version (1.14.0 or 0.30.3). The malicious version and “plain-crypto-js” are no longer available for download from npm.
With over 83 million downloads each week, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across front-end frameworks, back-end services, and enterprise applications.
“This was not opportunism,” Kurmi added. “The malicious dependency was staged 18 hours ago. Three separate payloads were pre-built for three operating systems. It hit both release branches within 39 minutes. All traces were designed to self-destruct.”
The timeline of the attack is as follows:
March 30, 2026, 05:57 UTC – A clean version of the package, ‘plain-crypto-js@4.2.0’, is published.
March 30, 2026, 23:59 UTC – A new version, ‘plain-crypto-js@4.2.1’, is published with the added payload.
March 31, 2026, 00:21 UTC – A new version of Axios (‘axios@1.14.1’) that injects ‘plain-crypto-js@4.2.1’ as a runtime dependency is published using the compromised ‘jasonsaayman’ account.
March 31, 2026, 01:00 UTC – A new version of Axios (‘axios@0.30.4’) that injects ‘plain-crypto-js@4.2.1’ as a runtime dependency is published using the compromised ‘jasonsaayman’ account.
According to StepSecurity, the attackers behind this campaign allegedly compromised the npm account of ‘jasonsaayman’ and changed its registered email address to a Proton Mail address they control (‘ifstap@proton.me’). ‘plain-crypto-js’ was published by an npm user named ‘nrwise’ with the email address ‘nrwise@proton.me’.
The attackers are believed to have obtained a long-lived classic npm access token in order to take control of the account and publish a poisoned version of Axios directly to the registry.
The embedded malware is launched via an obfuscated Node.js dropper (‘setup.js’) and is designed to branch into one of three attack paths based on the operating system.
On macOS, it executes an AppleScript payload that retrieves the Trojan binary from an external server (‘sfrclak.com:8000’), saves it as ‘/Library/Caches/com.apple.act.mond’, marks it executable, and launches it in the background via /bin/zsh. The AppleScript files are deleted after execution to cover its tracks.
On Windows, it locates the PowerShell binary, copies it to “%PROGRAMDATA%\wt.exe” (disguised as the Windows Terminal executable), writes a Visual Basic Script (VBScript) file to a temporary directory, and runs it. The VBScript connects to the same server to retrieve and run PowerShell RAT scripts, after which the downloaded files are deleted.
On other platforms (such as Linux), the dropper runs shell commands via Node.js’ execSync, fetches a Python RAT script from the same server, stores it as “/tmp/ld.py”, and runs it in the background using nohup.

“Each platform sends a different POST body to the same C2 URL: packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux),” StepSecurity says. “This allows C2 servers to serve platform-appropriate payloads in response to a single endpoint.”
The second-stage binary downloaded on macOS is a C++ RAT that fingerprints the system and beacons to a remote server every 60 seconds to retrieve commands for execution. It supports executing additional payloads, running shell commands, enumerating the file system, and terminating the RAT.
Once the main payload is launched, the Node.js dropper also performs three anti-forensic cleanup steps: it removes the post-install script from the installed package directory, deletes the “package.json” that references the post-install hook used to launch the dropper, and renames “package.md” to “package.json”.
Note that “package.md” ships inside “plain-crypto-js” as a clean “package.json” manifest without the post-install hook that triggers the entire attack. Swapping the manifests is meant to avoid raising red flags during post-infection inspection of the installed package.
“Both malicious versions do not contain a single line of malicious code inside Axios itself,” StepSecurity said. “Instead, both inject a bogus dependency, plain-crypto-js@4.2.1. This package is not imported anywhere in the Axios sources. Its sole purpose is to run a post-installation script that deploys a cross-platform remote access Trojan (RAT).”
Users are advised to take the following steps to determine whether they have been affected:
Check whether a malicious Axios version (1.14.1 or 0.30.4) is installed.
Check for RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%\wt.exe” (Windows), and “/tmp/ld.py” (Linux).
Downgrade to Axios version 1.14.0 or 0.30.3.
Delete “plain-crypto-js” from the “node_modules” directory.
If a RAT artifact is detected, assume compromise and rotate all credentials on the system.
Audit CI/CD pipeline runs that installed the affected versions.
Block outgoing traffic to the command and control domain (“sfrclak[.]com”).
Socket said its own analysis of the attack identified two additional packages that distribute the same malware through vendored dependencies.
In the case of “@shadanai/openclaw”, the malicious “plain-crypto-js” package is embedded deep within a vendored path. Meanwhile, “@qqbrowser/openclaw-qbot@0.0.130” ships a modified “axios@1.14.1” in its node_modules.
“Actual axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” the supply chain security firm said. “The addition of plain-crypto-js is a clear tampering. When npm processes this vendor’s axios, plain-crypto-js is installed and triggers the same malicious post-installation chain.”
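The audit steps listed above, Socket’s observation that genuine axios declares only three dependencies, and the manifest swap the dropper performs after infection can be folded into one offline check of a project’s lockfile. The following Node.js script is an added example written for this article, not code from StepSecurity, Socket or the Axios project. The package-lock.json and package.json it scans are constructed here to mirror the vendored-axios pattern Socket describes; the package name “vendor-pkg” is hypothetical, and the exact postinstall command in the constructed manifest is an assumption (the article only names the dropper file, “setup.js”).

```javascript
// Added example: audit an npm v2/v3 package-lock.json for the indicators
// this article reports. Not StepSecurity's, Socket's or Axios' code.

const MALICIOUS_AXIOS = new Set(['1.14.1', '0.30.4']);
const BOGUS_DEP = 'plain-crypto-js';
// Genuine axios depends only on these three packages (per Socket).
const GENUINE_AXIOS_DEPS = new Set(['follow-redirects', 'form-data', 'proxy-from-env']);
// npm lifecycle hooks that execute code at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed sample lockfile (lockfileVersion 3 layout): the root project
// pins a clean axios, while a hypothetical package "vendor-pkg" ships its own
// nested axios@1.14.1 that pulls in plain-crypto-js, mirroring Socket's finding.
// npm sets "hasInstallScript" on packages whose manifest declares install hooks.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '^1.14.0', 'vendor-pkg': '0.0.1' } },
    'node_modules/axios': {
      version: '1.14.0',
      dependencies: { 'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'proxy-from-env': '^1.1.0' },
    },
    'node_modules/vendor-pkg': { version: '0.0.1', dependencies: { axios: '1.14.1' } },
    'node_modules/vendor-pkg/node_modules/axios': {
      version: '1.14.1',
      dependencies: {
        'follow-redirects': '^1.15.6', 'form-data': '^4.0.4', 'proxy-from-env': '^1.1.0',
        'plain-crypto-js': '4.2.1',
      },
    },
    'node_modules/vendor-pkg/node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
  },
});

// Constructed manifest with a post-install hook of the kind the article
// describes. The command string is an assumption; only "setup.js" is reported.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'plain-crypto-js',
  version: '4.2.1',
  scripts: { postinstall: 'node setup.js' },
});

// Package name from a lockfile path: everything after the last "node_modules/",
// so scoped names such as "@scope/pkg" are preserved.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Walk every installed package, including vendored (nested) copies, and
// return one finding per indicator hit.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    if (name === BOGUS_DEP) {
      findings.push({ kind: 'bogus-dependency', path: lockPath, version: entry.version });
    }
    if (name === 'axios') {
      if (MALICIOUS_AXIOS.has(entry.version)) {
        findings.push({ kind: 'malicious-axios', path: lockPath, version: entry.version });
      }
      // Any dependency beyond the genuine three indicates a tampered axios.
      const extra = Object.keys(entry.dependencies || {}).filter((d) => !GENUINE_AXIOS_DEPS.has(d));
      if (extra.length > 0) {
        findings.push({ kind: 'tampered-axios-deps', path: lockPath, extra });
      }
    }
    if (entry.hasInstallScript) {
      findings.push({ kind: 'install-script', path: lockPath, version: entry.version });
    }
  }
  return findings;
}

// List install-time lifecycle hooks declared in a package.json. Run this on
// the manifest from the registry tarball before installing: after infection
// the dropper replaces the on-disk manifest with a clean copy, so a
// post-install review of node_modules would miss it.
function installHooks(manifestText) {
  const scripts = JSON.parse(manifestText).scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Stand-alone run over the constructed inputs.
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
for (const h of installHooks(SAMPLE_MANIFEST)) console.log(JSON.stringify(h));
```

To use it on a real project, read package-lock.json with fs.readFileSync and pass the text to auditLockfile; the nested-path walk is what catches a vendored axios like the one in @qqbrowser/openclaw-qbot, which a check of the top-level axios version alone would miss. The lockfile audit covers only the first and fourth steps of the checklist; the RAT artifact paths still have to be checked on disk, and CI/CD run logs audited separately.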
