Axios npm Package Hijacked to Distribute Cross-Platform Malware

Marcus Rodriguez
April 6, 2026

Key Takeaways

  • A sophisticated supply chain attack compromised the npm package for Axios, a widely used JavaScript library, on March 30, 2026.
  • Attackers gained control of the lead maintainer’s npm account, publishing malicious versions [email protected] and [email protected].
  • These compromised versions installed a cross-platform remote access trojan (RAT) on Windows, macOS, and Linux systems.
  • Organizations across government, finance, healthcare, manufacturing, retail, and technology sectors were affected.

Supply Chain Attack Unleashes Cross-Platform Malware via Compromised Axios npm Package

In a significant supply chain attack on March 30, 2026, threat actors leveraged Axios, one of the most widely adopted JavaScript libraries globally, to deploy sophisticated malware. By injecting malicious code into the Axios npm package, the attackers silently compromised developer machines running Windows, macOS, and Linux operating systems.

With over 100 million weekly downloads, Axios stands as the preeminent HTTP client within the JavaScript ecosystem. This makes the incident one of the most extensive supply chain compromises observed to date, impacting a vast array of development environments.

Attack Vector: Compromised Maintainer Account

The attack originated from an unauthorized takeover of the npm account belonging to Jason Saayman, the primary maintainer of the Axios project. The perpetrators stealthily altered the account’s registered email address to a ProtonMail address under their control, thereby securing full administrative privileges.

Utilizing a stolen npm access token, the attacker proceeded to manually publish two poisoned versions of Axios: [email protected] and [email protected]. These malicious releases were pushed within a 39-minute window, targeting both the current and legacy branches of the library. Notably, neither of these versions corresponds to any official commit, tag, or release in the authentic Axios GitHub repository.

GitHub issue #10604 — the Axios collaborator confirming the compromised maintainer has admin permissions (Source - Trend Micro)

Forensic Analysis Reveals Widespread Impact

Researchers Peter Girnus and Jacob Santos from Trend Micro conducted a comprehensive forensic investigation into the incident, meticulously charting the full infection chain and assessing the scope of the damage. Their analysis indicated that, at the time of their study, the threat had already infiltrated organizations across critical sectors including government, finance, healthcare, manufacturing, retail, and technology. Telemetry data further corroborated active exploitation during the window of the attack.

The two compromised Axios versions contained a deceptive addition to their package manifest: a “phantom dependency” named [email protected]. This package was not legitimately imported or referenced anywhere within the 86 files of the Axios source code. Its sole purpose was to activate npm’s automatic postinstall hook upon installation. Once triggered, this hook would deploy a cross-platform remote access trojan (RAT) onto the victim’s system. Following successful execution, the malware self-deleted its dropper script, replacing it with a clean decoy to make the node_modules folder appear benign and evade detection.

Infection flow of the malicious npm dependency leading to compromise (Source - Trend Micro)

The attackers executed their operation with meticulous planning over approximately 18 hours. Initially, they published a clean decoy version of plain-crypto-js to establish a benign registry history, aiming to avoid immediate suspicion. Several hours later, they registered the command-and-control (C2) server before finally pushing the malicious payload. This attack also effectively bypassed GitHub Actions’ OIDC Trusted Publisher safeguards, which typically link npm releases to verified CI workflows. The manual publication using a stolen token meant no cryptographic binding or gitHead reference was present in the metadata, circumventing these protective measures.

Inside the RAT Dropper

The dropper component, named setup.js, employed a two-layered obfuscation scheme to elude automated security scanners. The inner layer utilized a custom XOR cipher with the key “OrDeR_7077” and a quadratic index pattern to randomize character-access sequences. The outer layer was responsible for reversing encoded strings, restoring base64 padding, and then passing the result through the inner cipher. All module names for critical functions, including file system access, shell execution, and platform detection, were dynamically decoded at runtime via require() calls, rendering them invisible to static analysis tools.

Upon execution, the dropper identified the operating system and launched the corresponding payload. On macOS, it retrieved a binary via AppleScript, saving it to a path designed to mimic a legitimate Apple system daemon. For Windows systems, the dropper used a VBScript launcher to execute a PowerShell RAT entirely in memory, without writing any payload to disk. This PowerShell binary was disguised as “Windows Terminal.” On Linux, a Python RAT was downloaded and started as a detached background process, orphaned to PID 1 so that it persisted beyond the npm installation session. The C2 server, sfrclak[.]com, was registered merely eight hours before the malicious payload became active, indicating a disposable infrastructure strategy aimed at minimizing the attacker’s footprint.

wt.exe executes the final payload entirely in memory, running the attacker's script without writing it to disk (Source - Trend Micro)

What You Should Do

  • Update Axios: Developers who installed the malicious versions ([email protected] or [email protected]) should immediately downgrade or pin their projects to known-good versions like [email protected] or [email protected].
  • Remove Malicious Dependency: Ensure the plain-crypto-js directory is removed from your node_modules folder.
  • System Rebuild: Any system identified with RAT artifacts should be rebuilt from a trusted, clean state rather than attempting an in-place cleanup.
  • Credential Rotation: Promptly rotate all credentials that were accessible during the compromise window, including npm tokens, cloud keys, CI/CD secrets, and SSH keys.
  • Harden CI/CD Pipelines: Implement npm ci --ignore-scripts in CI/CD pipelines to prevent the automatic execution of postinstall hooks, which was the primary mechanism for this attack.
  • Network Block: Block access to the command-and-control server, sfrclak[.]com, at the network perimeter.
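The phantom-dependency and lifecycle-script indicators described above can be checked against a project's package-lock.json before anything is installed. The following Node.js script is an added example written for this article, not code from Trend Micro or the Axios project; it relies on the lockfile v2/v3 "packages" map and the hasInstallScript flag npm records there, and uses a constructed lockfile excerpt with "9.9.9-bad" standing in for a compromised version.

```javascript
// Added example: audit a package-lock.json (lockfile v2/v3 "packages" map) for the
// indicators in the Axios incident. Not code from the report or the Axios project.

// Returns the names of every package whose manifest depends on `name` ([] if none).
function findDependentsOf(lock, name) {
  const dependents = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.optionalDependencies || {}) };
    if (name in deps) dependents.push(path === "" ? "(root)" : path.split("node_modules/").pop());
  }
  return dependents;
}

// Returns installed package paths that npm would run install/postinstall hooks for.
// npm sets hasInstallScript on such packages when it writes the lockfile.
function findInstallScriptPackages(lock) {
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path]) => path);
}

// Returns every installed copy of `name` (nested copies included) whose version is in `badVersions`.
function findBadVersions(lock, name, badVersions) {
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path.endsWith("node_modules/" + name) && badVersions.has(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Combines the three checks into a list of human-readable findings.
// `badVersions` should hold the compromised axios versions named in the advisory.
function auditLock(lock, badVersions) {
  const findings = [];
  const phantomDependents = findDependentsOf(lock, "plain-crypto-js");
  if (phantomDependents.length) findings.push(`plain-crypto-js pulled in by: ${phantomDependents.join(", ")}`);
  for (const p of findInstallScriptPackages(lock)) findings.push(`install script in ${p}`);
  for (const b of findBadVersions(lock, "axios", badVersions)) findings.push(`compromised axios ${b.version} at ${b.path}`);
  return findings;
}

// Constructed sample lockfile: axios pulls in the phantom dependency, which declares an install hook.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "9.9.9-bad" } },
    "node_modules/axios": { version: "9.9.9-bad", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.1", hasInstallScript: true },
    "node_modules/follow-redirects": { version: "1.15.0" }
  }
};
console.log(auditLock(SAMPLE_LOCK, new Set(["9.9.9-bad"])));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")). Note that --ignore-scripts also suppresses legitimate build hooks (native addons, for example), so packages that the install-script check surfaces need an explicit allowlist rather than a blanket exception.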
