Axios Compromised on npm: Cross-Platform RAT Dropped via Hijacked Maintainer Account
๐ข Update: The malicious packages have been removed from npm. Both [email protected] and [email protected] have been unpublished. Additionally, plain-crypto-js has been unpublished and locked to version 0.0.1-security.0 by npmjs.
TLDR:
axiosis an HTTP Client library onnpmwith over 100 million weekly downloads.[email protected]and[email protected]were compromised onnpmvia a hijacked maintainer account.- The attacker compromised the npm account of
jasonsaayman, the lead maintainer of the Axios project. - The attacker injected a fake dependency (
plain-crypto-js) that runs a postinstall script to drop a cross-platform RAT (remote access trojan) on macOS, Windows, and Linux. - The malicious release was published directly via the npm CLI, bypassing GitHub Actions CI/CD entirely โ no matching commit or tag exists in the Axios repo.
- All payloads contact a C2 server at
sfrclak.com, deliver second-stage malware, then self-destruct.
On March 31, 2026, security researchers at StepSecurity disclosed that two malicious versions of Axios โ the most popular HTTP client library in the JavaScript ecosystem, with over 100 million weekly downloads โ had been published to the npm registry. The compromised versions, [email protected] and [email protected], were deployed using hijacked maintainer credentials and deliver a cross-platform remote access trojan (RAT) to any machine that installs them.
This is being described by StepSecurity as one of the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package.
What Happened
The attacker compromised the npm account of jasonsaayman, the lead maintainer of the Axios project. Once inside, they changed the account's registered email to an anonymous ProtonMail address ([email protected]) and used the npm CLI to manually publish poisoned packages โ bypassing the project's standard GitHub Actions CI/CD pipeline entirely.
A critical forensic detail: there is no corresponding commit or tag in the Axios GitHub repository for version 1.14.1. The release exists only on npm. Legitimate Axios releases are published via GitHub Actions using npm's OIDC Trusted Publisher mechanism, which cryptographically ties each publish event to a verified workflow. The attacker circumvented this by obtaining a long-lived classic npm access token for the account.
Both release branches โ 1.x and 0.x โ were hit within 39 minutes of each other, maximizing the number of projects exposed.
How the Attack Works
Neither malicious version contains a single line of malicious code inside the Axios source itself. Instead, the attacker injected a new dependency: [email protected]. This package is never imported anywhere in Axios โ its sole purpose is to execute a postinstall script that acts as a RAT dropper.
The plain-crypto-js package was pre-staged on npm roughly 18 hours before the Axios compromise, published from a separate throwaway account (nrwise, registered with [email protected]). It was carefully designed to appear legitimate, copying the description, author attribution, and repository URL from the real crypto-js package.
Once installed, the postinstall script detects the host operating system and deploys a platform-specific payload:
- macOS: An AppleScript-based dropper downloads a binary to
/Library/Caches/com.apple.act.mond, a path chosen to mimic Apple's naming conventions and avoid detection. The binary contacts a command-and-control server, then the dropper deletes itself. - Windows: A multi-stage PowerShell chain fetches and executes the payload, dropping it at
%PROGRAMDATA%\wt.exe. - Linux: A Python-based dropper is written to
/tmp/ld.pyand executed.
All payloads contact a live C2 server at sfrclak.com (IP: 142.11.206.73) via http://sfrclak.com:8000/6202033, deliver second-stage payloads, and then erase themselves โ replacing their own package.json with a clean decoy to evade forensic analysis.
Who Is Behind It
No attribution has been made public as of this writing. The investigation is ongoing. However, StepSecurity's initial analysis describes an operational profile consistent with a well-resourced and experienced threat actor:
- The malicious dependency was staged well in advance.
- Three separate payloads were pre-built for three operating systems.
- Both major release branches were compromised in a tightly coordinated window.
- The RAT used filesystem paths and naming conventions designed to blend in with legitimate system processes.
- Every trace was designed to self-destruct.
StepSecurity called this "among the most operationally sophisticated supply chain attacks ever documented against a top-10 npm package." The consistent use of ProtonMail across both the hijacked maintainer account and the throwaway publisher account is the only known operational pattern linking the actor's infrastructure.
Affected Versions
| Branch | Malicious Version | Safe Version |
|---|---|---|
| 1.x | 1.14.1 | 1.14.0 |
| 0.x | 0.30.4 | 0.30.3 |
What You Should Do Now
If you have installed either affected version, assume your system is compromised and take the following steps:
- Pin to safe versions immediately:
[email protected]or[email protected]. - Rotate all secrets, API keys, and credentials stored on or accessed by any affected machine.
- Audit network logs for outbound connections to
sfrclak.com,142.11.206.73, or the full C2 URLhttp://sfrclak.com:8000/6202033. - Check for filesystem indicators:
/Library/Caches/com.apple.act.mondon macOS,%PROGRAMDATA%\wt.exeon Windows, and/tmp/ld.pyon Linux. - Use
npm install --ignore-scriptsin CI environments to prevent postinstall scripts from executing. - Review your lock files โ if
plain-crypto-jsappears anywhere in your dependency tree, investigate immediately.
Indicators of Compromise
| Category | Indicator |
|---|---|
| Malicious npm packages | [email protected], [email protected], [email protected] |
| C2 domain | sfrclak.com |
| C2 IP | 142.11.206.73 |
| C2 URL | http://sfrclak.com:8000/6202033 |
| macOS artifact | /Library/Caches/com.apple.act.mond |
| Windows artifact | %PROGRAMDATA%\wt.exe |
| Linux artifact | /tmp/ld.py |
| Attacker email (maintainer) | [email protected] |
| Attacker email (staging account) | [email protected] |
The Bigger Picture
Axios receives over 100 million downloads per week. A developer running a routine npm install or npm update would have had no reason to suspect that the package was deploying malware. The malicious versions were published under the real maintainer's name, making them indistinguishable from legitimate releases at a glance.
This incident is the latest in a rapidly accelerating pattern of supply chain attacks targeting the JavaScript and open-source ecosystems. In September 2025, the Shai-Hulud attack compromised over 500 npm packages through a phishing campaign targeting maintainers. Just days ago, the TeamPCP actor weaponized 76 Trivy version tags overnight in a GitHub Actions supply chain attack, followed by a similar compromise of KICS using the same playbook. Today's Axios attack shows that the tactics are becoming more targeted, more patient, and harder to detect.
The open-source ecosystem's reliance on individual maintainer accounts as single points of trust remains its most critical vulnerability.
๐ข Update: The malicious packages have been removed from npm. Both [email protected] and [email protected] have been unpublished. Additionally, plain-crypto-js has been unpublished and locked to version 0.0.1-security.0 by npmjs.
Follow Titan Security on Twitter for updates.
