{"id":441,"date":"2026-03-31T07:42:54","date_gmt":"2026-03-31T07:42:54","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=441"},"modified":"2026-03-31T07:42:54","modified_gmt":"2026-03-31T07:42:54","slug":"axios-supply-chain-attack-pushes-cross-platform-rat-via-compromised-npm-account","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=441","title":{"rendered":"Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account"},"content":{"rendered":"<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhdY8iKA7o-K-4HkIjPMiBRWAn5vCvSNDu1sm09t10vWMzXO6cIblLHQyu1no-KBhq4W7EWS03zqvI4n_k9mYWCDsCVoiX4cwsV9T862WTq1yGb6VkX1ZGTa7MKZE43llbF9n2Py1mC2yhCIfRlXGkvya_NQ9lX7vZ32YW8pHZlw1dPZcI9eCrgysiWqSSR\/s1700-e365\/Axios-attack.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>The popular HTTP client known as <a href=\"https:\/\/www.npmjs.com\/package\/axios\" rel=\"noopener\" target=\"_blank\">Axios<\/a> has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.<\/p>\n<p>Versions 1.14.1 and 0.30.4 of Axios have been found to inject \u00ab<a href=\"https:\/\/www.npmjs.com\/package\/plain-crypto-js\" rel=\"noopener\" target=\"_blank\">plain-crypto-js<\/a>\u00bb version 4.2.1 as a fake dependency.<\/p>\n<p>According to StepSecurity, the two versions were <a href=\"https:\/\/github.com\/axios\/axios\/issues\/10604\" rel=\"noopener\" target=\"_blank\">published<\/a> using the compromised npm credentials of the primary Axios maintainer (\u00abjasonsaayman\u00bb), allowing the attackers to bypass the project&#8217;s GitHub Actions CI\/CD pipeline.<\/p>\n<p>\u00abIts sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux,\u00bb security researcher Ashish Kurmi <a href=\"https:\/\/www.stepsecurity.io\/blog\/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.\u00bb<\/p>\n<p>Users who have Axios versions 1.14.1 or 0.30.4 installed are required to rotate their secrets and credentials with immediate effect, and downgrade to a safe version (1.14.0 or 0.30.3). The malicious versions, as well as \u00abplain-crypto-js,\u00bb are no longer available for download from npm.<\/p>\n<p>With more than 83 million weekly downloads, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across frontend frameworks, backend services, and enterprise applications.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/not-fast-enough-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhlXM830ruQd2xT6M7JNeNRjaFa1onD12WjSCHihTFMTzbyfT9h-irPmXy_h3E1HGSs6sdv7FTmnyNVTM5kmSb7BuUtZe8gKoTQt99P1sSzRcqqXpOJP6eoAOhR3DGb6qHx9kOZ_HBZUMmVnsnd0DM7QfUp81bgzTvvgLww6oqB-EhnDfWXH5pWCYhAsyLs\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abThis was not opportunistic,\u00bb Kurmi added. \u00abThe malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.\u00bb<\/p>\n<p><a name=\"more\"\/><\/p>\n<p>The timeline of the attack is as follows &#8211;<\/p>\n<ul>\n<li>March 30, 2026, 05:57 UTC &#8211; A clean version of the package \u00abplain-crypto-js@4.2.0\u00bb is published.<\/li>\n<li>March 30, 2026, 23:59 UTC &#8211; A new version (\u00abplain-crypto-js@4.2.1\u00bb) with the payload added is published.<\/li>\n<li>March 31, 2026, 00:21 UTC &#8211; A new version of Axios (\u00abaxios@1.14.1\u00bb) that injects \u00abplain-crypto-js@4.2.1\u00bb as a runtime dependency is published using the compromised \u00abjasonsaayman\u00bb account.<\/li>\n<li>March 31, 2026, 01:00 UTC &#8211; A new version of Axios (\u00abaxios@0.30.4\u00bb) that injects \u00abplain-crypto-js@4.2.1\u00bb as a runtime dependency is published using the compromised \u00abjasonsaayman\u00bb account.<\/li>\n<\/ul>\n<p>According to StepSecurity, the threat actor behind the campaign is said to have compromised the npm account of \u00abjasonsaayman\u00bb and changed its registered email address to a Proton Mail address under their control (\u00abifstap@proton.me\u00bb). The \u00abplain-crypto-js\u00bb was published by an npm user named \u00abnrwise\u00bb with the email address \u00abnrwise@proton.me.\u00bb<\/p>\n<p>It&#8217;s believed that the attacker obtained a long-lived classic npm access token for the account to take control and directly publish poisoned versions of Axios to the registry.<\/p>\n<p>The embedded malware, for its part, is launched via an obfuscated Node.js dropper (\u00absetup.js\u00bb) and is designed to branch into one of three attack paths based on the operating system &#8211;<\/p>\n<ul>\n<li>On macOS, it runs an AppleScript payload to fetch a trojan binary from an external server (\u00absfrclak.com:8000\u00bb), save it as \u00ab\/Library\/Caches\/com.apple.act.mond,\u00bb change its permissions to make it executable, and launch it in the background via \/bin\/zsh. The AppleScript file is deleted after execution to cover up the tracks.<\/li>\n<li>On Windows, it locates the PowerShell binary path, copies it to the \u00ab%PROGRAMDATA%\\wt.exe\u00bb (disguising it as the Windows Terminal app), and writes a Visual Basic Script (VBScript) to the temp directory and executes it. The VBScript contacts the same server to fetch a PowerShell RAT script and execute it. The downloaded file is deleted.<\/li>\n<li>On other platforms (e.g., Linux), the dropper runs a shell command via Node.js\u2019s execSync to fetch a Python RAT script from the same server, save it to \u00ab\/tmp\/<a href=\"https:\/\/ld.py\" rel=\"noopener\" target=\"_blank\">ld.py<\/a>,\u00bb and execute it in the background using the nohup command.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZYI1-U2x1NxniUyNqyOamnEjLToB2HSDCTN_Xm8buVSkf_sO0eQQl5xZmMaNty8X4oAM-drrAaEQvym9MT7Fnmr3aVYhaFrXNNAyIe-pQ53z697lxLBeDGnbLYjQhU3xbJ9VdpYz8iPu13c5Bd5gigvFcz5Z5BTXE50UrXuqQbVgbikRy8vH8CwSAW7Gn\/s1700-e365\/works.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiZYI1-U2x1NxniUyNqyOamnEjLToB2HSDCTN_Xm8buVSkf_sO0eQQl5xZmMaNty8X4oAM-drrAaEQvym9MT7Fnmr3aVYhaFrXNNAyIe-pQ53z697lxLBeDGnbLYjQhU3xbJ9VdpYz8iPu13c5Bd5gigvFcz5Z5BTXE50UrXuqQbVgbikRy8vH8CwSAW7Gn\/s1700-e365\/works.jpg\" alt=\"\" border=\"0\" data-original-height=\"1056\" data-original-width=\"1211\"\/><\/a><\/div>\n<p>\u00abEach platform sends a distinct POST body to the same C2 URL \u2014 packages.npm.org\/product0 (macOS), packages.npm.org\/product1 (Windows), packages.npm.org\/product2 (Linux),\u00bb StepSecurity said. \u00abThis allows the C2 server to serve a platform-appropriate payload in response to a single endpoint.\u00bb<\/p>\n<p>The downloaded second-stage binary for macOS is a C++ RAT that fingerprints the system and beacons to a remote server every 60 seconds to retrieve commands for subsequent execution. It supports capabilities to run additional payloads, execute shell commands, enumerate the file system, and terminate the RAT.<\/p>\n<p>Once the main payload is launched, the Node.js malware also takes steps to perform three forensic cleanup steps by removing the postinstall script from the installed package directory, deleting the \u00abpackage.json\u00bb the references the postinstall hook to launch the dropper, and renaming \u00abpackage.md\u00bb to \u00abpackage.json.\u00bb<\/p>\n<p>It&#8217;s worth noting that the \u00abpackage.md\u00bb file is included in \u00abplain-crypto-js\u00bb and is a clean \u00abpackage.json\u00bb manifest without the postinstall hook that triggers the entire attack. In switching the package manifests, the idea is to avoid raising any red flags during post-infection inspection of the package.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/attack-stories-xmcyber-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi10JhdzuuQKeU6vIJGPRAeffB5FYR9ajRiOfpp6hmgsP5GCmDcMdEKpiEEUZjkua9Y9R__l-63FpqNwAFgZzIdNR5lPIJcvvyBKIAu_nN7Z1TJoVUXrEvfQcWlJ0QhqMshOARvU3_B94NJNDbp-SiKAVfPFPibh_jcBpTfSPmCFxxJkPqL44kIFXL1WGEo\/s728-e100\/fs-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>\u00abNeither malicious version contains a single line of malicious code inside Axios itself,\u00bb StepSecurity said. \u00abInstead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the Axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT).\u00bb<\/p>\n<p>Users are advised to perform the following actions to ascertain compromise &#8211;<\/p>\n<ul>\n<li>Check for the malicious Axios versions.<\/li>\n<li>Check for RAT artifacts: \u00ab\/Library\/Caches\/com.apple.act.mond\u00bb (macOS), \u00ab%PROGRAMDATA%\\wt.exe\u00bb (Windows), and \u00ab\/tmp\/ld.py\u00bb (Linux).<\/li>\n<li>Downgrade to Axios versions 1.14.0 or 0.30.3.<\/li>\n<li>Remove \u00abplain-crypto-js\u00bb from the \u00abnode_modules\u00bb directory.<\/li>\n<li>If RAT artifacts are detected, assume compromise and rotate all credentials on the system.<\/li>\n<li>Audit CI\/CD pipelines for runs that installed the affected versions.<\/li>\n<li>Block egress traffic to the command-and-control domain (\u00absfrclak[.]com\u00bb)<\/li>\n<\/ul>\n<p>Socket, in its own analysis of the attack, said identified two additional packages distributing the same malware through vendored dependencies &#8211;<\/p>\n<p>In the case of \u00ab@shadanai\/openclaw,\u00bb the package <a href=\"https:\/\/socket.dev\/npm\/package\/@shadanai\/openclaw\/files\/2026.3.31-1\/dist\/extensions\/slack\/node_modules\/plain-crypto-js\/setup.js\">vendors the malicious \u00abplain-crypto-js\u00bb payload<\/a> directly (e.g., @shadanai\/openclaw\/files\/2026.3.31-1\/dist\/extensions\/slack\/node_modules\/plain-crypto-js\/setup.js). On the other hand, \u00ab@qqbrowser\/openclaw-qbot@0.0.130,\u00bb ships a tampered \u00abaxios@1.14.1\u00bb in its \u00abnode_modules\/\u00bb folder with \u00abplain-crypto-js\u00bb injected as a dependency.<\/p>\n<p>\u00abThe real axios has only three dependencies (follow-redirects, form-data, proxy-from-env),\u00bb the supply chain security company <a href=\"https:\/\/socket.dev\/blog\/axios-npm-package-compromised\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe addition of plain-crypto-js is unambiguous tampering. When npm processes this vendored axios, it installs plain-crypto-js and triggers the same malicious postinstall chain.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency. Versions 1.14.1 and 0.30.4&hellip;<\/p>\n","protected":false},"author":1,"featured_media":442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[573,220,980,219,227,342,39,932,264,218],"class_list":["post-441","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-account","tag-attack","tag-axios","tag-chain","tag-compromised","tag-crossplatform","tag-npm","tag-pushes","tag-rat","tag-supply"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=441"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/441\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/442"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}