Close Menu
    What's Hot

    The great AI layoff is turning into the great AI rehire

    Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines

    How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News

    Facebook X (Twitter) Instagram
    Trending
    • The great AI layoff is turning into the great AI rehire
    • Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines
    • How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News
    • Wayfair Coupons: Up to 80% Off July 2026
    • Today on Sky Sports Racing: Bath, Lingfield, Yarmouth and Uttoxeter | Racing News
    • OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
    • Years After He Quit Smoking, a Lung Cancer Scan Saved His Life
    • South China Sea Nine-Dash Line Ruling, 10 Years On
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

    adminBy adminMarch 31, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

    The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency.

    Versions 1.14.1 and 0.30.4 of Axios have been found to inject “plain-crypto-js” version 4.2.1 as a fake dependency.

    According to StepSecurity, the two versions were published using the compromised npm credentials of the primary Axios maintainer (“jasonsaayman”), allowing the attackers to bypass the project’s GitHub Actions CI/CD pipeline.

    “Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux,” security researcher Ashish Kurmi said. “The dropper contacts a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.”

    Users who have Axios versions 1.14.1 or 0.30.4 installed are required to rotate their secrets and credentials with immediate effect, and downgrade to a safe version (1.14.0 or 0.30.3). The malicious versions, as well as “plain-crypto-js,” are no longer available for download from npm.

    With more than 83 million weekly downloads, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across frontend frameworks, backend services, and enterprise applications.

    Cybersecurity

    “This was not opportunistic,” Kurmi added. “The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.”

    The timeline of the attack is as follows –

    • March 30, 2026, 05:57 UTC – A clean version of the package “plain-crypto-js@4.2.0” is published.
    • March 30, 2026, 23:59 UTC – A new version (“plain-crypto-js@4.2.1”) with the payload added is published.
    • March 31, 2026, 00:21 UTC – A new version of Axios (“axios@1.14.1”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
    • March 31, 2026, 01:00 UTC – A new version of Axios (“axios@0.30.4”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.

    According to StepSecurity, the threat actor behind the campaign is said to have compromised the npm account of “jasonsaayman” and changed its registered email address to a Proton Mail address under their control (“ifstap@proton.me”). The “plain-crypto-js” was published by an npm user named “nrwise” with the email address “nrwise@proton.me.”

    It’s believed that the attacker obtained a long-lived classic npm access token for the account to take control and directly publish poisoned versions of Axios to the registry.

    The embedded malware, for its part, is launched via an obfuscated Node.js dropper (“setup.js”) and is designed to branch into one of three attack paths based on the operating system –

    • On macOS, it runs an AppleScript payload to fetch a trojan binary from an external server (“sfrclak.com:8000”), save it as “/Library/Caches/com.apple.act.mond,” change its permissions to make it executable, and launch it in the background via /bin/zsh. The AppleScript file is deleted after execution to cover up the tracks.
    • On Windows, it locates the PowerShell binary path, copies it to the “%PROGRAMDATA%\wt.exe” (disguising it as the Windows Terminal app), and writes a Visual Basic Script (VBScript) to the temp directory and executes it. The VBScript contacts the same server to fetch a PowerShell RAT script and execute it. The downloaded file is deleted.
    • On other platforms (e.g., Linux), the dropper runs a shell command via Node.js’s execSync to fetch a Python RAT script from the same server, save it to “/tmp/ld.py,” and execute it in the background using the nohup command.

    “Each platform sends a distinct POST body to the same C2 URL — packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux),” StepSecurity said. “This allows the C2 server to serve a platform-appropriate payload in response to a single endpoint.”

    The downloaded second-stage binary for macOS is a C++ RAT that fingerprints the system and beacons to a remote server every 60 seconds to retrieve commands for subsequent execution. It supports capabilities to run additional payloads, execute shell commands, enumerate the file system, and terminate the RAT.

    SafeDep’s analysis of the Linux RAT has revealed that it supports the same commands as its macOS counterpart. The absence of a persistence mechanism means that the malware does not survive across reboots. This indicates that the attack is either geared towards quick data exfiltration or leverages the RAT’s ability to run binaries and shell commands to deploy persistence.

    “The attack is notable for its restraint. No axios source files were modified, making traditional diff-based code review less likely to catch it,” SafeDep said. “The malicious behavior lives entirely in a transitive dependency, triggered automatically by npm’s postinstall lifecycle.”

    Once the main payload is launched, the Node.js malware also takes steps to perform three forensic cleanup steps by removing the postinstall script from the installed package directory, deleting the “package.json” the references the postinstall hook to launch the dropper, and renaming “package.md” to “package.json.”

    It’s worth noting that the “package.md” file is included in “plain-crypto-js” and is a clean “package.json” manifest without the postinstall hook that triggers the entire attack. In switching the package manifests, the idea is to avoid raising any red flags during post-infection inspection of the package.

    Cybersecurity

    “Neither malicious version contains a single line of malicious code inside Axios itself,” StepSecurity said. “Instead, both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the Axios source, whose only purpose is to run a postinstall script that deploys a cross-platform remote access trojan (RAT).”

    Users are advised to perform the following actions to ascertain compromise –

    • Check for the malicious Axios versions.
    • Check for RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%\wt.exe” (Windows), and “/tmp/ld.py” (Linux).
    • Downgrade to Axios versions 1.14.0 or 0.30.3.
    • Remove “plain-crypto-js” from the “node_modules” directory.
    • If RAT artifacts are detected, assume compromise and rotate all credentials on the system.
    • Audit CI/CD pipelines for runs that installed the affected versions.
    • Block egress traffic to the command-and-control domain (“sfrclak[.]com”)

    Socket, in its own analysis of the attack, said identified two additional packages distributing the same malware through vendored dependencies –

    In the case of “@shadanai/openclaw,” the package vendors the malicious “plain-crypto-js” payload directly (e.g., @shadanai/openclaw/files/2026.3.31-1/dist/extensions/slack/node_modules/plain-crypto-js/setup.js). On the other hand, “@qqbrowser/openclaw-qbot@0.0.130,” ships a tampered “axios@1.14.1” in its “node_modules/” folder with “plain-crypto-js” injected as a dependency.

    “The real axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” the supply chain security company said. “The addition of plain-crypto-js is unambiguous tampering. When npm processes this vendored axios, it installs plain-crypto-js and triggers the same malicious postinstall chain.”

    account attack Axios Chain Compromised CrossPlatform npm pushes RAT Supply
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleEskom profits rise again but tariff hikes remain the real story – The Mail & Guardian
    Next Article 50 years of Apple pushing tech forward, for better or worse
    admin
    • Website

    Related Posts

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026

    How Pentera Turns AI Security Workflows into Validation Engines

    July 15, 2026

    Study of 85 Crypto Wallet Extensions Finds Address Leaks and Cross-Site Tracking Risks

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    The great AI layoff is turning into the great AI rehire

    Trump Says His Thursday Speech Will Focus on Election Security and Voting Machines

    How the failed 2016 coup reshaped Turkiye’s civil-military relations | Turkey Attempted Coup News

    Wayfair Coupons: Up to 80% Off July 2026

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by