Axios Supply Chain Attack Pushes Cross-Platform RAT with Compromised npm Account

A popular HTTP client known as Axios has suffered a supply chain attack after two recently published versions of the npm package introduced malicious dependencies.
Versions 1.14.1 and 0.30.4 of Axios were found to pull in “plain-crypto-js” version 4.2.1 as a bogus dependency.
According to StepSecurity, these two versions were published using the compromised npm credentials of an Axios maintainer (“jasonsaayman”), allowing the attackers to bypass the project's GitHub Actions CI/CD pipeline entirely.
“Its sole purpose is to use an installation script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux,” said security researcher Ashish Kurmi. “The dropper communicates with a live command and control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its package.json with a clean version to avoid expert detection.”
Users with Axios versions 1.14.1 or 0.30.4 installed need to change their passwords and credentials immediately, and downgrade to a secure version (1.14.0 or 0.30.3). The malicious versions, along with “plain-crypto-js,” are no longer available for download from npm.
With more than 83 million weekly downloads, Axios is one of the most widely used HTTP clients in the JavaScript ecosystem across front-end frameworks, back-end services, and business applications.
“This was not by chance,” added Kurmi. “A brutal attack was planned 18 hours in advance. Three different payloads were designed in advance for three operating systems. Both branches were released within 39 minutes. All payloads were designed to self-destruct.”
The attack timeline is as follows –
- March 30, 2026, 05:57 UTC – A clean version of the package (“plain-crypto-js@4.2.0”) is published.
- March 30, 2026, 23:59 UTC – A new version (“plain-crypto-js@4.2.1”) carrying the additional payload is published.
- March 31, 2026, 00:21 UTC – A new version of Axios (“axios@1.14.1”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
- March 31, 2026, 01:00 UTC – A new version of Axios (“axios@0.30.4”) that injects “plain-crypto-js@4.2.1” as a runtime dependency is published using the compromised “jasonsaayman” account.
According to StepSecurity, the threat actor behind the campaign is said to have compromised the npm account of “jasonsaayman” and changed its registered email address to a Proton Mail address (“ifstap@proton.me”). “plain-crypto-js” was published by an npm user named “nrwise” with the email address “nrwise@proton.me.”
It is believed that the attacker obtained an old long-lived npm access token for the account, took control of it, and published the poisoned versions of Axios directly to the registry.
The embedded malware is delivered by an obfuscated Node.js dropper (“setup.js”) that branches into one of three attack paths depending on the operating system –
- On macOS, it uses an AppleScript payload to download a trojan binary from an external server (“sfrclak.com:8000”), save it as “/Library/Caches/com.apple.act.mond,” mark it executable, and launch it in the background via /bin/zsh. The AppleScript file is deleted after execution to cover its tracks.
- On Windows, it locates the PowerShell binary, copies it to “%PROGRAMDATA%wt.exe” (disguising it as the Windows Terminal executable), then writes a Visual Basic Script (VBScript) to the temporary directory and executes it. The VBScript contacts the same server to download the PowerShell RAT script and run it. The downloaded file is deleted afterwards.
- On other platforms (e.g., Linux), the dropper uses a shell command issued through Node.js’s execSync to download the Python RAT script from the same server, save it to “/tmp/ld.py,” and execute it in the background using nohup.

“Each platform sends a different POST body to the same C2 URL – packages.npm.org/product0 (macOS), packages.npm.org/product1 (Windows), packages.npm.org/product2 (Linux),” StepSecurity said. “This allows the C2 server to serve the correct payload for the platform from a single endpoint.”
The second-stage binary downloaded on macOS is a C++ RAT that profiles the system and beacons to a remote server every 60 seconds to receive commands for execution. It supports running additional payloads, executing shell commands, enumerating the file system, and terminating itself.
SafeDep’s analysis of the Linux RAT revealed that it supports the same commands as its macOS counterpart. The absence of a persistence mechanism means the malware does not survive a reboot. This suggests the attack is geared toward rapid data exfiltration, or relies on the RAT’s ability to run binaries and shell commands to establish persistence later.
“The attack is notable for its restraint. No axios source files were modified, making it unlikely to be caught by traditional code review,” SafeDep said. “The malicious behavior lives entirely in the injected dependency, which is executed automatically by the npm install lifecycle.”
Once the main payload is launched, the Node.js malware also performs a three-step cleanup: it deletes the postinstall script from the installed package directory, strips the “package.json” lifecycle hook that launches the dropper, and renames “package.md” to “package.json.”
It’s worth noting that the “package.md” file shipped inside “plain-crypto-js” is a clean “package.json” manifest without the install hook that starts the attack. Swapping it in is intended to avoid raising red flags during post-infection inspection of the package.
“Neither malicious version contains a single line of malicious code within Axios itself,” StepSecurity said. “Instead, they both inject a fake dependency, plain-crypto-js@4.2.1, a package that is never imported anywhere in the Axios source, whose sole purpose is to run a postinstall script that drops a cross-platform remote access trojan (RAT).”
Users are advised to take the following steps to remediate –
- Check whether the malicious Axios versions are installed.
- Check for the RAT artifacts: “/Library/Caches/com.apple.act.mond” (macOS), “%PROGRAMDATA%wt.exe” (Windows), and “/tmp/ld.py” (Linux).
- Downgrade to Axios versions 1.14.0 or 0.30.3.
- Remove “plain-crypto-js” from the “node_modules” directory.
- If RAT artifacts are detected, assume compromise and rotate all credentials on the system.
- Check CI/CD pipelines for jobs that installed the affected versions.
- Block traffic to the command-and-control domain (“sfrclak[.]com”).
Socket, in its analysis of the attack, said it identified two additional packages that distribute the same malware as a transitive dependency –
In the case of “@shadanai/openclaw,” the package bundles the malicious “plain-crypto-js” payload directly (e.g., @shadanai/openclaw/files/2026.3.31-1/dist/extensions/slack/node_modules/plain-crypto-js/setup.js). “@qqbrowser/openclaw-qbot@0.0.130,” on the other hand, ships a compromised “axios@1.14.1” in its “node_modules/” folder with “plain-crypto-js” injected as a dependency.
“The real axios has only three dependencies (follow-redirects, form-data, proxy-from-env),” said the supply chain security company. “The addition of plain-crypto-js is a clear anomaly. When npm processes this axios version, it installs plain-crypto-js and triggers the malicious postinstall chain.”