Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

2026-03-31

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Axios HTTP client versions 1.14.1 and 0.30.4 were poisoned via a compromised npm maintainer account, deploying a cross-platform RAT.

•Fake dependency "plain-crypto-js@4.2.1" was injected into both versions, triggering a malicious postinstall script on install
•Attacker hijacked maintainer "jasonsaayman"'s npm account using a stolen long-lived token, bypassing GitHub Actions CI/CD
•RAT dropper targets macOS (AppleScript), Windows (PowerShell/VBScript), and Linux (Python), all beaconing to C2 server "sfrclak.com"
•Attack was premeditated: payload staged 18 hours early, both release branches hit within 39 minutes, with forensic self-cleanup
•Users must downgrade to 1.14.0/0.30.3, rotate all credentials, check for RAT artifacts, and block traffic to "sfrclak.com"

Related Articles