Key Findings Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised
