# Critical Supply Chain Attack: Axios npm Account Compromised to Distribute Cross-Platform RAT Malware
- Mar 31
## Key Findings
- Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency
- The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux
- Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised npm credentials
- Given Axios' 83+ million weekly downloads and 400+ million monthly downloads, the potential scope of exposure is massive despite the relatively short attack window
- The malware used sophisticated obfuscation and self-deletion techniques to avoid detection, making forensic analysis difficult
- Two additional packages were found spreading the same malware through compromised Axios dependencies, demonstrating rapid supply chain propagation
## Background
Axios is one of the most popular HTTP client libraries in the JavaScript ecosystem, widely used across frontend frameworks, backend services, and enterprise applications. With over 83 million weekly downloads, it is a critical dependency for millions of projects worldwide. On March 31, 2026, threat actors exploited this trust by compromising the npm account of the library's primary maintainer, enabling them to distribute malware at scale through a trusted, frequently updated package.
## Account Compromise and Attack Execution
Attackers obtained long-lived classic npm access tokens for maintainer Jason Saayman's account, likely through credential theft or account compromise. They changed the account's registered email to a Proton Mail address (ifstap@proton.me) under their control. The attackers published a clean version of "plain-crypto-js@4.2.0" on March 30 at 23:59 UTC, then released a malicious version (4.2.1) the next day. Within minutes, this poisoned dependency was injected into two Axios releases. Because the releases were published directly with the stolen tokens rather than through the project's GitHub Actions pipeline, they bypassed the normal security checks that require GitHub commits and OIDC verification.
## Sophisticated Malware Design
The embedded malware operated as an obfuscated Node.js dropper that branched into platform-specific attack paths. On macOS, it used AppleScript to fetch a C++ RAT binary from a command-and-control server at sfrclak.com:8000, saved it disguised as a system cache file, and launched it via shell. On Windows, the dropper copied PowerShell to the Programs folder disguised as Windows Terminal, then executed a VBScript to fetch and run a PowerShell RAT. On Linux systems, it used shell commands to fetch and execute a Python RAT script in the background.
Each platform sent distinct POST requests to the same C2 endpoint (packages.npm.org/product0 for macOS, product1 for Windows, product2 for Linux), allowing the server to deliver targeted payloads. After execution, the malware deleted its installation files and restored clean package content to evade detection.
## Capabilities and Persistence
The second-stage macOS RAT, which security researchers reverse-engineered before the C2 went offline, supported system fingerprinting, beaconing to remote servers every 60 seconds, shell command execution, file system enumeration, and deployment of additional payloads. The Linux variant had identical functionality. Notably, the malware had no persistence mechanism of its own, suggesting that the attackers either aimed at quick data exfiltration or intended to use the RAT's ability to execute binaries to install persistence by other means.
## Secondary Infection Vectors
Security researchers discovered two additional packages spreading the same malware through contaminated Axios dependencies. The package @shadanai/openclaw embedded the malicious plain-crypto-js deep within its code using identical obfuscation and C2 infrastructure. Another package, @qqbrowser/openclaw-qbot, bundled a tampered Axios version that silently installed the malicious dependency. Both packages were likely compromised automatically when their builds pulled the poisoned Axios release, demonstrating how a single supply chain breach can rapidly propagate across the ecosystem.
## Detection and Mitigation
Users should immediately check whether their projects include the malicious Axios versions 1.14.1 or 0.30.4 or the plain-crypto-js package. Those affected must downgrade to the safe versions (1.14.0 or 0.30.3), rotate all secrets and credentials, and scan systems for RAT artifacts. Security tools such as Aikido and Socket have published indicators of compromise and offer automated scanning. Even though the malware deletes its files after execution, forensic traces may remain on affected systems. The attack demonstrates the need for enhanced supply chain security, including stricter npm account controls, multi-factor authentication for high-profile packages, and faster detection mechanisms for unauthorized package updates.
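One way to check a project's lockfile for the versions named above, as an added example that is not code from the article or the Axios project. The lockfile contents and the `some-tool` package name are constructed for illustration.

```javascript
// Added example, not code from the article or from the Axios project: scan an
// npm lockfile (lockfileVersion 3 layout) for the indicators the article names.
const MALICIOUS_AXIOS = new Set(["1.14.1", "0.30.4"]);   // poisoned releases
const SAFE_AXIOS = { "1.14.1": "1.14.0", "0.30.4": "0.30.3" }; // downgrade targets
const MALICIOUS_DEP = "plain-crypto-js";                  // injected RAT dependency

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested installs included).
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return one finding per indicator matched; an empty array means clean.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    if (name === "axios" && MALICIOUS_AXIOS.has(entry.version)) {
      findings.push({ path: lockPath, reason: `axios@${entry.version} is a compromised release; pin ${SAFE_AXIOS[entry.version]}` });
    }
    if (name === MALICIOUS_DEP) {
      findings.push({ path: lockPath, reason: `${MALICIOUS_DEP}@${entry.version} is installed` });
    }
    if (entry.dependencies && MALICIOUS_DEP in entry.dependencies) {
      findings.push({ path: lockPath, reason: `${name} declares ${MALICIOUS_DEP} as a dependency` });
    }
  }
  return findings;
}

// Constructed sample lockfile: top-level axios is the poisoned 1.14.1 and a
// hypothetical "some-tool" package nests the poisoned 0.30.4.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/some-tool": { version: "1.0.0", dependencies: { axios: "^0.30.0" } },
    "node_modules/some-tool/node_modules/axios": { version: "0.30.4" },
  },
};
// Constructed clean lockfile on the last safe release.
const CLEAN_LOCK = { lockfileVersion: 3, packages: { "": { name: "ok" }, "node_modules/axios": { version: "1.14.0" } } };

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested installs are covered because every entry in the `packages` map is inspected, not just the top-level one.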
## Sources
- https://securityaffairs.com/190221/security/attackers-hijack-axios-npm-account-to-spread-rat-malware.html
- https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
- https://www.facebook.com/HackRead/posts/suspected-hijacked-developer-accounts-used-to-push-npm-malware-with-packages-lik/1507504638041775/