Axios Hijacked: npm Account Takeover Deploys Cross-Platform RAT to Millions
On March 31, 2026, two malicious versions of Axios - the JavaScript HTTP client with over 83 million weekly downloads - were published to npm after an attacker hijacked the lead maintainer's account. Versions 1.14.1 and 0.30.4 injected a phantom dependency that silently installs a cross-platform remote access trojan on macOS, Windows, and Linux. The malicious versions were live for roughly three hours before npm removed them.
If your lockfile contains either affected version, assume your development machine or CI runner has been compromised.
TL;DR
- A compromised npm access token was used to publish malicious Axios versions
1.14.1and0.30.4, bypassing all CI/CD and OIDC provenance controls - Both versions introduce a hidden dependency (
plain-crypto-js) that deploys a persistent, cross-platform remote access trojan targeting macOS, Windows, and Linux - The payload erases all forensic traces within seconds of execution, rendering post-install inspection ineffective
- Affected organizations should downgrade immediately, investigate systems for RAT artifacts, and rotate all credentials accessible from compromised environments
What happened?
The attacker obtained a long-lived classic npm access token belonging to jasonsaayman, the lead maintainer of Axios. They changed the account's email to an attacker-controlled ProtonMail address, locking the legitimate owner out of recovery, and published poisoned packages directly via the npm CLI - bypassing the project's normal GitHub Actions OIDC Trusted Publisher workflow.
Eighteen hours earlier, a separate attacker account (nrwise) had published a clean decoy package called [email protected] to build publishing history. The malicious [email protected] went live at 23:59 UTC on , and within the next hour both [email protected] and [email protected] were published with it injected as a runtime dependency - hitting both active release branches. The compromised maintainer's permissions exceeded those of the other collaborators, hampering initial response.
How did the payload work?
The only change in both malicious Axios versions was a single new dependency: "plain-crypto-js": "^4.2.1". This package is never imported in the Axios source - it exists solely to run a postinstall hook that triggers an obfuscated dropper script. The dropper detects the OS and fetches a platform-specific RAT from the C2 server (sfrclak[.]com:8000):
- macOS: Downloads a C++ binary to
/Library/Caches/com.apple.act.mond(mimicking Apple's naming). The RAT fingerprints the system, beacons every 60 seconds, and supports remote commands including binary execution, shell commands, and filesystem enumeration. - Windows: Copies PowerShell to
%PROGRAMDATA%\wt.exe(disguised as Windows Terminal), downloads and executes a hidden.ps1script via a VBScript wrapper. - Linux: Downloads a Python RAT to
/tmp/ld.pyand launches it in the background.
After launching the payload, the dropper erases all evidence - deleting itself, removing the malicious package.json, and swapping in a pre-staged clean manifest. The first C2 connection fires 1.1 seconds into npm install.
Which versions are affected?
|
Component |
Affected Versions |
SHA-256 |
Exposure Window |
Safe Versions |
|
axios (npm) |
1.14.1 |
|
~2h 54m (, 00:21–03:15 UTC) |
1.14.0 |
|
axios (npm) |
0.30.4 |
|
~2h 15m (, 01:00–03:15 UTC) |
0.30.3 |
|
plain-crypto-js (npm) |
4.2.1 |
|
~4h 27m ( 23:59– 04:26 UTC) |
None - should not exist in your dependencies |
No CVE was assigned - this is a supply chain compromise, not a code vulnerability. The malicious dependency is tracked as GHSA-2x9r-6wxq-hrr7 and classified as malware.
What should your team do now?
Check your lockfiles for [email protected] or [email protected]. Search for node_modules/plain-crypto-js/ - this directory should not exist in any legitimate project. Downgrade immediately to [email protected] or [email protected]
If the affected version was installed on any machine or CI runner, search for RAT artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux). If found, treat the system as fully compromised - rebuild from a clean state and rotate every accessible credential. Block sfrclak[.]com and 142.11.206.73 at the network level.
Or, skip the manual work - we've open-sourced ready-to-run remediation playbooks for this and other supply chain incidents. Drop them into your AI coding assistant and get answers in minutes.
Indicators of compromise
|
Indicator |
Details |
|
Malicious packages |
|
|
C2 |
|
|
macOS artifact |
|
|
Windows artifacts |
|
|
Linux artifact |
|
|
Phantom dependency |
|
|
Attacker account |
|
|
Compromised account |
|
Full SHA-256 hashes are listed in the affected versions table above.
Payload hashes
These are the RAT files fetched from the C2 server during installation - not present in the npm registry. Use them to verify suspected files found on compromised machines.
|
File |
Platform |
SHA-256 |
|
|
All (dropper) |
|
|
|
macOS |
|
|
|
Windows |
|
|
|
Linux |
|
Key takeaways
A single long-lived token is a single point of failure. One stolen classic npm token - no IP restriction, no expiration, no OIDC binding - was enough to poison a package used by millions.
Postinstall hooks are an open door. The entire attack chain completes in 1.1 seconds via a postinstall hook on a transitive dependency. Enforce --ignore-scripts in CI/CD.
Self-destructing malware defeats post-hoc auditing. This payload erases itself within seconds. Runtime detection during install is the only way to catch it.
Have you checked your lockfiles? We'd like to hear how your team is responding.
Download our new whitepaper.
