Axios, the widely used open-source JavaScript HTTP client, was hit by a critical software supply chain attack after an unknown actor hijacked a lead maintainer's npm account and manually published two poisoned releases that introduced a malicious dependency. The injected package runs an obfuscated postinstall script acting as a cross-platform RAT dropper that fetches stage-2 payloads from sfrclak.com, overwrites package.json, and deletes traces while exposing developer and CI/CD secrets. #Axios #sfrclak
Key points
- An unknown threat actor hijacked the npm account of lead maintainer jasonsaayman to publish two poisoned Axios releases.
- The malicious releases injected a fake dependency containing a heavily obfuscated postinstall script.
- The postinstall script functions as a cross-platform RAT dropper that downloads platform-specific stage-2 payloads from sfrclak.com.
- The malware overwrites its package.json and removes artifacts to evade post-incident forensic detection.
- Compromised assets may include maintainer npm credentials, developer workstation credentials, SSH private keys, cloud tokens (AWS, GCP, Azure), CI/CD secrets, and .env file contents.
Read More: https://dailydarkweb.net/axios-npm-package-compromised-in-supply-chain-attack/