An attacker used compromised credentials of an Axios maintainer to publish poisoned npm packages that added a malicious dependency and executed a postinstall script to deploy a platform-specific Remote Access Trojan. Developers who ran npm install for the affected versions should treat build machines as fully compromised and rotate secrets immediately. #Axios #plain-crypto-js
Keypoints
- An attacker published malicious npm releases [email protected] and [email protected] by using compromised maintainer credentials, injecting a dependency [email protected] that is not referenced in the source.
- The malicious postinstall script (node setup.js) downloaded an obfuscated dropper which then retrieved platform-specific RAT payloads for macOS, Windows, and Linux.
- The compromised versions do not appear in the project’s official GitHub tags, so the impact is primarily on environments that resolved those npm versions during install/build steps.
- Any workflow that ran npm install with scripts enabled on these packages may have exposed secrets (cloud keys, deploy keys, npm tokens), meaning build machines should be considered fully compromised.
- The malware dropper cleans up traces from node_modules/plain-crypto-js so manual inspection of installed package directories or npm audit may not reveal the compromise.
- Observed IOCs include a domain (sfrclak[.]com), an IP (142.11.206.73), platform-specific temporary file paths, and SHA-256 checksums for the malicious packages.
MITRE Techniques
- [T1195.002] Supply Chain Compromise – Compromised the software dependency chain by publishing poisoned packages to npm: ‘an attacker published poisoned packages to npm: [email protected] and [email protected].’
- [T1078] Valid Accounts – Used compromised maintainer credentials to push malicious releases: ‘Using compromised credentials of a lead maintainer of Axios, an attacker published poisoned packages to npm.’
- [T1059.006] Command and Scripting Interpreter: Node.js – Executed a postinstall Node.js script that downloaded a dropper: ‘the postinstall script (node setup.js) that runs automatically on npm install downloaded an obfuscated dropper.’
- [T1027] Obfuscated Files or Information – Employed an obfuscated dropper and cleaned up artifacts to evade detection: ‘downloaded an obfuscated dropper’ and ‘Any post-infection inspection… will show a completely clean manifest.’
- [T1071.001] Application Layer Protocol: Web Protocols – Retrieved RAT payloads and communicated with remote hosts over web protocols (domain/IP): ‘downloaded an obfuscated dropper that retrieves a platform‑specific RAT payload’ and ‘Domain: sfrclak[.]com’ / ‘IP address: 142.11.206.73.’
Indicators of Compromise
- [Domain] payload/C2 host – sfrclak[.]com
- [IP address] payload/C2 host – 142.11.206.73
- [File paths] temporary/dropper files used during execution – /Library/Caches/com.apple.act.mond, /tmp/ld.py, and Windows temporary scripts such as %TEMP%6202033.vbs/.ps1 (briefly created during execution)
- [Malicious npm packages & checksums] compromised packages published to npm – [email protected] (sha-256: 2553649f2322049666871cea80a5d0d6adc700ca), [email protected] (sha-256: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71), [email protected] (sha-256: 07d889e2dadce6f3910dcbc253317d28ca61c766)
Read more: https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust