The Axios supply chain attack on March 31, 2026 hijacked an npm maintainer account to publish poisoned Axios releases that installed a cross-platform remote access trojan via a phantom dependency. The attacker used the fake package plain-crypto-js to run a post-install dropper that contacted a C2 server at http://sfrclak.com:8000/6202033 and erased its traces by replacing package metadata. #Axios #plain-crypto-js
Key points
- Malicious Axios versions 1.14.1 and 0.30.4 were manually published using compromised npm maintainer credentials.
- The attacker injected a phantom dependency, plain-crypto-js@^4.2.1, which executed a post-install script to deploy a RAT.
- The RAT contacted a C2 server at sfrclak.com and delivered OS-specific payloads for macOS, Windows, and Linux.
- The malicious releases bypassed GitHub Actions/OIDC trusted publishing: they carried no trusted-publisher metadata and had no corresponding Git commits.
- Developers who installed the affected versions should rotate credentials, review logs, rebuild systems, and reinstall dependencies with scripts disabled.
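The following Node.js script is an added example for the remediation step above; it is not code from the original report, from the Axios project or from npm. It scans a package-lock.json for the two poisoned axios versions and the plain-crypto-js phantom dependency named in the key points, and lists every package whose lockfile entry is flagged with an install script (the npm lockfile field hasInstallScript). It goes a little beyond the report by handling both the lockfileVersion 2/3 "packages" map and the older v1 nested "dependencies" tree. The sample lockfile embedded below is constructed for illustration, and the function names are my own.

```javascript
// Added example (not from the original article): scan an npm lockfile for the
// indicators the report names. Handles lockfileVersion 2/3 ("packages" map)
// and the older v1 nested "dependencies" tree. Function names are my own.

// Indicators taken from the report above.
const AFFECTED_AXIOS_VERSIONS = new Set(["1.14.1", "0.30.4"]);
const PHANTOM_DEPENDENCY = "plain-crypto-js";

// Constructed sample lockfile (v3 layout) showing a poisoned install:
// axios 1.14.1 pulling in plain-crypto-js, which carries an install script.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
};

// Flatten either lockfile layout into {name, version, path, deps, hasInstallScript}.
function collectPackages(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      const idx = path.lastIndexOf("node_modules/");
      const name = pkg.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : path);
      found.push({
        name,
        version: pkg.version,
        path,
        deps: pkg.dependencies || {},
        hasInstallScript: Boolean(pkg.hasInstallScript),
      });
    }
    return found;
  }
  // v1 layout: "requires" lists declared deps, "dependencies" holds nested installs.
  const walk = (deps, prefix) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: pkg.version, path, deps: pkg.requires || {}, hasInstallScript: false });
      walk(pkg.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Returns the findings for one parsed lockfile object.
function scanLockfile(lock) {
  const packages = collectPackages(lock);
  const label = (p) => `${p.path}@${p.version}`;
  const affectedAxios = packages
    .filter((p) => p.name === "axios" && AFFECTED_AXIOS_VERSIONS.has(p.version))
    .map(label);
  const phantomInstalled = packages.filter((p) => p.name === PHANTOM_DEPENDENCY).map(label);
  // Also catch a lockfile that declares the phantom dependency before it is installed.
  const phantomDeclaredBy = packages
    .filter((p) => Object.prototype.hasOwnProperty.call(p.deps, PHANTOM_DEPENDENCY))
    .map((p) => p.path);
  const installScripts = packages.filter((p) => p.hasInstallScript).map((p) => p.path);
  const clean =
    affectedAxios.length === 0 && phantomInstalled.length === 0 && phantomDeclaredBy.length === 0;
  return { affectedAxios, phantomInstalled, phantomDeclaredBy, installScripts, clean };
}

// CLI: `node scan-lock.js ./package-lock.json`; with no argument, scan the sample.
let lockToScan = SAMPLE_LOCK;
if (process.argv[2]) {
  lockToScan = JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"));
}
console.log(JSON.stringify(scanLockfile(lockToScan), null, 2));
```

A CI wrapper can fail the build whenever `clean` is false. The `installScripts` list is the set of packages that would run lifecycle scripts on install, which is what the advice to reinstall "with scripts disabled" (for example `npm ci --ignore-scripts`) is meant to neutralise while the dependency tree is being reviewed.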
Read More: https://thecyberexpress.com/axios-supply-chain-attack-npm-malware/