Malicious versions of the popular HTTP client library spread a Remote Access Trojan across multiple platforms.
Category: Technology
In a concerning incident that highlights the vulnerabilities within software supply chains, the widely used JavaScript library Axios was compromised on March 31, 2026. An unknown threat actor hijacked the npm account of a lead maintainer and published two malicious versions of the package—[email protected] and [email protected]. This attack has the potential to affect countless developers and organizations, as Axios is utilized in approximately 80% of cloud and code environments, with around 100 million downloads per week.
The malicious versions introduced a dependency on a trojanized package called [email protected], which executes a post-install script that silently installs a cross-platform Remote Access Trojan (RAT) targeting macOS, Windows, and Linux systems. Security firm StepSecurity first identified the compromised packages, which were published using the compromised credentials of maintainer Jason Saayman, who was locked out of his account shortly after the attack.
What makes this attack particularly insidious is that the malicious code was not present in Axios itself. Instead, the attacker injected a fake dependency that was never imported in the Axios source code, allowing the malicious payload to evade detection by standard security measures. The dropper script, setup.js, contacts a command-and-control server and delivers platform-specific payloads, which then execute and self-delete to avoid forensic detection.
According to StepSecurity, the attack was carefully pre-staged. The attacker first published a clean version of [email protected] to establish a credible npm publishing history. This decoy package contained legitimate library code and no malicious functionality, effectively bypassing automated security scanning tools. The malicious version, [email protected], was published roughly 18 hours later, followed by the compromised Axios versions within a short time frame.
Here's a timeline of the key events:
Once installed, the dropper script executes and communicates with the command-and-control server at sfrclak.com:8000, downloading platform-specific payloads. On macOS, the payload is saved to /Library/Caches/com.apple.act.mond; on Windows, it disguises itself as the Windows Terminal executable in %PROGRAMDATA%/wt.exe; and on Linux, it saves a Python script to /tmp/ld.py.
After executing the payload, the dropper performs a cleanup process: it deletes itself, removes the malicious package.json file containing the post-install hook, and replaces it with a clean version. This means that developers inspecting their node_modules folder after the fact would find no indication of compromise, making the attack even more dangerous.
StepSecurity has warned that any developer or organization using the compromised versions should assume that their systems have been compromised. Immediate actions are recommended, including downgrading to safe versions of Axios (1.14.0 or 0.30.3), removing the plain-crypto-js directory, and rotating any secrets or credentials that may have been exposed during the attack.
With Axios being one of the most popular HTTP client libraries in the JavaScript ecosystem, the blast radius of this attack is enormous. The library is used in web applications, backend APIs, mobile applications, serverless functions, CI/CD automation pipelines, and developer workstations across various industries.
As organizations scramble to assess their exposure, the incident serves as a stark reminder of the importance of supply chain security. The sophistication of this attack—using a hijacked maintainer account, pre-staging a clean version of a dependency, and employing a self-destruct mechanism—demonstrates that attackers are becoming increasingly adept at bypassing traditional security measures.
Security teams are advised to monitor for suspicious activity, particularly outbound connections to the command-and-control server, and to audit their environments for any signs of the malicious packages. The incident has prompted discussions in the developer community about the need for enhanced security protocols and practices to protect against similar threats in the future.
In light of this attack, developers and organizations should remain vigilant and proactive in their security practices, ensuring they are prepared for potential threats that may arise in the ever-evolving cybersecurity threat environment.