Attackers hijacked the npm account of the lead Axios maintainer. On March 31, 2026, they published two poisoned versions of the HTTP client library. Both axios@1.14.1 and axios@0.30.4 silently install a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux.
Axios has approximately 100 million weekly downloads, according to Socket. Both malicious versions and the fake dependency have been removed from npm. Anyone who installed either version should assume compromise and rotate all credentials immediately.
Not a single line of Axios source code was modified. Both poisoned versions inject a new runtime dependency called plain-crypto-js@4.2.1, a package never imported in the Axios codebase. Its sole purpose is to execute a postinstall script that drops the RAT. The fake package disguises itself as the legitimate crypto-js library, copying its description, author name, and repository URL.
The attack was staged 18 hours in advance. On March 30 at 05:57 UTC, npm user "nrwise" published a clean version of plain-crypto-js@4.2.0 with no payload. At 23:59 UTC the same day, version 4.2.1 with the malicious payload went live. Socket's automated detection flagged it within six minutes.
axios@1.14.1 appeared on npm at 00:21 UTC on March 31. The 0.x branch followed at 01:00 UTC. Both current and legacy release branches were poisoned within 39 minutes.
The attacker compromised the "jasonsaayman" npm account. The registered email was changed to ifstap@proton.me. Both versions were published via the npm CLI, bypassing the project's GitHub Actions CI/CD pipeline entirely. The real maintainer was locked out.
This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.
— Ashish Kurmi, security researcher, StepSecurity
StepSecurity believes the attack vector was a long-lived classic npm access token. Neither malicious version has a corresponding GitHub tag. Version 1.14.0 (the last legitimate release, published March 27) carries SLSA provenance attestations absent from 1.14.1.
The dropper (setup.js) executes via npm's postinstall hook. On macOS, an AppleScript payload fetches a trojan binary from sfrclak[.]com:8000. The binary is saved to /Library/Caches/com.apple.act.mond, a path mimicking a legitimate Apple process. It launches via /bin/zsh and the AppleScript file is deleted.
On Windows, the dropper copies PowerShell to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal). A VBScript in the temp directory fetches a PowerShell RAT script from the same C2 server. On Linux, a Python RAT script is fetched and saved to /tmp/ld.py, then executed in the background using nohup.
The macOS binary is a C++ RAT. It fingerprints the system, beacons every 60 seconds, and supports shell command execution, file system enumeration, and additional payload delivery. The Linux variant is an unobfuscated Python script. On first contact, it sends a directory listing of $HOME, $HOME/.config, $HOME/Documents, and $HOME/Desktop.
SafeDep noted a bug on line 156 of the Linux RAT where it references an undefined variable. That suggests the code was copied from another variant.
StepSecurity confirmed the malware's speed via runtime analysis. Their Harden-Runner tool detected a C2 connection 1.1 seconds after running npm install.
Forensic evasion was built into the dropper. After deploying the RAT, it removes the postinstall script from the package directory. It deletes the package.json that references the malicious hook, then renames a pre-staged package.md (a clean manifest) to package.json.
Anyone inspecting node_modules/plain-crypto-js afterward sees an innocent-looking package. The folder's presence in node_modules is sufficient proof the dropper ran.
Socket identified two additional packages distributing the same malware. @shadanai/openclaw vendors the malicious plain-crypto-js payload directly. @qqbrowser/openclaw-qbot@0.0.130 ships a tampered axios@1.14.1 in its own node_modules/ folder. Socket noted these packages likely picked up the malicious dependency transitively while the poisoned Axios was still the latest version.
Caret ranges like ^1.14.0 or ^0.30.0 would pull the compromised version automatically. Within hours, downstream packages already contained the malware, whether through deliberate inclusion or automated dependency resolution.
Publish access on npm is tied to individual accounts, not to verified CI pipelines. A compromised token gives an attacker the ability to publish any version of any package that account maintains, without touching the source repository and without generating a GitHub tag. The provenance gap between Axios 1.14.0 and 1.14.1 is detectable, but only if organizations are checking SLSA attestations.
Socket stated the attack is not linked to the recent TeamPCP campaigns. The methodology differs. TeamPCP compromises CI/CD pipelines. This attack used account takeover plus dependency injection.
The timing is notable, though. This attack comes three days after TeamPCP compromised Telnyx on PyPI using credentials stolen through the LiteLLM supply chain attack.
If you installed axios@1.14.1 or axios@0.30.4 after March 31, 00:21 UTC, assume compromise. Check for RAT artifacts and rotate all credentials.
C2 indicators include sfrclak[.]com (IP 142.11.206.73, port 8000). On macOS, check for /Library/Caches/com.apple.act.mond. On Windows, look for %PROGRAMDATA%\wt.exe. The attacker's registered emails are ifstap@proton.me and nrwise@proton.me.
On Linux, check /tmp/ld.py. On all platforms, look for $TMPDIR/6202033.
Downgrade to axios@1.14.0 or axios@0.30.3. Remove plain-crypto-js from node_modules and reinstall with npm install --ignore-scripts. If RAT artifacts are found, rotate npm tokens, cloud keys, SSH keys, CI/CD secrets, and API tokens.
Audit CI/CD pipelines for any runs that installed affected versions after March 31, 00:21 UTC. Block egress traffic to sfrclak[.]com and 142.11.206.73.
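The two practical points above, that a caret range such as ^1.14.0 or ^0.30.0 would have resolved to the poisoned release, and that the presence of node_modules/plain-crypto-js or one of the dropped files is the signal to look for, can be turned into a quick triage script. The following Python is an added example, not code from the article or from Socket, StepSecurity or the Axios project. The package names, versions and artifact paths are the ones given above; the lockfile contents are constructed sample data; the caret-range matcher is a simplified re-implementation of npm semantics written for this illustration, not npm's own code.

```python
import json
import os
import re
import sys
from pathlib import Path

# Indicators taken from the write-up above (not a complete list).
BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
BAD_PACKAGES = {"plain-crypto-js"}  # never a real Axios dependency
ARTIFACT_PATHS = [
    "/Library/Caches/com.apple.act.mond",  # macOS trojan binary
    "/tmp/ld.py",  # Linux Python RAT
    os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "wt.exe"),  # Windows
    os.path.join(os.environ.get("TMPDIR", "/tmp"), "6202033"),  # all platforms
]

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups())


def caret_allows(range_spec, version):
    """True if a caret range such as ^1.14.0 admits `version`.
    Simplified caret semantics (assumption: no prerelease tags, no x-ranges):
    the leftmost non-zero component is pinned, everything to its right may move."""
    if not range_spec.startswith("^"):
        raise ValueError("only caret ranges are handled here")
    base = parse_version(range_spec[1:])
    cand = parse_version(version)
    if cand < base:
        return False
    if base[0] != 0:
        upper = (base[0] + 1, 0, 0)
    elif base[1] != 0:
        upper = (0, base[1] + 1, 0)
    else:
        upper = (0, 0, base[2] + 1)
    return cand < upper


def ranges_exposed(lock):
    """Which root-level ranges would have resolved to a known-bad version."""
    exposed = []
    root_deps = lock.get("packages", {}).get("", {}).get("dependencies", {})
    for name, spec in root_deps.items():
        for bad in sorted(BAD_VERSIONS.get(name, ())):
            if spec.startswith("^") and caret_allows(spec, bad):
                exposed.append((name, spec, bad))
    return exposed


def scan_lockfile(lock):
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json and
    return (path, name, version) for every known-bad entry, nested or not."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in BAD_PACKAGES or version in BAD_VERSIONS.get(name, set()):
            findings.append((path, name, version))
    return findings


def scan_node_modules(root):
    """The dropper rewrites its own package.json after running, so the
    directory's existence is the signal, not its manifest contents."""
    hits = []
    for candidate in Path(root).rglob("plain-crypto-js"):
        if candidate.is_dir() and candidate.parent.name == "node_modules":
            hits.append(str(candidate))
    return hits


def existing_artifacts(paths=ARTIFACT_PATHS):
    return [p for p in paths if os.path.exists(p)]


# Constructed sample lockfile fragment (not real project data).
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/form-data": {"version": "4.0.0"},
    },
}

if __name__ == "__main__":
    # Usage: python triage.py [path/to/package-lock.json] [project_root]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    root = sys.argv[2] if len(sys.argv) > 2 else "."
    print("ranges that admit a bad version:", ranges_exposed(lock))
    print("bad lockfile entries:", scan_lockfile(lock))
    print("plain-crypto-js directories:", scan_node_modules(root))
    print("host artifacts present:", existing_artifacts())
```

Run it against a real package-lock.json and project root; any non-empty result from the last three checks means the host should be treated as compromised and credentials rotated as described above. Note that scan_lockfile only covers lockfile versions 2 and 3, which use the flat "packages" map.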