惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
J
Java Code Geeks
H
Help Net Security
B
Blog RSS Feed
G
Google Developers Blog
博客园 - 司徒正美
MongoDB | Blog
MongoDB | Blog
量子位
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
P
Proofpoint News Feed
小众软件
小众软件
人人都是产品经理
人人都是产品经理
云风的 BLOG
云风的 BLOG
V
V2EX
月光博客
月光博客
C
Check Point Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
Help Net Security
Help Net Security
Schneier on Security
Schneier on Security
D
DataBreaches.Net
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
T
Tenable Blog
L
LangChain Blog
Attack and Defense Labs
Attack and Defense Labs
Google DeepMind News
Google DeepMind News
N
News and Events Feed by Topic
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
大猫的无限游戏
大猫的无限游戏
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Y
Y Combinator Blog
WordPress大学
WordPress大学
Stack Overflow Blog
Stack Overflow Blog
V
Visual Studio Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
NISL@THU
NISL@THU
GbyAI
GbyAI
博客园 - Franky
S
Secure Thoughts
有赞技术团队
有赞技术团队
PCI Perspectives
PCI Perspectives
U
Unit 42

Truesec

Russian Intelligence Targets SOHO Routers - Truesec Cyber Warfare in the Iran War - Truesec Organized Cybercrime Merging with Other Crime - Truesec AI Used in Ransomware Attack The Fortibleed Campaign: Truesec's Experience Fortibleed: Truesec's Experience Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit - Truesec FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise - Truesec Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) Typosquatting: When Your Domain Is Used Against You AI in Cybersecurity: Separating Operational Reality from Speculation Compromised @redhat-Cloud-Services Npm Packages Distribute Credential-Stealing Worm GitHub Hacks Highlights Need for Repository Security Installation of a Syslog Log Collector Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223) Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE - Truesec Windows Client Security Baselines: When Assumptions Meet Incident Response Reality - Truesec Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
Malicious Axios Packages Published to npm in New Supply Chain Compromise
2026-03-31 · via Truesec

Threat Insight

StepSecurity has identified a supply‑chain compromise affecting the widely used JavaScript HTTP client axios, where malicious versions were published to npm using compromised maintainer credentials. The affected packages deploy a cross‑platform Remote Access Trojan (RAT) during installation, potentially leading to full system compromise on developer workstations, CI/CD runners, and build environments[1].

The malicious axios versions do not contain malicious code within the axios source itself. Instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported by axios. Its sole purpose is to execute a postinstall script during dependency installation, using postinstall as a dropper for the RAT[1].

The dropper contacts a live command‑and‑control (C2) server, retrieves an OS‑specific second‑stage payload, executes it, and then self‑deletes, replacing its own package.json with a clean decoy to hinder forensic detection[1].

The attack was highly coordinated, with the malicious dependency staged in advance, multiple payloads prepared, and both axios release branches compromised within a short time window.

Note that the packages has now been unpublished by npm and if you are attempting to install any version of plain-crypto-js now returns the security notice[1].

Affected Products

axios@1.14.1
axios@0.30.4

Recommended Actions

  • Uninstall compromise packages or pin to known-good versions: axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch). until patched releases are verified.
  • Truesec recommends that you disable “postinstall” to reduce the risks of being exploited by a malware similar to this one.
  • Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft.
  • Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.
  • Monitor logs for unusual npm publish or package modification events.

If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.

For further reading on the subject, see your blog post Npm Supply-Chain Attacks: How to Reduce Risk

Detection

Truesec is currently conducting threat hunting for all MDR customers, specifically for domains, URLs, IPs and file hashes.

Compromised Packages[1]
axios@1.14.1shasum: 2553649f2322049666871cea80a5d0d6adc700ca
axios@0.30.4shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
plain-crypto-js@4.2.1shasum: 07d889e2dadce6f3910dcbc253317d28ca61c766

Network Indicators[1]
C2 domainsfrclak[.]com
C2 IP 142.11.206[.]73
C2 URL http://sfrclak[.]com:8000/6202033
C2 POST body — macOSpackages.npm.org/product0
C2 POST body — Windowspackages.npm.org/product1
C2 POST body — Linuxpackages.npm.org/product2

File System Indicators[1]
macOS/Library/Caches/com.apple.act.mond
Windows (persistent)%PROGRAMDATA%\wt.exe
Windows (temp, self-deletes)%TEMP%\6202033.vbs
Windows (temp, self-deletes)%TEMP%\6202033.ps1
Linux/tmp/ld.py

Attacker-Controlled Accounts[1]
jasonsaaymanCompromised legitimate axios maintainer account — email changed to ifstap@proton.me
nrwiseAttacker-created account — nrwise@proton.me — published plain-crypto-js
References

[1] https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan