The malicious axios versions do not contain malicious code within the axios source itself. Instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported by axios. Its sole purpose is to execute a postinstall script during dependency installation, using postinstall as a dropper for the RAT[1].

The dropper contacts a live command‑and‑control (C2) server, retrieves an OS‑specific second‑stage payload, executes it, and then self‑deletes, replacing its own package.json with a clean decoy to hinder forensic detection[1].

The attack was highly coordinated, with the malicious dependency staged in advance, multiple payloads prepared, and both axios release branches compromised within a short time window.

Note that the packages has now been unpublished by npm and if you are attempting to install any version of plain-crypto-js now returns the security notice[1].

Affected Products

axios@1.14.1
axios@0.30.4

Recommended Actions

• Uninstall compromise packages or pin to known-good versions: axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch). until patched releases are verified.
• Truesec recommends that you disable “postinstall” to reduce the risks of being exploited by a malware similar to this one.
• Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft.
• Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.
• Monitor logs for unusual npm publish or package modification events.

If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.

For further reading on the subject, see your blog post Npm Supply-Chain Attacks: How to Reduce Risk

Detection

Truesec is currently conducting threat hunting for all MDR customers, specifically for domains, URLs, IPs and file hashes.

Compromised Packages[1]
axios@1.14.1shasum: 2553649f2322049666871cea80a5d0d6adc700ca
axios@0.30.4shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
plain-crypto-js@4.2.1shasum: 07d889e2dadce6f3910dcbc253317d28ca61c766

Network Indicators[1]
C2 domainsfrclak[.]com
C2 IP 142.11.206[.]73
C2 URL http://sfrclak[.]com:8000/6202033
C2 POST body — macOSpackages.npm.org/product0
C2 POST body — Windowspackages.npm.org/product1
C2 POST body — Linuxpackages.npm.org/product2

File System Indicators[1]
macOS/Library/Caches/com.apple.act.mond
Windows (persistent)%PROGRAMDATA%\wt.exe
Windows (temp, self-deletes)%TEMP%\6202033.vbs
Windows (temp, self-deletes)%TEMP%\6202033.ps1
Linux/tmp/ld.py

Attacker-Controlled Accounts[1]
jasonsaaymanCompromised legitimate axios maintainer account — email changed to ifstap@proton.me
nrwiseAttacker-created account — nrwise@proton.me — published plain-crypto-js
References

[1] https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan