惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
V2EX - 技术
V2EX - 技术
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
美团技术团队
WordPress大学
WordPress大学
博客园 - 司徒正美
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - Franky
Attack and Defense Labs
Attack and Defense Labs
Security Latest
Security Latest
L
LINUX DO - 最新话题
NISL@THU
NISL@THU
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
腾讯CDC
Y
Y Combinator Blog
The Hacker News
The Hacker News
Security Archives - TechRepublic
Security Archives - TechRepublic
IT之家
IT之家
T
Threatpost
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
S
SegmentFault 最新的问题
Cyberwarzone
Cyberwarzone
C
Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
U
Unit 42
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
P
Proofpoint News Feed
小众软件
小众软件
V
Vulnerabilities – Threatpost
J
Java Code Geeks
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
A
Arctic Wolf
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
S
Security @ Cisco Blogs
雷峰网
雷峰网
Help Net Security
Help Net Security
The Last Watchdog
The Last Watchdog
Recent Announcements
Recent Announcements
G
Google Developers Blog
C
CERT Recently Published Vulnerability Notes
T
Troy Hunt's Blog
MyScale Blog
MyScale Blog

Orca Security

Langflow RCE Actively Exploited to Deploy Cryptominers on AI Infrastructure Orca MCP: When Text Stops Scaling Kubernetes Compliance Tools: Automating CIS Benchmarks Risk-Based Vulnerability Management for the Cloud: A 2026 Guide Private Cloud Security: Top Risks and Best Practices (2026) What Is Generative AI in Cybersecurity? Best Vulnerability Management Tools and Software in 2026 2026 State of Application Security Report Recap: What the Data Says and What Security Teams Should Do About It AI Security for Sensitive Data: Best Practices and Guidelines Best AI Code Security Solutions 2026: How to Secure AI-Generated Code From Platform to Program: How to Ensure Your Cloud Security Solution Delivers Best AI Cybersecurity Providers 2026: A Buyer's Guide to AI-Powered Security Platforms Join Orca Security at Black Hat USA 2026 CNAPP Tools That Reduce Security Tool Sprawl: CNAPP vs. Dedicated Solutions What Is Container Runtime Security? A Practical Guide 2026 What Is Application Security Testing? Tools and Types What Is Managed Cloud Security? A Practical Guide What Is SaaS Security Posture Management? SSPM Guide Top 10 Cloud Security Standards for Compliance What is the MIT License? Compliance and Comparisons AI Agents vs. Agentless Security vs. Agent-based Security 144 Mastra npm Packages Compromised via Supply Chain Attack The Complete Guide to LLM Security: Risks, Best Practices, and Solutions Cloud Security LIVE 2026: Top 10 Takeaways Practitioners Can Use Now Cloud Security LIVE 2026: Top 10 Takeaways CISOs Can Use Now (and What to Do Next) How Orca Traced an nginx Flaw to 1.45 Million Tengine Servers All Running Vulnerable Code What to Look for in Container Security Tools Cloud Application Security Best Practices for DevSecOps Cloud Security Tools: 10 Types Explained for Teams What Is NIST CSF? Framework 2.0 Explained 7 Open Source Incident Response Tools by Category Critical Langflow Path Traversal Flaw Exploited for Unauthenticated RCE Critical PhpSpreadsheet RCE Patch Bypass Puts Millions at Risk Critical Splunk Enterprise Vulnerabilities Allow Unauthenticated File Operations and Remote Code Execution 16 Best Open Source Application Security Tools 2026 What Is Containerization? Security and Best Practices 8 Container Security Best Practices for 2026 Close the Cloud Identity Gap with Orca and AWS IAM Access Analyzer The 5-Step Context-Aware Cloud Vulnerability Prioritization Framework Critical Jupyter Enterprise Gateway Vulnerabilities Enable Full Kubernetes Cluster Takeover AI Security Best Practices for Regulated Industries Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks SAST vs SCA: Key Differences for AppSec Teams What Is Cloud Security Architecture? Principles, Layers, and Frameworks What Is ASPM? A Guide to Application Security Posture Management What Is SaaS Security? A Practical Guide 2026 What Is a Man-in-the-Middle Attack? A Cloud Security Guide What Is Open Policy Agent? Best Practices and Use Cases 11 Best Open-Source DevSecOps Tools for 2026 How to Secure AI Workloads in Multi-Cloud Environments: A Complete Framework Critical WordPress Plugin Vulnerability Allows Unauthenticated Admin Takeover on 150K Sites What Is Kubernetes as a Service? KaaS Explained Critical Netlogon RCE Flaw Actively Exploited Against Windows Domain Controllers Your FedRAMP Continuous Monitoring Strategy Has a Gap. We Built Something to Fix It. How to Simplify Multi-Cloud Compliance Reporting: The 2026 Checklist Red Hat npm Packages Compromised in Supply-Chain Attack Spreading Credential-Stealing Worm Critical RCE in LiquidJS Lets Attackers Execute Arbitrary Commands on Unpatched Hosts Securing Shadow AI: How to Detect Unapproved LLMs in Your Cloud Data Security Posture Management (DSPM) for AI Gitea Container Registry Exposes Private Images to Unauthenticated Attackers Critical Unauthenticated RCE in Kopia Backup via SSH ProxyCommand Injection Best Palo Alto Networks Cortex (Prisma Cloud) Alternatives in 2026 7 Enterprise AI Security Risks to Manage Critical Pre-Auth RCE in ChromaDB Threatens AI Infrastructure Critical Coder Signature Bypass Exposes Developer Keys and Tokens New “PoolSlip” NGINX Exploit Revives Unpatched Remote Code Execution Risk Critical Drupal SQL Injection Exposes PostgreSQL-Backed Sites to Remote Code Execution AI Security Tools: How to Evaluate Them Across Every ML Attack Phase Massive npm Supply Chain Attack Compromises AntV Ecosystem, Steals CI/CD Secrets at Scale NIST AI Risk Management Framework (AI RMF) Explained: What It Is and How Organizations Use It The AI Data You Forgot to Lock: How Exposed Vector Databases Put Organizations at Risk GenAI Risks in Cloud Environments: What Security Teams Are Actually Missing in 2026 What Is Multi-Cloud Security? What Is Cloud Detection and Response (CDR)? Linux kernel vulnerability enables local theft of SSH host keys and /etc/shadow 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated DoS and Potential RCE Announcing Cloud Security Agent Skills for Orca’s MCP Server TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack Dirty Frag: Linux Kernel Vulnerability Chain Enables Local Privilege Escalation to Root Critical Apache HTTP Server HTTP/2 Vulnerability Could Enable Remote Code Execution Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace What Is an Incident Response Plan? What Is Cloud Data Security? Risks, Challenges, and 12 Best Practices Remote Code Execution in GitHub Enterprise Server via Git Push Injection (CVE-2026-3854) Linux Kernel Bug (Copy.Fail) Enables Local Privilege Escalation to Root (CVE-2026-31431) Xinference PyPI package compromise leads to full environment takeover What is Application Security? When AI Accelerates the Offense, Coverage Gaps Become Catastrophic Orca Security Recognized in the 2026 TAG Enterprise AI Security Handbook Navigating Cloud Security in 2026: Join Cloud Security LIVE Anthropic’s Project Glasswing Is a Positive Step Toward Cleaner, Safer Production Kyverno SSRF: Breaking Kubernetes Namespace Isolation (CVE-2026-4789) Streamline Compliance Reporting with Orca and Drata’s Integrated Vulnerability Management CVE-2026-23226: How a Missing Lock in ksmbd’s Channel List Exposes Your Linux SMB3 Server 2026 State of AppSec: When Development Velocity Outpaces Security AI Is Entering Your Infrastructure. Now what? Orca Security Featured in SACR’s 2026 Unified Agentic Defense Platforms Report Credential‑Stealing Malware in LiteLLM Supply Chain Attack Mission Accomplished: Orchestrate Your Remediation Strategy With Orca Missions The Orca Approach to Runtime AI Security
Supply Chain Attack on Axios Delivers Cross-Platform RAT via Compromised npm Account
2026-03-31 · via Orca Security

On March 31, 2026, attackers compromised the primary maintainer account of the axios npm package and published two malicious versions that silently installed a cross-platform Remote Access Trojan (RAT) on macOS, Windows, and Linux systems. Axios is one of the most widely used JavaScript libraries, with roughly 100 million weekly downloads and over 174,000 dependent packages. The poisoned versions were live for under three hours, but any project that ran npm install during that window was silently backdoored. This is not a vulnerability in the axios codebase itself, so a traditional CVE is unlikely to be assigned. Tracking is through npm security advisories and GitHub Security Advisories (GHSA).

Quick Overview

AttributeDetails
CVEN/A (supply chain compromise, not a code vulnerability; tracked via npm/GHSA advisories)
SeverityCritical (supply chain RCE with no user interaction)
TypeSupply chain compromise (maintainer account takeover)
CWECWE-506 (Embedded Malicious Code)
Affected Packagesaxios, plain-crypto-js, @shadanai/openclaw, @qqbrowser/openclaw-qbot
Compromised Versionsaxios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1
Safe Versionsaxios@1.14.0 (1.x), axios@0.30.3 (0.x)
Attack VectorNetwork (npm install triggers payload automatically)
Authentication RequiredNone
User InteractionNone (postinstall hook runs automatically)
Active ExploitationYes, confirmed
CISA KEVNo
Fix AvailableYes, revert to axios@1.14.0 or axios@0.30.3

What is Axios?

Axios is a promise-based HTTP client for JavaScript that works in both Node.js and the browser. If you’ve written JavaScript in the last decade, you’ve almost certainly used it or depended on something that does. It sits in the dependency tree of over 174,000 npm packages, which makes it one of those foundational libraries where a compromise doesn’t just affect direct users. It cascades downstream into countless applications, CI/CD pipelines, and production environments.

Timestamp (UTC)Details
Mar 30, 05:57plain-crypto-js@4.2.0 published by npm user nrwise (nrwise@proton.me), a clean copy of crypto-js staged to build publishing history
Mar 30, 23:59plain-crypto-js@4.2.1 published by the same account with malicious postinstall hook and obfuscated dropper added
Mar 31, 00:05Socket’s automated detection flags plain-crypto-js@4.2.1 within 6 minutes of publication
Mar 31, 00:21axios@1.14.1 published by the compromised jasonsaayman npm account (email changed to ifstap@proton.me)
Mar 31, 01:00axios@0.30.4 published by the same compromised account, targeting the legacy 0.x branch
Mar 31, ~03:15npm unpublishes both malicious axios versions; latest dist-tag reverts to 1.14.0
Mar 31, 04:26npm publishes security-holder stub plain-crypto-js@0.0.1-security.0, formally neutralizing the malicious package

Socket co-founder Feross Aboukhadijeh issued the first public alert on X/Twitter. StepSecurity researcher Ashish Kurmi opened GitHub Issue #10604 to coordinate community response and submitted a vulnerability report, though a traditional CVE is unlikely since this is a supply chain compromise rather than a code vulnerability.

Technical Analysis

How the account was compromised

The attack started with a takeover of the jasonsaayman npm account, the primary maintainer of axios. The attacker changed the account’s registered email to a ProtonMail address they controlled (ifstap@proton.me) and used the npm CLI to publish the poisoned packages directly.

This is significant because legitimate axios releases use npm’s Trusted Publishing mechanism (a system where packages are published through GitHub Actions with cryptographic OIDC tokens that tie each release to a specific CI workflow, making it impossible to publish without a corresponding code change). The malicious versions were published manually, completely bypassing this. The likely entry point was a long-lived classic npm access token, which can sidestep 2FA requirements entirely, unlike the ephemeral OIDC tokens used by Trusted Publishing.

The forensic signal is clear: the legitimate axios@1.14.0 shows GitHub Actions as the publisher with a trustedPublisher OIDC attestation, while axios@1.14.1 shows jasonsaayman as the publisher with a ProtonMail address and no provenance data at all. No corresponding commit, tag, or release exists in the axios GitHub repository.

The phantom dependency trick

The attacker didn’t modify any of axios’ JavaScript source files. The only change was in package.json: a new runtime dependency on plain-crypto-js@^4.2.1 was added, and the version number was bumped. A search of all 86 files in axios@1.14.1 confirms that plain-crypto-js is never imported or required anywhere in the codebase. It exists purely as a “phantom dependency” whose postinstall hook (a script that npm automatically runs after installing a package) triggers the malicious payload.

The attacker pre-staged this carefully. Roughly 18 hours before the axios compromise, a clean version of plain-crypto-js@4.2.0 was published by the npm user nrwise (nrwise@proton.me). This version was an exact copy of the legitimate crypto-js library with no malicious code, designed to build publishing history and dodge detection heuristics that flag brand-new packages. The malicious 4.2.1 followed a day later, adding an obfuscated dropper script (setup.js) and a postinstall hook to execute it.

Inside the dropper

The setup.js dropper (4,209 bytes) uses a two-layer encoding scheme to hide its intent. All sensitive strings are stored in an encoded array and decoded through two chained functions. The inner function applies an XOR cipher (a reversible bitwise operation commonly used in simple obfuscation) with the key “OrDeR_7077“. Because JavaScript’s Number() coerces alphabetic characters to NaN (which becomes 0 in bitwise operations), the effective key reduces to the byte sequence [0,0,0,0,0,0,7,0,7,7]. Each character is decoded as charCode XOR key[(7 * r * r) % 10] XOR 333. The outer function reverses the string, swaps underscores for equals signs, base64-decodes, and then feeds the result through the XOR layer.

Once decoded, the dropper reveals its operational structure: it imports child_process, os, and fs, identifies the host platform, and reaches out to the C2 (Command and Control, the attacker-operated server that issues instructions) server at http://sfrclak.com:8000/6202033 to fetch a platform-specific RAT payload.

Platform-specific payloads

The attack deployed three distinct payloads depending on the operating system:

macOS: The dropper writes an AppleScript file to the system’s temp directory and runs it silently via osascript. The script contacts the C2 server, downloads a compiled C++ RAT binary, and saves it to /Library/Caches/com.apple.act.mond, a path deliberately chosen to mimic Apple’s reverse-DNS naming convention for system daemons. The binary is made executable with chmod 770 and launched via /bin/zsh. According to StepSecurity’s analysis, the RAT beacons to the C2 server every 60 seconds, supports shell command execution, filesystem enumeration, and self-termination.

Windows: The dropper locates the PowerShell binary, copies it to %PROGRAMDATA%\wt.exe (disguised as Windows Terminal), writes a VBScript to the temp directory, and executes it via cscript. The VBScript launches a hidden cmd.exe that downloads a PowerShell-based RAT script from the C2, saves it to %TEMP%\6202033.ps1, and runs it with -ExecutionPolicy Bypass -WindowStyle Hidden.

Linux: A shell command downloads a Python RAT script to /tmp/ld.py and executes it detached via nohup python3. StepSecurity’s runtime analysis confirmed the Python process is deliberately orphaned to PID 1 (meaning its parent process ID is set to the init system), which helps it evade process-tree attribution and persist beyond the npm install session.

All three payloads use POST bodies formatted as packages.npm.org/product0, product1, or product2 when communicating with the C2 server. This formatting is deliberate camouflage designed to make outbound traffic look like legitimate npm registry communication in network monitoring tools.

Anti-forensic evidence destruction

After launching the payload, the dropper cleans up after itself in three steps: it deletes setup.js, deletes the malicious package.json (which contains the incriminating postinstall hook), and then renames a pre-staged clean manifest file (package.md) to package.json. The result is that anyone inspecting node_modules/plain-crypto-js/ after infection would find a perfectly clean package.json with no scripts section and no trace of the dropper. npm audit will detect nothing. StepSecurity’s Harden-Runner captured this swap happening: the malicious manifest was written, and the clean replacement appeared 36 seconds later.

Attack Flow

  1. Attacker compromises the jasonsaayman npm account (likely via a stolen long-lived access token)
  2. Attacker pre-stages plain-crypto-js@4.2.0 (clean) then 4.2.1 (malicious) under a throwaway npm account
  3. Attacker publishes axios@1.14.1 and axios@0.30.4 with plain-crypto-js injected as a dependency
  4. Any npm install automatically resolves the new axios version (via caret ranges) and runs plain-crypto-js‘s postinstall hook
  5. The postinstall hook executes setup.js, which decodes and runs the platform-specific dropper
  6. The dropper contacts the C2 server, downloads a RAT, and installs persistent access within 1.1 seconds of npm install completing
  7. The dropper destroys all evidence of itself, leaving a clean package.json in its place

Affected Versions

PackageCompromised VersionSafe VersionNotes
axios1.14.11.14.01.x branch, published via compromised maintainer account
axios0.30.00.30.0Legacy 0.x branch, same attack
plain-crypto-js4.2.1N/AMalicious dependency, now under npm security hold
@shadanai/openclaw2026.3.28-2 through 2026.3.31-2N/AAdditional distribution vector identified by Socket
@qqbrowser/openclaw-qbot0.0.130N/AShips vendored malicious axios in node_modules/

All compromised versions have been unpublished from npm. The latest dist-tag for axios currently points to 1.14.0.

Threat Status

Exploitation Activity: Confirmed active. The malicious versions were live on npm for approximately 2-3 hours. StepSecurity confirmed via Harden-Runner that the first C2 connection fires 1.1 seconds after npm install completes. The compromise was independently detected in CI runs for the backstage repository, one of the most widely used developer portal frameworks, confirming real-world execution in production pipelines.

PoC Availability: The malicious code itself was captured and analyzed by Socket, StepSecurity, and SafeDep before npm removed the packages. Detailed technical teardowns are publicly available. The C2 server domain (sfrclak.com) was still resolving at the time of initial reporting.

Attribution: No formal attribution to any known threat group has been published. Socket explicitly stated they found no evidence linking this to the recently reported TeamPCP campaigns. The security community has noted the absence of cryptocurrency miners or ransomware in the payload, pointing instead to persistent C2 beaconing, system reconnaissance, and targeting of .ssh and .aws directories. This behavior pattern is more consistent with an APT (Advanced Persistent Threat) actor focused on intelligence gathering than financially motivated crime. However, this remains speculative.

Why This Matters

The immediate blast radius is enormous. Any project using a caret range dependency on axios (npm’s default version syntax, where ^1.14.0 means “accept any compatible version up to the next major release”) that ran npm install during the roughly three-hour window would have automatically pulled the compromised version. Given axios’ 100 million weekly downloads and 174,000+ dependents, even a short exposure window translates to significant potential impact. CI/CD pipelines running on schedule, developers starting their morning, automated deployments, anything that touched npm install during those hours is potentially compromised.

What makes this attack particularly concerning for the broader ecosystem is that axios had already adopted npm’s Trusted Publishing mechanism. In theory, this should prevent exactly this kind of attack by tying releases to verifiable CI workflows. But the maintainer’s account also retained a classic long-lived npm token, and the attacker used that token to bypass every provenance control. This is a structural lesson: Trusted Publishing only works if it’s the sole publishing path. As long as legacy tokens coexist with modern provenance systems, they represent a backdoor around those protections.

Diagram comparing a legitimate npm release with OIDC provenance against an attacker release using compromised tokens to bypass security checks.

The operational sophistication here is also worth noting. This wasn’t a smash-and-grab. The attacker staged a clean decoy package 18 hours in advance, hit both the current and legacy release branches within 39 minutes of each other, built platform-specific RAT payloads for all three major operating systems, disguised C2 traffic as npm registry calls, and destroyed all forensic evidence within 36 seconds of execution. That level of planning and execution suggests a well-resourced and experienced adversary.

Primary Action

Pin axios to a known-safe version immediately: npm install axios@1.14.0 (for the 1.x branch) or npm install axios@0.30.3 (for the legacy 0.x branch).

Version-Specific Instructions

ScenarioAction
Using axios 1.x with caret rangeRun npm install axios@1.14.0 and verify package-lock.json shows 1.14.0
Using axios 0.x with caret rangeRun npm install axios@0.30.3 and verify lockfile
CI/CD pipelinesAudit workflow run logs during the exposure window (approx. 00:21-03:15 UTC, March 31). Rotate all injected secrets for any affected runs
Confirmed compromise (RAT artifacts found)Do not attempt to clean in place. Rebuild the system from a known-good state

Interim Mitigations

If you cannot immediately verify and rebuild affected systems:

  1. Block C2 traffic by adding sfrclak.com and 142.11.206.73 to firewall blocklists and DNS sinkholes
  2. Run npm install --ignore-scripts as a standing policy in CI/CD environments to prevent postinstall hooks from executing automatically
  3. Rotate all credentials accessible from potentially affected systems: npm tokens, AWS keys, SSH private keys, CI/CD secrets, database passwords, and .env file contents

Post-Compromise Considerations

If you find any of the RAT artifacts listed below, or if your lockfile confirms installation of axios@1.14.1 or axios@0.30.4, treat the system as fully compromised:

  1. Rebuild from a known-good image or backup
  2. Rotate every secret and credential that was accessible on the system
  3. Review authentication logs for unauthorized access originating from the compromised host
  4. Check for lateral movement, particularly in cloud environments where IAM credentials or SSH keys may have been exfiltrated

Detection Guidance

Package hashes (for detection and verification)

PackageSHA256
axios@1.14.15bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd
axios@0.30.459336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f
plain-crypto-js@4.2.1setup.js: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09

Host-level indicators

PlatformPathDescription
macOS/Library/Caches/com.apple.act.mondC++ RAT binary (persistent)
Windows%PROGRAMDATA%\wt.exeCopied PowerShell binary disguised as Windows Terminal
Windows%TEMP%\6202033.ps1PowerShell RAT script (may self-delete)
Windows%TEMP%\6202033.vbsVBScript dropper (may self-delete)
Linux/tmp/ld.pyPython RAT script
All platformsnode_modules/plain-crypto-js/Presence of this directory indicates the dropper ran

Detection Commands

Terminal commands for threat hunting, identifying compromised npm packages and Remote Access Trojan (RAT) artifacts across macOS, Linux, and Windows.

How Can Orca Help?

Orca enables customers to identify cloud workloads and container images running compromised axios versions, understand exposure context (including internet accessibility, attack path reachability, and asset criticality), and prioritize remediation based on real risk. Orca’s News Item view highlights affected assets directly, helping security teams focus on the most critical systems first.

Orca Security platform alert for the Axios npm package supply chain attack, detailing hijacked maintainer accounts and poisoned versions delivering a cross-platform RAT.