
























On March 30, 2026, security researchers discovered that the widely-used NPM package Axios was compromised through an account takeover attack targeting a lead maintainer. Threat actors bypassed the project's GitHub Actions CI/CD pipeline by compromising the maintainer's NPM account and changing its associated email. The threat actor manually published two malicious versions via NPM CLI.
These poisoned releases inject a hidden dependency called [email protected], which executes a postinstall script functioning as a cross-platform Remote Access Trojan (RAT) dropper targeting macOS, Windows, and Linux systems.
During execution, the malware contacts command-and-control (C2) infrastructure at sfrclak[.]com to deliver platform-specific payloads, then deletes itself and replaces its package.json with a clean version to evade detection.
npm ci instead of npm install.The following packages are impacted by this compromise.
Package | Version |
|---|---|
Axios | 1.14.1 |
Axios | 0.30.4 |
Table 1: Axios package versions impacted by the compromise.
All NPM packages include a package.json file that declares dependencies. In the compromised version of Axios, the threat actor added a dependency for a malicious package called plain-crypto-js, which included a postinstall script that ran a setup.js script via node.
When developers or CI pipelines run npm install [email protected], NPM resolves the dependency tree, downloads [email protected], and runs the postinstall script. Running node setup.js triggers the compromise sequence.
The figure below shows the attack chain.

Figure 1: Attack chain for the compromised Axios package.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。