惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

Truesec

Russian Intelligence Targets SOHO Routers - Truesec Cyber Warfare in the Iran War - Truesec Organized Cybercrime Merging with Other Crime - Truesec AI Used in Ransomware Attack The Fortibleed Campaign: Truesec's Experience Fortibleed: Truesec's Experience Supply Chain Attack Compromising Arch Linux AUR Packages with Infostealer and Rootkit - Truesec FortiNet SSO Vulnerability CVE-2025-59718 and CVE-2025-59719 Leading to Full System Compromise - Truesec Critical Vulnerabilities in Ivanti Sentry Allows Code Execution as Root (CVE-2026-10520 & CVE-2026-10523) Typosquatting: When Your Domain Is Used Against You AI in Cybersecurity: Separating Operational Reality from Speculation Compromised @redhat-Cloud-Services Npm Packages Distribute Credential-Stealing Worm GitHub Hacks Highlights Need for Repository Security Installation of a Syslog Log Collector Critical Cisco Secure Workload Vulnerability Allows Unauthenticated Site Admin Access (CVE-2026-20223) Securing IT, OT, and IoT When the Digital Meets the Physical Russia Rolls Out Surveillance Through State-Backed “Super App” MAX Device Code Phishing via Fake File-Sharing Invitation Active Exploitation of PAN‑OS Authentication Portal RCE - Truesec Windows Client Security Baselines: When Assumptions Meet Incident Response Reality - Truesec Entra ID Password Protection: From “P@ssw0rd” to Protected GitHub Under Attack: How Small Exposures Snowball into Large‑Scale Compromises European Risks Linked to the U.S. – Iran Conflict Mythos: What It Actually Means and What It Does Not Russian Espionage Campaign Targets Home Routers How Nordic Organizations Must Adjust Their Cybersecurity to a Changing Operating Environment Critical Vulnerability in “Ninja Forms – File Upload” WordPress Plugin (CVE-2026-07409) Iranian APT Target US Critical Infrastructure Remote Access – Is VPN the Almighty Solution? RCE Vulnerability in F5 BIG-IP APM (CVE-2025-53521) No Further Increase in Iranian Cyber Operations Malicious PyPI Package – LiteLLM Supply Chain Compromise Dutch Intelligence Warns of Russian Campaign Against Signal and Whatsapp Users Multiple Vulnerabilities, One Critical, in Ubiquiti UniFi Network Application
Malicious Axios Packages Published to npm in New Supply Chain Compromise
2026-03-31 · via Truesec

Threat Insight

StepSecurity has identified a supply‑chain compromise affecting the widely used JavaScript HTTP client axios, where malicious versions were published to npm using compromised maintainer credentials. The affected packages deploy a cross‑platform Remote Access Trojan (RAT) during installation, potentially leading to full system compromise on developer workstations, CI/CD runners, and build environments[1].

The malicious axios versions do not contain malicious code within the axios source itself. Instead, they introduce a fake dependency, plain-crypto-js@4.2.1, which is never imported by axios. Its sole purpose is to execute a postinstall script during dependency installation, using postinstall as a dropper for the RAT[1].

The dropper contacts a live command‑and‑control (C2) server, retrieves an OS‑specific second‑stage payload, executes it, and then self‑deletes, replacing its own package.json with a clean decoy to hinder forensic detection[1].

The attack was highly coordinated, with the malicious dependency staged in advance, multiple payloads prepared, and both axios release branches compromised within a short time window.

Note that the packages has now been unpublished by npm and if you are attempting to install any version of plain-crypto-js now returns the security notice[1].

Affected Products

axios@1.14.1
axios@0.30.4

Recommended Actions

  • Uninstall compromise packages or pin to known-good versions: axios@1.14.0 (1.x branch) or axios@0.30.3 (0.x branch). until patched releases are verified.
  • Truesec recommends that you disable “postinstall” to reduce the risks of being exploited by a malware similar to this one.
  • Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft.
  • Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.
  • Monitor logs for unusual npm publish or package modification events.

If you require assistance in implementing these principles and best practices or tailoring them to your specific environment, please do not hesitate to contact Truesec for expert support.

For further reading on the subject, see your blog post Npm Supply-Chain Attacks: How to Reduce Risk

Detection

Truesec is currently conducting threat hunting for all MDR customers, specifically for domains, URLs, IPs and file hashes.

Compromised Packages[1]
axios@1.14.1shasum: 2553649f2322049666871cea80a5d0d6adc700ca
axios@0.30.4shasum: d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71
plain-crypto-js@4.2.1shasum: 07d889e2dadce6f3910dcbc253317d28ca61c766

Network Indicators[1]
C2 domainsfrclak[.]com
C2 IP 142.11.206[.]73
C2 URL http://sfrclak[.]com:8000/6202033
C2 POST body — macOSpackages.npm.org/product0
C2 POST body — Windowspackages.npm.org/product1
C2 POST body — Linuxpackages.npm.org/product2

File System Indicators[1]
macOS/Library/Caches/com.apple.act.mond
Windows (persistent)%PROGRAMDATA%\wt.exe
Windows (temp, self-deletes)%TEMP%\6202033.vbs
Windows (temp, self-deletes)%TEMP%\6202033.ps1
Linux/tmp/ld.py

Attacker-Controlled Accounts[1]
jasonsaaymanCompromised legitimate axios maintainer account — email changed to ifstap@proton.me
nrwiseAttacker-created account — nrwise@proton.me — published plain-crypto-js
References

[1] https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan