
Malicious Versions of Axios on npm Distribute Remote Access Trojan

StepSecurity recently uncovered two malicious versions of the popular HTTP client library, Axios, distributed through npm. The compromised versions, `[email protected]` and `[email protected]`, were published on March 31, 2026, using the stolen credentials of a primary maintainer. The attacker changed the maintainer’s account email to a ProtonMail address and bypassed the project’s standard publishing controls.

Attack Overview

The malicious packages included a hidden dependency, `plain-crypto-js`, that is not found in any legitimate Axios release. This dependency executes a postinstall script, functioning as a remote access trojan (RAT) dropper across major operating systems: macOS, Windows, and Linux.

Operational Mechanics

The attack was meticulously staged, with the dependency seeded approximately 18 hours before the malicious Axios versions were published. Here’s a timeline of critical events:

  • March 30, 2026
    • `plain-crypto-js` dependency seeded on npm, approximately 18 hours before the first malicious Axios release.
  • March 31, 2026
    • 00:21 UTC — First malicious version of Axios released.
    • 01:00 UTC — Second version released with the same malicious injection.
    • 03:15 UTC — Both malicious versions unpublished from npm.

Impact of the Attack

Both malicious Axios versions were capable of executing a hidden payload that contacted a command-and-control (C2) server upon installation. The attacker strategically designed the dropper to erase itself after execution, leaving little trace for developers inspecting their systems.

Indicators of Compromise

If developers have installed either malicious version, they should consider their systems compromised. Important indicators include:

Recommendations for Affected Users

Developers should take immediate action to secure their environments:

  • Downgrade to a clean Axios version:
  • Remove `plain-crypto-js` from node_modules.
  • Rotate all credentials on compromised systems.
  • Monitor CI/CD logs for any installations of the malicious versions.

Future Prevention

To block similar malicious activities, users and organizations are advised to:

  • Implement security measures in CI/CD workflows.
  • Utilize tools like StepSecurity Harden-Runner to monitor package integrity.
  • Review and audit all current npm packages regularly.

As the ecosystem continually evolves, maintaining vigilance against supply chain attacks is crucial for developers relying on npm packages like Axios. For ongoing updates, users are encouraged to stay connected through El-Balad for timely information and guidance on securing development environments.
