An attacker compromised the npm account of a lead Axios maintainer on March 30 and used it to publish two malicious versions of the widely used JavaScript HTTP client library, according to StepSecurity. The poisoned releases, [email protected] and [email protected], injected a hidden dependency that silently installed a cross-platform remote access trojan on developer machines running macOS, Windows, and Linux. Axios is downloaded roughly 100 million times per week on npm.
Both malicious versions added a single new dependency to the package manifest: [email protected], a purpose-built trojan disguised as the legitimate crypto-js library. The package was never imported or referenced anywhere in Axios source code. Its only function was to execute a postinstall script that contacted a command-and-control server at sfrclak.com, downloaded a platform-specific RAT payload, and then destroyed all evidence of its own execution.
The attack was staged across roughly 18 hours, with an attacker-controlled npm account publishing a clean decoy version of plain-crypto-js at 05:57 UTC on March 30 to establish publishing history. The malicious payload version followed at 23:59 UTC. The compromised Axios maintainer account, jasonsaayman, then published [email protected] at 00:21 UTC on March 31, followed by [email protected] at 01:00 UTC, covering both the modern 1.x and legacy 0.x release branches within 39 minutes of each other.
StepSecurity's runtime analysis confirmed that the dropper made its first outbound connection to the C2 server just 1.1 seconds after npm install began. On macOS, the RAT binary was written to /Library/Caches/com.apple.act.mond, mimicking an Apple system process. On Windows, the malware copied PowerShell to %PROGRAMDATA%\wt.exe and executed a hidden script. On Linux, it downloaded a Python-based RAT to /tmp/ld.py.
After execution, setup.js deleted itself, removed its own package.json containing the malicious postinstall hook, and replaced it with a pre-staged clean stub reporting a different version number. A forensic inspection of the installed package after the fact would show nothing suspicious.
The malicious versions were live for approximately two to three hours before npm unpublished them and placed a security hold on plain-crypto-js. Neither compromised version appears in Axios's GitHub repository tags, confirming they were published directly to the npm registry outside the project's normal CI/CD pipeline.
StepSecurity, Snyk, Wiz, and Vercel have all published advisories recommending that any system where the malicious package ran should be treated as fully compromised, with all credentials rotated immediately. The GitHub issue tracking the incident is axios/axios#10604.