
What Happened
On March 31, 2026, a threat actor hijacked the npm account of the lead Axios maintainer and published two malicious versions of one of the most widely used JavaScript libraries — Axios, with roughly 100 million weekly downloads.
The attacker had direct publishing access to the official axios package on npm, most likely obtained by compromising the account of maintainer @jasonsaayman, whose repository permissions were higher than those of the other collaborators; that same permission gap complicated rapid remediation. The attacker did not modify any Axios source files. Instead, they added a pre-staged malicious dependency, plain-crypto-js@4.2.1, to the package.json of the new axios releases, so the payload arrived transitively rather than in the axios code itself.
Attack Timeline
The attack was carefully staged over approximately 18 hours:
- March 30 – 05:57 UTC: Clean plain-crypto-js@4.2.0 published to establish credibility.
- March 30 – 23:59 UTC: Malicious plain-crypto-js@4.2.1 released, introducing the RAT dropper.
- March 31 – 00:21 UTC: axios@1.14.1 published via the compromised account.
- March 31 – 01:00 UTC: axios@0.30.4 followed, targeting legacy users.
- March 31 – ~03:15 UTC: Both malicious Axios versions removed from npm.
- March 31 – 03:25 UTC: npm placed a security hold on plain-crypto-js.
- March 31 – 04:26 UTC: A security placeholder package replaced the malicious dependency.
Technical Mechanics
When a developer runs npm install axios@1.14.1 (or 0.30.4), npm resolves the dependency tree and installs plain-crypto-js@4.2.1 automatically. Unless lifecycle scripts are disabled, npm then executes plain-crypto-js's postinstall script, which launches the dropper setup.js. The dropper contacts a live C2 server, fetches an OS-specific second-stage payload for macOS, Windows, or Linux, then erases itself and overwrites its own package.json with a clean decoy. A developer who inspects node_modules after the fact therefore sees nothing unusual, which is why the lockfile, not the installed manifest, is the reliable record of what was resolved.
The malware deployed different payloads per OS:
- macOS: AppleScript to download and execute a binary in /Library/Caches, disguised as a legitimate system process.
- Windows: VBScript and PowerShell to download and execute a RAT, with persistence disguised as system binaries.
- Linux: A Python script (/tmp/ld.py) executed in the background via nohup.
StepSecurity confirmed the malware’s operation via runtime analysis — a connection to the C2 domain was detected just 1.1 seconds after running npm install.
Account Compromise Vector
The threat actor compromised the npm account of jasonsaayman and changed its registered email address to a ProtonMail address under their control (ifstap@proton.me). It is believed the attacker obtained a long-lived classic npm access token for the account to take control and directly publish poisoned versions.
The red flag that expert defenders spotted immediately: legitimate Axios releases always carry OIDC provenance metadata and SLSA build attestations linking the npm package back to a specific GitHub Actions run. The malicious versions had none of this. They were published directly from a token rather than from the CI pipeline, leaving no verifiable build trail, so a provenance check on the new versions would have failed before any code was inspected.
Blast Radius
Although the malicious versions were removed within a few hours, Axios’s widespread usage — present in roughly 80% of cloud and code environments — enabled rapid exposure, with observed execution in 3% of affected environments.
Two additional packages were identified distributing the same malware: @shadanai/openclaw and @qqbrowser/openclaw-qbot@0.0.130, which ships a tampered axios@1.14.1 in its node_modules/ folder with plain-crypto-js injected as a dependency.
Threat Actor Assessment
The malware's extensive system reconnaissance, file enumeration, and process monitoring point to intelligence gathering, credential harvesting, source code theft, and preparation for lateral movement. The absence of cryptocurrency mining or ransomware components suggests espionage or APT activity rather than financially motivated cybercrime.
C2 Infrastructure: sfrclak[.]com / 142.11.206.73
Immediate Remediation
Anyone who installed axios@1.14.1 or axios@0.30.4 should assume their system is compromised. StepSecurity recommends downgrading to axios@1.14.0 or axios@0.30.3, removing the node_modules/plain-crypto-js directory, and reinstalling with npm install --ignore-scripts so that no lifecycle scripts run during the cleanup. The downgrade keeps the malicious dependency out of future installs but does not remove a RAT that has already been deployed; a host on which the postinstall executed should be treated as compromised rather than merely cleaned. All credentials on affected systems, including npm tokens, cloud keys, SSH keys, and CI/CD secrets, must be rotated.
Detection check: Search lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and node_modules for plain-crypto-js. Its presence in a lockfile confirms that the malicious dependency was resolved; if the install ran with lifecycle scripts enabled, assume the dropper executed. Because the dropper rewrites its own package.json with a clean decoy, a harmless-looking plain-crypto-js directory is not evidence that nothing ran.
CVE/GHSA tracking: GHSA-fw8c-xr5c-95f9 and MAL-2026-2306