Skip to content
.ca
sign in
6 mincritical

Supply Chain Attack on Axios Pulls Malicious Dependency from npm

A critical supply chain attack compromised the widely used Axios npm package, publishing malicious versions that introduced a trojanized dependency. This dependency executes a multi-stage remote access trojan (RAT) across Windows, macOS, and Linux systems, utilizing obfuscation and anti-forensics to evade detection and establish persistence.

Sens:ImmediateConf:highAnalyzed:2026-04-02reports

Authors: Socket

Actorsjasonsaaymannrwise@proton.me
plain-crypto-jsAxiosnpmSupply ChainRAT

Source:Socket

IOCs · 4

Key Takeaways

  • Malicious versions of the widely used Axios npm package (1.14.1 and 0.30.4) were published, pulling in a trojanized dependency named plain-crypto-js@4.2.1.
  • The malicious dependency executes a multi-stage Remote Access Trojan (RAT) via a postinstall hook, affecting Windows, macOS, and Linux environments.
  • The macOS payload is a fully functional C++ RAT capable of arbitrary command execution, binary injection, and filesystem enumeration.
  • The malware employs anti-forensics by deleting its setup scripts and replacing its package.json to hide its tracks post-installation.
  • The compromise likely occurred due to the continued use of a long-lived npm token in the Axios v1.x publishing workflow, bypassing OIDC trusted publishing.

Affected Systems

  • Node.js environments
  • Windows
  • macOS
  • Linux
  • Projects using axios ^1.14.0 or ^0.30.0

Attack Chain

The attack begins when a developer or CI/CD pipeline installs a compromised version of the Axios npm package, which transitively pulls in the malicious plain-crypto-js dependency. During installation, a postinstall script executes an obfuscated setup.js file, which detects the operating system and downloads a platform-specific payload (VBScript/PowerShell for Windows, AppleScript/Mach-O for macOS, Python for Linux) from the C2 server. The malware then executes the payload to establish a RAT connection and performs anti-forensics by deleting its setup files and modifying package.json to hide its tracks.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but outlines detailed behavioral indicators, file paths, and network IOCs suitable for custom rule creation.

Detection Engineering Assessment

EDR Visibility: High — The attack involves suspicious process creation (node spawning curl, powershell, osascript, python), file drops in temporary directories, and the renaming of system utilities (powershell.exe to wt.exe), which are highly visible to EDR solutions. Network Visibility: Medium — The C2 traffic uses HTTP POST to a non-standard port (8000) with specific fake User-Agents and POST bodies. While detectable via HTTP inspection, it attempts to blend in by mimicking npm registry URLs in the POST body. Detection Difficulty: Moderate — While the initial npm install might blend in with normal developer activity, the subsequent execution of obfuscated scripts, renaming of PowerShell, and distinctive C2 beaconing provide solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)
  • Web Proxy Logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for instances of powershell.exe being copied or renamed to wt.exe in the %PROGRAMDATA% directory.Process Creation, File CreationDefense EvasionLow
Search for HTTP POST requests containing 'packages.npm.org/product' in the request body, especially to non-standard ports or IPs.Network Logs, Web Proxy LogsCommand and ControlLow
Identify curl commands executed by node.js or npm processes downloading files to /tmp or %TEMP% directories.Process CreationExecutionMedium
Detect network connections using the specific fake Internet Explorer 8 User-Agent string 'mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)'.Network Logs, Web Proxy LogsCommand and ControlLow

Control Gaps

  • Lack of strict egress filtering for build servers and developer endpoints
  • Over-permissive long-lived npm tokens in CI/CD pipelines

Key Behavioral Indicators

  • Renamed powershell.exe to wt.exe
  • Fake IE8 User-Agent
  • POST bodies containing 'packages.npm.org/product'
  • Node.js spawning curl, cscript, or osascript

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Check dependencies and lockfiles for axios@1.14.1, axios@0.30.4, and plain-crypto-js@4.2.1.
  • Remove compromised versions or roll back to a known safe version immediately.
  • Check feature branches and open PRs for these compromised versions.

Infrastructure Hardening

  • Revoke long-lived npm tokens and migrate to OIDC (trusted publishing) for package releases.
  • Implement strict egress filtering on build environments to prevent unauthorized C2 communication.

User Protection

  • Deploy EDR rules to detect the renaming of system utilities like PowerShell.
  • Monitor developer endpoints for suspicious child processes spawned by Node.js or npm.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of reviewing dependency changes.
  • Train maintainers on secure release workflows and token management.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.002 - Command and Scripting Interpreter: AppleScript
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1036.003 - Masquerading: Rename System Utilities
  • T1070.004 - Indicator Removal: File Deletion
  • T1140 - Deobfuscate/Decode Files or Information
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Ips:
    • 142[.]11[.]206[.]73 - C2 IP address
  • Domains:
    • sfrclak[[.]]com - C2 domain
  • Urls:
    • hxxp://sfrclak[[.]]com:8000/6202033 - C2 URL
  • File Paths:
    • %PROGRAMDATA%\\wt.exe - Renamed copy of powershell.exe (Windows)
    • %TEMP%\\6202033.vbs - VBScript launcher (Windows, self-deletes)
    • %TEMP%\\6202033.ps1 - PowerShell payload (Windows, self-deletes)
    • /Library/Caches/com.apple.act.mond - macOS payload
    • /tmp/ld.py - Python payload (Linux)
    • $TMPDIR/6202033 - Temp file (all platforms)
  • Command Lines:
    • Purpose: Windows payload execution via hidden PowerShell | Tools: powershell.exe, vbs | Stage: Execution | -w hidden -ep bypass
    • Purpose: macOS payload execution via AppleScript | Tools: osascript, nohup | Stage: Execution | nohup osascript
    • Purpose: Linux payload download | Tools: curl | Stage: Delivery | curl -o /tmp/ld.py
    • Purpose: macOS RAT ad-hoc code signing | Tools: codesign | Stage: Execution | codesign --force --deep --sign -
  • Other:
    • axios@1.14.1 - Compromised npm package
    • axios@0.30.4 - Compromised npm package
    • plain-crypto-js@4.2.1 - Malicious dependency
    • @shadanai/openclaw - Package distributing malware via vendored dependencies (v2026.3.28-2, 2026.3.28-3, 2026.3.31-1, 2026.3.31-2)
    • @qqbrowser/openclaw-qbot@0.0.130 - Package distributing malware via tampered axios dependency
    • mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) - Fake Internet Explorer 8 User-Agent string used by the macOS RAT
    • packages[.]npm[.]org/product0 - HTTP POST body used for macOS payload retrieval
    • packages[.]npm[.]org/product1 - HTTP POST body used for Windows payload retrieval
    • packages[.]npm[.]org/product2 - HTTP POST body used for Linux payload retrieval

Related