Axios npm Supply Chain Attack Deploys Cross-Platform RAT via Malicious Dependency
Summary
Attackers compromised the npm account of Axios maintainer 'jasonsaayman' and published malicious versions [email protected] and [email protected] on March 31, 2026, containing a hidden dependency that deploys a cross-platform Remote Access Trojan targeting macOS, Windows, and Linux. The attack affected one of npm's most downloaded packages with over 100 million weekly downloads. npm removed the malicious packages approximately 3 hours after publication.
Threat Analysis
On March 31, 2026, a sophisticated supply chain attack targeted the Axios npm package, one of the most widely used HTTP client libraries with over 100 million weekly downloads. Attackers compromised the npm account of lead maintainer 'jasonsaayman' and published two malicious versions: [email protected] and [email protected].
Attack Mechanism: The malicious versions introduced a hidden dependency '[email protected]' containing a postinstall hook that executed obfuscated code. The payload used two-layer encoding (reversed Base64 + XOR cipher with key 'OrDeR_7077') to evade detection. Upon installation, it contacted C2 server sfrclak[.]com:8000 and deployed platform-specific RATs.
Affected Platforms: macOS (Mach-O binary disguised as Apple cache daemon), Windows (PowerShell-based payload), Linux (Python-based RAT). All variants supported system fingerprinting, arbitrary command execution, and filesystem enumeration.
Timeline: Malicious packages published 00:21-01:00 UTC March 31; npm removed them ~03:15 UTC.
Recommended Mitigations: Immediately check for [email protected], [email protected], or [email protected] in package.json and lock files. Downgrade to [email protected] or [email protected]. Check for RAT artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux). If any artifact is found, assume full compromise and rotate all credentials. Block the C2 domain sfrclak[.]com.