Axios npm Compromise: Maintainer Account Hijacked, RAT Deployed
On March 31, 2026, the npm account of the lead Axios maintainer was hijacked. Two malicious versions were published that deploy a cross-platform remote access trojan. Axios has roughly 100 million weekly downloads.
What Happened
A clean decoy package, plain-crypto-js@4.2.0, was published to npm by a new account (nrwise@proton.me), establishing registry history for the package name.
The malicious version plain-crypto-js@4.2.1 was published, containing a postinstall hook that acts as a cross-platform RAT dropper.
axios@1.14.1 was published to npm from the compromised jasonsaayman maintainer account. The only change from 1.14.0: plain-crypto-js (^4.2.1) added as a dependency.
axios@0.30.4 was published, targeting the legacy 0.x branch. Both release branches were compromised within 39 minutes of each other.
Both malicious Axios versions were removed from npm, and plain-crypto-js was placed under security hold at 03:25 UTC.
This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for macOS, Windows, and Linux. Both the current and legacy release branches were hit within 39 minutes. The malware self-destructs after execution, replacing its own package.json with a clean decoy. Post-infection inspection of node_modules will not reveal the compromise.
How the Attack Works
The attacker compromised the npm account of the primary Axios maintainer (jasonsaayman). The account email was changed to lock out the legitimate owner.
Legitimate Axios releases are published via GitHub Actions with OIDC Trusted Publisher binding. These malicious versions were published manually with a stolen npm access token, bypassing the CI/CD pipeline entirely. Neither version has a corresponding commit, tag, or release in the Axios GitHub repository.
The only modification was adding plain-crypto-js@^4.2.1 as a dependency. This package is never imported anywhere in the Axios source. It exists solely to run a postinstall hook.
When npm installs the compromised Axios, it resolves the dependency tree, pulls plain-crypto-js@4.2.1, and automatically runs its postinstall script (setup.js). That script contacts a C2 server at sfrclak[.]com:8000 and delivers platform-specific payloads.
On macOS: a binary disguised as an Apple cache daemon at /Library/Caches/com.apple.act.mond. On Windows: a PowerShell script launched through a hidden VBScript stub, using a renamed copy of the PowerShell interpreter at %PROGRAMDATA%\wt.exe. On Linux: a Python script at /tmp/ld.py.
After execution, the dropper deletes itself and replaces its own package.json with a clean version.
Who Is Affected
Anyone who ran npm install, pnpm install, or yarn install between approximately 00:21 and 03:15 UTC on March 31, 2026 and pulled axios@1.14.1 or axios@0.30.4. Both malicious versions are patch bumps, so any caret or tilde range that admits them (^1.14.0, ~1.14.0, ^0.30.0 and similar) would have resolved to them automatically in a project without a lockfile, or in one where axios was not locked. CI/CD pipelines that ran during this window are particularly at risk, both because they often install from scratch and because they hold deployment secrets. One caveat: pnpm 10 does not run the lifecycle scripts of dependencies unless the package is allowlisted (onlyBuiltDependencies), so on a default pnpm 10 setup the malicious version may have been resolved into the lockfile without the dropper executing. Treat such a project as exposed anyway and run the checks below.
This incident is not linked to the TeamPCP campaign. Socket has confirmed no connection between the two. The attack vector, infrastructure, and payload are distinct.
How to Check
1. Check your lockfile for compromised versions
If either Axios version, or plain-crypto-js in any version, appears in the lockfile, the compromised package was resolved into your dependency tree. plain-crypto-js is the definitive match: no legitimate Axios release depends on it. Lockfile formats record the resolved version differently (package-lock.json puts it on the line after the "node_modules/axios" key, yarn on the line after the range key, pnpm inside the package key itself), so the second command prints each axios entry with its following line and filters for the bad versions. Inspect every match.
grep -nE "plain-crypto-js" pnpm-lock.yaml package-lock.json yarn.lock 2>/dev/null
grep -nE -A1 'node_modules/axios"|^ *"?/?axios[@/]' pnpm-lock.yaml package-lock.json yarn.lock 2>/dev/null | grep -E '1\.14\.1|0\.30\.4'
Bad result: Any match found
2. Check for the RAT artifacts on macOS
Presence of this file confirms the RAT was deployed and executed.
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null
Bad result: File exists
3. Check for the RAT artifacts on Linux
Presence of this file confirms the RAT was deployed and executed.
ls -la /tmp/ld.py 2>/dev/null
Bad result: File exists
4. Check for the RAT artifacts on Windows
Run in PowerShell to check for the malicious interpreter copy. The legitimate Windows Terminal wt.exe is an app execution alias under %LOCALAPPDATA%\Microsoft\WindowsApps; a wt.exe directly in %PROGRAMDATA% has no benign explanation.
Test-Path "$env:PROGRAMDATA\wt.exe"
Bad result: Returns True
5. Check node_modules for the phantom dependency
Note: the malware self-destructs after execution and rewrites its own package.json with a clean decoy. Absence of this directory, or presence of a harmless-looking package.json inside it, does not mean the system is clean if the compromised version was installed during the malicious window; the lockfile check in step 1 is the authoritative signal.
ls node_modules/plain-crypto-js 2>/dev/null
Bad result: Directory exists or lockfile showed it was resolved
If You Are Affected
If any RAT artifact is found, do not attempt to clean in place. The dropper ran with the installing user's privileges and its payloads live outside the project tree, so treat the host as compromised and rebuild it from a known-good state.
Rotate all credentials accessible on the affected system: npm tokens, AWS access keys, SSH private keys, CI/CD secrets, cloud credentials, .env values.
Audit CI/CD pipeline logs for any runs that installed the affected versions during the March 31 window (roughly 00:21 to 03:15 UTC). Rotate every secret those pipelines could reach, not only the ones the job in question used.
Pin axios to a known-good version (1.14.0 or 0.30.3, the releases immediately preceding the malicious ones) or to a later release that has a matching tag in the Axios GitHub repository, and regenerate the lockfile.
Remove plain-crypto-js from node_modules and from the lockfile if present; it has no legitimate reason to be in the tree.
Block egress traffic to sfrclak[.]com and 142.11.206.73 at the network level, and search proxy and DNS logs for past connections to them from build hosts and developer machines.
Run npm ci --ignore-scripts as a standing policy in CI/CD. Packages that genuinely need a build step (native addons) can then be rebuilt explicitly with npm rebuild <package>, which keeps the list of packages allowed to run scripts in the pipeline rather than leaving it to whatever the registry serves.
Full Audit Prompt
We built an audit prompt that checks all your local projects for exposure to the Axios compromise. It covers lockfile scanning, RAT artifact detection across macOS, Windows, and Linux, CI/CD pipeline timeline analysis, and remediation. It is designed to be run through Claude Code or any AI coding assistant with shell access.
What This Means for Dependency Security
This attack bypassed the project's CI/CD pipeline entirely because the maintainer account still held a long-lived npm access token alongside the OIDC trusted publishing setup. The token was the weak link: trusted publishing adds a verified path to the registry, it does not close the others. Organizations should audit their own published packages for long-lived tokens that can publish independently of the pipeline, revoke the ones that are not needed, and review npm's per-package publishing access settings so that token-based publishing is disallowed where the pipeline is the only sanctioned publisher. On the consuming side, npm's provenance attestations let you distinguish versions published through a verified CI/CD flow from ones pushed by hand: a release that lacks an attestation when its predecessors carried one deserves scrutiny before it is installed.