
Malicious axios npm releases drop cross-platform RAT dependency

2 min read | Published 30 Mar 2026 | Source: StepSecurity

TL;DR: Malicious axios releases on npm added a hidden postinstall dropper dependency, so any environment that installed axios@1.14.1 or axios@0.30.4 should be treated as compromised.

What happened

axios is one of the most widely used JavaScript HTTP client libraries, commonly pulled into both browser and Node.js applications via npm.

StepSecurity reports a supply-chain compromise in which two malicious npm releases (axios@1.14.1 and axios@0.30.4) were published using compromised credentials for a lead axios maintainer account. The attacker did not add malicious code to the axios source itself; instead, the releases injected a new runtime dependency, plain-crypto-js (version not preserved in this summary), which exists only to run a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper (Windows/macOS/Linux).

StepSecurity highlights a key forensic signal: legitimate axios 1.x releases are published via GitHub Actions using npm OIDC Trusted Publishing, but axios@1.14.1 was published manually (no OIDC trustedPublisher metadata, no gitHead, and no corresponding GitHub commit/tag). This incident is a reminder that “phantom dependencies” plus install scripts remain one of the highest-blast-radius supply-chain patterns in the npm ecosystem, especially for projects that accept semver ranges and run installs automatically in CI.

Who is impacted

  • Any project, developer workstation, or CI runner that installed either compromised version (see the table below).
  • Environments where dependency installs execute lifecycle scripts (the plain-crypto-js payload is triggered via postinstall).

Package               Compromised version(s)                                     Clean prior version(s) referenced by source
axios                 1.14.1, 0.30.4                                             1.14.0, 0.30.3
injected dependency   plain-crypto-js (version not preserved in this summary)    npm later published a security-holder stub (per the report)

StepSecurity-provided indicators include:

  • Malicious package shasums:
  • Example network indicator observed by StepSecurity Harden-Runner: sfrclak.com:8000.
  • Example host artifacts listed by StepSecurity (paths vary by OS), including /tmp/ld.py (Linux) and /Library/Caches/com.apple.act.mond (macOS).

What to do now

  • Follow incident remediation guidance from the incident write-up and your internal IR runbooks. StepSecurity’s remediation section includes:
    • Triage exposure quickly: use StepSecurity’s suggested checks to locate the versions in your dependency graph and lockfiles (e.g., npm list axios | grep -E "1\.14\.1|0\.30\.4") and check whether node_modules/plain-crypto-js exists.
    • Apply the source’s rollback/pinning guidance (explicitly provided in the report).
    • Reduce repeat exposure from lifecycle scripts during investigation/containment: npm install --ignore-scripts
    • Treat any CI/CD pipeline run that installed the malicious versions as a secret-exposure event (per the report): rotate credentials accessible to the runner at install time (e.g., npm tokens, cloud keys, SSH keys, and CI secrets).
    • If you find RAT artifacts or cannot confidently scope execution, use the report’s containment guidance: "Treat the system as fully compromised. Do not attempt to clean in place — rebuild from a known-good state."
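As an added example (not code from StepSecurity, the axios project, or this site), the following Node.js script implements the two checks discussed above: scanning a package-lock.json for the compromised axios versions and for the injected plain-crypto-js dependency (also surfacing npm's hasInstallScript flag, which marks packages that declare install-time lifecycle scripts), and checking a registry version document for the provenance signals the report points to (missing gitHead, missing trusted-publisher metadata). The gitHead and _npmUser.trustedPublisher field names are assumptions about registry metadata, and every sample value in the script is constructed, not a real capture.

```javascript
// Versions and package name as given in the StepSecurity report.
const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const INJECTED_DEP = "plain-crypto-js";

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk the `packages` map of package-lock.json (lockfileVersion 2 or 3) and
// return one finding per suspicious entry, including nested copies of axios
// that `npm list` at the top level would not show.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    if (name === "axios" && COMPROMISED_AXIOS.has(meta.version)) {
      findings.push({ lockPath, name, version: meta.version, reason: "compromised axios release" });
    }
    if (name === INJECTED_DEP) {
      findings.push({ lockPath, name, version: meta.version, reason: "injected dropper dependency present" });
    }
    if (meta.hasInstallScript) {
      findings.push({ lockPath, name, version: meta.version, reason: "declares install-time lifecycle script" });
    }
  }
  return findings;
}

// Provenance signals the report describes for the manually published release:
// no OIDC trusted-publisher metadata and no gitHead. Field names are assumed.
function publishProvenanceSignals(versionDoc) {
  const signals = [];
  const user = versionDoc._npmUser || {};
  if (!user.trustedPublisher) signals.push("no OIDC trustedPublisher metadata");
  if (!versionDoc.gitHead) signals.push("no gitHead");
  return signals;
}

// Constructed sample lockfile: axios resolved to a compromised version, which
// pulled in the injected dependency; the third entry is an unrelated package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed", hasInstallScript: true },
    "node_modules/example-dep": { version: "2.0.0" },
  },
};

// Constructed registry version documents: one shaped like a trusted-publishing
// release, one shaped like a manual publish with the metadata stripped.
const SAMPLE_TRUSTED_RELEASE = {
  version: "1.14.0",
  gitHead: "0000000000000000000000000000000000000000",
  _npmUser: { name: "maintainer", trustedPublisher: { id: "GitHubActions" } },
};
const SAMPLE_MANUAL_RELEASE = { version: "1.14.1", _npmUser: { name: "maintainer" } };

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version} (${f.lockPath})`);
}
console.log("manual release signals:", publishProvenanceSignals(SAMPLE_MANUAL_RELEASE));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and feed publishProvenanceSignals the version object from the registry packument; any finding from scanLockfile should trigger the secret-rotation and rebuild steps above rather than an in-place cleanup.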


