Update March 31, 2026: Multiple security firms — including Snyk, Socket.dev, StepSecurity, and Malwarebytes — have now published full technical analyses confirming these findings. Snyk recommends rebuilding any environment that installed the bad versions, as cleanup is insufficient if the RAT was active. Rotate all secrets exposed in those environments.
Axios, one of the most widely used JavaScript HTTP libraries with over 300 million weekly downloads, was briefly compromised when malicious versions were published to npm from a hijacked maintainer account. The tampered releases pulled in a hidden dependency whose install script deployed a cross-platform remote access trojan (RAT) to any machine that installed one of them during a window of roughly three hours.
The malicious versions, axios@1.14.1 and axios@0.30.4, were live for roughly two to three hours before npm removed them. Anyone whose npm install resolved either version between approximately 00:21 and 03:29 UTC on March 31, 2026 should treat the affected machine, whether a developer workstation or a CI runner, as fully compromised. Installs that honoured a committed lockfile pinning an earlier version (npm ci, or npm install with the lockfile present) would not have picked up the new releases; installs without a lockfile, npm update, or any re-resolution of a range such as ^1.14.0 could have.
The Attack Chain: Step by Step
Step 1 – Account takeover: The attacker compromised the npm account of jasonsaayman, the lead maintainer of Axios. The account’s registered email was changed to an attacker-controlled ProtonMail address.
Step 2 – Pre-staging the malicious dependency: The attacker added a pre-staged malicious package called plain-crypto-js@4.2.1 to the package.json of the new Axios releases. An earlier “clean” version (4.2.0) had been published 18 hours prior, likely to establish a brief registry history and reduce suspicion.
Step 3 – Exploitation via postinstall: When a developer or CI system ran npm install axios@1.14.1, npm resolved the dependency tree, pulled plain-crypto-js@4.2.1, and automatically executed its postinstall hook, node setup.js. npm runs install-time lifecycle scripts (preinstall, install, postinstall) of every package in the tree by default; only an install run with --ignore-scripts, or an .npmrc setting ignore-scripts=true, would have skipped it. That single script execution is where compromise began.
Step 4 – Obfuscated dropper: The setup.js dropper used two layers of obfuscation — reversed Base64 encoding with padding character substitution, and an XOR cipher with the key OrDeR_7077 — to evade static analysis.
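The two layers described in Step 4, reimplemented as an added example so an analyst can see the peeling order. This is illustrative code written for this page, not the dropper's own source; the XOR key is the one the analysis names, but the character the dropper substituted for Base64 padding is not stated on the page, so the `*` used here is an assumption, as is the sample plaintext.

```javascript
// Added example: the two obfuscation layers attributed to setup.js
// (reversed Base64 with a substituted padding character, then XOR with
// the key "OrDeR_7077") and their inverse. Not the dropper's real code.
const XOR_KEY = 'OrDeR_7077';   // key named in the public analysis
const PAD_SUBSTITUTE = '*';     // ASSUMPTION: the real substitute is not on the page

// XOR every byte against the repeating key. Symmetric: encode == decode.
function xorWithKey(bytes, key) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// Forward direction, as an obfuscator applies it to the dropper body:
// XOR -> Base64 -> swap '=' padding for PAD_SUBSTITUTE -> reverse the string.
function obfuscate(plainText) {
  const xored = xorWithKey(Buffer.from(plainText, 'utf8'), XOR_KEY);
  const b64 = xored.toString('base64').split('=').join(PAD_SUBSTITUTE);
  return [...b64].reverse().join('');
}

// Reverse direction, the order a triage script must apply:
// un-reverse -> restore '=' padding -> Base64-decode -> un-XOR.
function deobfuscate(blob) {
  const b64 = [...blob].reverse().join('').split(PAD_SUBSTITUTE).join('=');
  const xored = Buffer.from(b64, 'base64');
  return xorWithKey(xored, XOR_KEY).toString('utf8');
}

// CONSTRUCTED sample plaintext standing in for dropper logic; not the payload.
const SAMPLE = 'const host = "example.invalid:8000"; require("child_process")';
const SAMPLE_BLOB = obfuscate(SAMPLE);

console.log('obfuscated :', SAMPLE_BLOB);
console.log('recovered  :', deobfuscate(SAMPLE_BLOB));
```

Neither the string child_process nor the host appears in the obfuscated blob, which is why signature matching on the packed file fails; the XOR key literal, however, must be present in the dropper to decode itself, so the key string is a usable static indicator.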
Precise Attack Timeline (UTC)
| Time | Event |
|---|---|
| March 30, 05:57 UTC | Clean plain-crypto-js@4.2.0 published (decoy) |
| March 30, 23:59 UTC | Malicious plain-crypto-js@4.2.1 published with payload |
| March 31, 00:21 UTC | axios@1.14.1 published via compromised account |
| March 31, 01:00 UTC | axios@0.30.4 published via same account |
| March 31, 03:29 UTC | Both malicious versions removed from npm |
Both release branches were hit within a 39-minute window.
What the RAT Does
The plain-crypto-js package's sole purpose was to run a postinstall script that acted as a cross-platform RAT dropper. Three OS-specific payloads were pre-built, one each for macOS, Windows, and Linux, and the dropper selected the one matching the host.
Defenders observed execution in 3% of affected environments. Block and alert on outbound connections to sfrclak.com:8000 (a DNS lookup of the domain is itself an indicator), and review logs for beaconing, anomalous HTTP POST requests from developer hosts or CI runners, and unexpected child processes spawned by node or npm during package installation.
Why This Attack Was Particularly Dangerous
No source files were touched. The attack showed notable restraint: no Axios source files were modified, and the only change to the package was the added dependency in package.json, so diff-based code review of the library itself was far less likely to catch it.
It was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate OS-specific payloads were pre-built. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct.
No provenance metadata. Legitimate Axios releases always include OIDC provenance metadata and SLSA build attestations linking the package back to a specific GitHub Actions run. The malicious versions had none of this — they were published directly, leaving no verifiable build trail.
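The provenance gap above is checkable before a release is adopted. The following added example (not Axios project code) decides, from registry metadata, which published versions carry an npm provenance attestation. The packument below is constructed for this page; its field layout (versions[v].dist.attestations with a url and a provenance.predicateType) follows the public npm registry format, and the policy in isTrustedRelease is this page's own suggestion, not a registry rule.

```javascript
// Added example: screen a package's registry metadata for versions that
// were published without provenance attestations. The packument is
// CONSTRUCTED to mirror the situation described in the write-up.
const SAMPLE_PACKUMENT = {
  name: 'axios',
  versions: {
    '1.14.0': {
      dist: {
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/axios@1.14.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    // Published directly from a hijacked account: no attestation object at all.
    '1.14.1': { dist: {} },
  },
};

// True only when the version has an attestation bundle and a provenance predicate.
function hasProvenance(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  return Boolean(att && att.url && att.provenance && att.provenance.predicateType);
}

// List every version in the packument that lacks provenance.
function versionsWithoutProvenance(packument) {
  return Object.entries(packument.versions)
    .filter(([, meta]) => !hasProvenance(meta))
    .map(([version]) => version);
}

// Example policy (this page's suggestion): accept a release only if it has
// provenance and the predicate is a SLSA provenance predicate.
function isTrustedRelease(packument, version) {
  const meta = packument.versions[version];
  if (!hasProvenance(meta)) return false;
  return meta.dist.attestations.provenance.predicateType
    .startsWith('https://slsa.dev/provenance/');
}

console.log('missing provenance:', versionsWithoutProvenance(SAMPLE_PACKUMENT));
console.log('1.14.0 trusted:', isTrustedRelease(SAMPLE_PACKUMENT, '1.14.0'));
console.log('1.14.1 trusted:', isTrustedRelease(SAMPLE_PACKUMENT, '1.14.1'));
```

A live packument comes from npm view axios --json (or npm view axios@1.14.1 dist.attestations). Presence of the attestation object is only a fast screen; cryptographic verification of the registry signature and the attestation is what npm audit signatures performs, and that is the check to put in CI.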
Scale & Blast Radius
Axios is present in roughly 80% of cloud and code environments, so even a window of a few hours produced wide exposure. The attacker demonstrated meaningful operational sophistication: pre-staging the malicious dependency, using a "clean" version history, double-obfuscating the dropper, building platform-specific RATs, and implementing anti-forensic self-deletion.
IOCs & Detection
Key indicators of compromise:
- `plain-crypto-js@4.2.1` present in lock files or `node_modules/`
- `axios@1.14.1` or `axios@0.30.4` in `node_modules/` or lock files
- Outbound C2 connections to `sfrclak.com:8000`
- `npm install` activity between 00:21 and 03:29 UTC on March 31
Advisory identifiers: GHSA-fw8c-xr5c-95f9 (GitHub Advisory Database) and MAL-2026-2306 (OpenSSF malicious-packages repository). Neither is a CVE number; no CVE had been assigned at the time of writing.
Remediation Guidance
- Audit axios usage — identify whether affected versions were downloaded or executed
- Immediately remove the malicious packages from endpoints and build systems; if there is evidence the postinstall script actually ran, rebuild the host from a known-good image rather than cleaning it, since the RAT may have established persistence
- Rotate exposed credentials if there’s any indication the malicious packages executed
- Review build pipelines and developer machines for signs of unauthorized access or persistence
- Update to a clean version, `axios@1.14.0` or any version without the malicious dependency
Attribution
As of March 31, 2026, no public attribution has been made. The actor used anonymous ProtonMail addresses for both the hijacked maintainer account and the decoy package registration, and executed a deliberate 18-hour pre-staging phase — indicating advance planning, not opportunism.