Axios npm Supply Chain Compromise Delivers Cross-Platform RAT

Du'aine Davis

Observed in the wild

• In late March, malicious versions of the popular JavaScript HTTP library Axios, axios@1.14.1 and axios@0.30.4, were published to npm outside the project’s normal release workflow. Any organisation or developer automatically pulling these versions via version ranges was potentially exposed, affecting frontend, backend and enterprise JavaScript environments using Axios globally.
• Attackers abused a compromised npm publishing process to add a malicious dependency, plain-crypto-js@4.2.1, which executed via a postinstall script. The payload deployed an obfuscated, multi-stage, cross-platform RAT using Node.js, PowerShell, AppleScript or Python, with C2 over HTTP. The activity indicates a targeted software supply chain attack rather than developer error.
• Organisations are advised to identify and remove affected Axios and dependency versions immediately, review lockfiles and rebuild from known-good sources. With Microsoft Defender, monitor for unusual postinstall execution, renamed PowerShell binaries, suspicious script launches, and outbound HTTP beacons to unknown infrastructure. Strengthen dependency controls, token hygiene and publishing permissions to reduce supply chain risk.

Supply Chain Attack on Axios Pulls Malicious Dependency from...axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity