Axios NPM Packages Compromised in Active Supply Chain Attack

A severe and sophisticated supply chain attack has struck the widely used Axios HTTP client on the npm registry, exposing millions of developers worldwide to a cross-platform remote access trojan (RAT) capable of executing arbitrary commands and harvesting sensitive system data.

Maintainer Account Hijacked

The attack originated from a compromised maintainer account. According to StepSecurity, threat actors seized control of the jasonsaayman npm account, which belongs to Axios's lead maintainer, changed its registered email to an anonymous ProtonMail address, and manually published two malicious versions: axios@1.14.1 and axios@0.30.4.

Neither release has a corresponding GitHub commit or tag, confirming the attackers bypassed the project’s normal GitHub Actions CI/CD pipeline entirely.

The situation worsened when the maintainers discovered that the attacker's account permissions exceeded their own, which prevented them from revoking the attacker's access immediately.

The Phantom Dependency

Both poisoned versions injected a fake dependency, plain-crypto-js@4.2.1, a package that did not exist before the attack.

The attackers pre-staged this malicious dependency approximately 18 hours before the Axios compromise and declared it in the poisoned package.json with a caret range, so any fresh npm install of the malicious Axios versions would automatically resolve and pull it.

The package is never actually used in the Axios source code; its sole purpose is to trigger a postinstall lifecycle hook that drops the RAT.

The postinstall hook executes a dropper script named setup.js, protected by a two-layer obfuscation scheme combining Base64 string reversal and a hardcoded XOR cipher to evade static analysis and signature-based detection.

Once decoded, the script identifies the host operating system and contacts the attacker's command-and-control (C2) server at sfrclak[.]com (IP: 142.11.206.73) to retrieve a platform-specific second-stage payload.
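As an added illustration, not code from the original article and not the actual setup.js dropper, the Node.js script below shows how a two-layer wrapper of the kind described above (Base64 plus string reversal on the outside, a hardcoded XOR on the inside) is applied and stripped, and why such wrappers are cheap to flag statically even though the payload they hide is not. The key, the order of the layers, the sample string and the helper names are assumptions made for this example; an analyst triaging a real dropper has to recover the key and the layer order from the script itself.

```javascript
// Added example: two-layer string obfuscation of the kind described above
// (Base64 + string reversal + hardcoded XOR). Key, layer order and sample
// text are assumptions for this illustration, not values from the real dropper.

const ASSUMED_KEY = 'npm-example-key'; // hypothetical hardcoded key

// XOR every byte of buf with the repeating key (symmetric: the same call decodes).
function xorBytes(buf, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// Wrap: XOR -> Base64 -> reverse the Base64 text. Reversal is the outer layer,
// so the blob no longer looks like Base64 to naive scanners.
function obfuscate(plain, key = ASSUMED_KEY) {
  const b64 = xorBytes(Buffer.from(plain, 'utf8'), key).toString('base64');
  return b64.split('').reverse().join('');
}

// Unwrap in the opposite order: reverse -> Base64 decode -> XOR.
function deobfuscate(blob, key = ASSUMED_KEY) {
  const b64 = blob.split('').reverse().join('');
  return xorBytes(Buffer.from(b64, 'base64'), key).toString('utf8');
}

// Static triage heuristic: the idioms a dropper needs in order to undo such a
// wrapper are themselves easy to match. Returns the names of the idioms found.
const IDIOMS = {
  reverseJoin: /\.reverse\(\)\s*\.join\(/,
  base64Decode: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/,
  xorLoop: /charCodeAt\([^)]*\)\s*\^|\]\s*\^\s*\w+\[/,
  childProcess: /require\(['"]child_process['"]\)/,
};
function suspiciousPatterns(source) {
  return Object.keys(IDIOMS).filter((name) => IDIOMS[name].test(source));
}

// Constructed sample: a stand-in for a C2 string hidden inside a dropper.
const SAMPLE = 'POST https://c2.example.invalid/report';
const BLOB = obfuscate(SAMPLE);
console.log('blob   :', BLOB);
console.log('decoded:', deobfuscate(BLOB));
// Running the heuristic over our own decoder shows the idioms it would flag.
console.log('idioms :', suspiciousPatterns(deobfuscate.toString() + xorBytes.toString()));

if (typeof module !== 'undefined') {
  module.exports = { obfuscate, deobfuscate, suspiciousPatterns, ASSUMED_KEY };
}
```

The heuristic is deliberately coarse: legitimate build tooling also reverses strings and decodes Base64, so a match is a reason to read the file, not a verdict. What matters for detection is that the decode routine must be present in clear text for the dropper to run at all.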

Cross-Platform Payloads

The malware delivers tailored RATs for each operating system:

  • macOS — A C++ Mach-O RAT disguised as a legitimate Apple background daemon, saved to /Library/Caches/com.apple.act.mond, capable of system fingerprinting and executing signed malicious binaries
  • Windows — A PowerShell process disguised as Windows Terminal (wt.exe) runs a hidden VBScript that downloads the final payload while bypassing the execution policy
  • Linux — A detached Python script (/tmp/ld.py) runs silently in the background

All variants communicate with the C2 server using HTTP POST requests formatted to mimic normal npm registry traffic.

Evidence Destruction

After successful execution, the malware deletes the setup.js dropper and the malicious package.json, then renames a pre-staged clean markdown file to replace the removed configuration, making the infected directory appear to be a harmless cryptography library with no remaining malicious artifacts.

Socket detected the attack within six minutes of publication, but the poisoned versions had already been distributed.

Indicators of Compromise

  Type                Value
  Malicious packages  axios@1.14.1, axios@0.30.4, plain-crypto-js@4.2.1
  C2 server           sfrclak[.]com
  C2 IP               142.11.206.73
  macOS artifact      /Library/Caches/com.apple.act.mond
  Windows artifact    %ProgramData%\wt.exe
  Linux artifact      /tmp/ld.py

Remediation Steps

Developers are strongly advised to take the following actions immediately:

  • Downgrade to axios@1.14.0 (1.x users) or axios@0.30.3 (0.x users)
  • Rotate all credentials, API keys, and secrets on any exposed machine
  • Audit network logs for outbound connections to sfrclak[.]com or 142.11.206.73
  • Run npm install or npm ci with --ignore-scripts (or set ignore-scripts=true in .npmrc) in CI/CD environments to block malicious postinstall hooks; note that this also disables legitimate lifecycle scripts, so packages that need them (native builds, for example) must be handled explicitly
  • Pin exact dependency versions and scan lockfiles for compromised packages
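The lockfile check in the last step, as an added example that is not part of the original article and not a tool from the Axios project: the Node.js script below walks a package-lock.json in both the v1 layout (nested "dependencies") and the v2/v3 layout ("packages" keyed by install path), reports any package matching the indicators listed above, and separately lists every package whose lockfile entry says it runs an install script. The indicator list is taken from this article; the sample lockfile, the project name in it and the script file name in the usage note are constructed for the demo.

```javascript
// Added example: scan a package-lock.json for the packages named in this
// advisory. The IOC list comes from the article; the sample lockfile below is
// constructed for the demo and is not a real project's lockfile.

// package name -> set of versions known to be malicious
const COMPROMISED = {
  'axios': new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
// Packages that should not be present in any version (pre-staged phantom dependency).
const PHANTOM = new Set(['plain-crypto-js']);

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Lockfile v1 stores a nested tree; walk it recursively.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps)) {
    const where = `${prefix}/${name}`;
    yield { name, version: entry.version, where };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${where}/node_modules`);
  }
}

// Yield {name, version, where} for every installed package. Lockfile v2 carries
// both sections, so prefer "packages" and only fall back to "dependencies".
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === '' || !entry.version) continue; // "" is the root project itself
      yield { name: nameFromPath(p), version: entry.version, where: p };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, 'node_modules');
  }
}

// One finding per hit: {name, version, where, reason}
function findCompromised(lock) {
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const bad = COMPROMISED[pkg.name];
    if (bad && bad.has(pkg.version)) {
      findings.push({ ...pkg, reason: 'known malicious version' });
    } else if (PHANTOM.has(pkg.name)) {
      findings.push({ ...pkg, reason: 'phantom dependency should not be present' });
    }
  }
  return findings;
}

// Packages that npm would run lifecycle scripts for (v2/v3 lockfiles record this
// as hasInstallScript). Worth reviewing before dropping --ignore-scripts.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => p !== '' && e.hasInstallScript)
    .map(([p, e]) => `${nameFromPath(p)}@${e.version}`);
}

// Constructed v3 lockfile: a poisoned axios that pulls in the phantom package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': { version: '1.14.1', dependencies: { 'plain-crypto-js': '^4.2.1' } },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// Use a real lockfile if a path is given, otherwise the constructed sample.
const lockToScan = process.argv[2]
  ? JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
const scanHits = findCompromised(lockToScan);
for (const h of scanHits) console.log(`${h.where}: ${h.name}@${h.version} (${h.reason})`);
console.log('install scripts:', packagesWithInstallScripts(lockToScan).join(', ') || 'none');
console.log(scanHits.length ? 'FAIL: compromised packages present' : 'OK: no indicators matched');
```

Run it against a real lockfile as `node scan-lock.js package-lock.json` (file name assumed) and make the job fail on any hit. A package appearing in the install-script list is not evidence of compromise; it is the set of packages that would execute code during npm install and therefore the set to review before lifecycle scripts are re-enabled.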

This marks the third major npm supply chain attack in six months, underscoring the growing risk of publisher account compromise as a primary attack vector against the open-source ecosystem.


The post Axios NPM Packages Compromised in Active Supply Chain Attack appeared first on Cyber Security News.

