RSS
← All articles
threat
2026-03-31

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

axiosnpmsupply-chainjavascriptrat
Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.
Related Articles
threatGemStuffer campaign turned RubyGems into a clandestine data drop - 150+ malicious gems hid scraped UK council portal pages inside Ruby packages
vulnerabilityOne unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)
breachTelehealth aggregator OpenLoop Health confirms 716,000 patient records stolen in a 24-hour intrusion in January - downstream consumer brands still unnamed