PROBABLYPWNED
Malware · March 31, 2026 · 4 min read

Axios npm Hijack Drops Cross-Platform RAT on 100M+ Installs

Attackers compromised the Axios npm package to deploy a cross-platform RAT targeting Windows, macOS, and Linux. Here's what happened and what you need to do.

James Rivera

Hackers compromised the official Axios npm package early Monday morning, injecting malicious code that deployed a cross-platform remote access trojan to any developer who ran npm install during a roughly three-hour window. With over 100 million weekly downloads, Axios ranks among the most widely used HTTP clients in the JavaScript ecosystem—and security researchers say the attack bears hallmarks of North Korean state-sponsored operations.

What Happened

The threat actor gained access to the npm account belonging to Axios maintainer Jason Saayman, changed the associated email to a Proton Mail address under their control, and published two poisoned versions: [email protected] at 00:21 UTC and [email protected] at 01:00 UTC on March 31.

According to StepSecurity's technical analysis, the attack wasn't opportunistic. A malicious dependency called plain-crypto-js was staged 18 hours before the Axios hijack. Version 4.2.0 appeared clean, establishing account history; version 4.2.1—containing the actual payload—dropped less than 30 minutes before the Axios compromise went live.

This marks the latest in a concerning wave of supply chain attacks targeting package registries. Unlike typical typosquatting campaigns, this attack hit the legitimate package directly.

How the Malware Works

The injected plain-crypto-js dependency uses a postinstall hook that executes within seconds of installation. The dropper detects the host operating system and reaches out to a command-and-control server at sfrclak[.]com:8000 to fetch platform-specific payloads.

Windows targets receive:

  • A VBScript dropper creating a hidden Command Prompt
  • PowerShell copied to %PROGRAMDATA%\wt.exe disguised as Windows Terminal
  • Second-stage binary execution

macOS targets receive:

  • AppleScript downloading a binary to /Library/Caches/com.apple.act.mond
  • Execution via osascript to blend with system processes

Linux targets receive:

  • Python-based payload saved to /tmp/ld.py
  • Background execution via nohup for persistence

All variants share core RAT capabilities: command execution, directory enumeration, binary retrieval, and credential theft. The persistence mechanism on Windows survives package uninstallation—removing Axios doesn't remove the copied PowerShell binary.

The obfuscation scheme uses two encoding layers: XOR encryption with the key "OrDeR_7077" combined with reversed base64. After deployment, the dropper deletes itself and replaces package.json with a clean stub reporting version 4.2.0 to hide forensic evidence.
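The decoder below is an added example for analysts, not code from the dropper or from the StepSecurity analysis. It assumes the layers are applied as plaintext XOR key, then base64, then string reversal; the article names the key and both layers but not their order, so try swapping the layers if a real sample does not decode to readable text.

```python
"""Decode strings obfuscated with the XOR + reversed-base64 scheme described
above. Added example, not the dropper's own code. Assumed layer order:
plaintext XOR key -> base64 -> reversed string."""
import base64

XOR_KEY = b"OrDeR_7077"  # key quoted in the analysis


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Symmetric, so one function removes the layer it applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def deobfuscate(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Undo the assumed layers: un-reverse the string, base64-decode, XOR."""
    b64 = blob[::-1]
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped base64 padding
    return xor_with_key(base64.b64decode(b64), key)


def looks_like_text(data: bytes) -> bool:
    """Sanity check for triage: a wrong key or layer order usually yields junk bytes."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


# Constructed sample: the harmless string "whoami" pushed through the assumed
# layers by hand for this example (not a real captured blob).
SAMPLE_BLOB = "28DBroBO"

if __name__ == "__main__":
    out = deobfuscate(SAMPLE_BLOB)
    print(out, looks_like_text(out))
```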

North Korean Attribution

Security researchers quickly identified operational similarities to previous campaigns attributed to North Korean threat groups. Google Threat Intelligence Group's John Hultquist attributed the attack to UNC1069, a cluster known to target "centralized exchanges, software developers at financial institutions, high-technology companies, and individuals at venture capital funds."

The macOS payload naming convention macWebT matches patterns previously associated with BlueNoroff, a subgroup of the Lazarus APT. North Korean actors have previously targeted npm and PyPI registries to compromise cryptocurrency developers and financial institutions.

Mandiant CTO Charles Carmakal warned that stolen credentials from this attack will enable follow-on compromises: "The attack is broad and extends to other popular packages that have dependencies on it. Hundreds of thousands of stolen credentials will lead to additional compromises."

Who's Affected

Any developer or CI/CD pipeline that ran npm install and pulled [email protected] or [email protected] during the exposure window (approximately 00:21 to 03:15 UTC on March 31) should treat their systems as compromised. The blast radius extends beyond direct Axios users to any project with transitive dependencies pulling the affected versions.

npm removed both malicious versions by 03:15 UTC and placed a security hold on plain-crypto-js by 03:25 UTC.

Immediate Actions Required

Check your lockfiles for evidence of the compromised versions:

  • [email protected]
  • [email protected]
  • [email protected]

If you installed either affected version:

  1. Treat the system as fully compromised
  2. Rotate all credentials, API keys, and tokens immediately
  3. Check for persistence artifacts:
    • Windows: %PROGRAMDATA%\wt.exe
    • macOS: /Library/Caches/com.apple.act.mond
    • Linux: /tmp/ld.py
  4. Review CI/CD secrets and environment variables
  5. Downgrade to [email protected] or [email protected]
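The lockfile triage helper below is an added example, not code from the article or the Axios project. It flags plain-crypto-js at any version, axios at caller-supplied versions (the placeholders must be replaced with the two pulled versions from the advisory), and packages whose on-disk package.json version disagrees with the lockfile, which is what the dropper's clean 4.2.0 stub produces.

```python
"""Triage helpers for the Axios incident described above (added example, not
from the article or the Axios project). Works with lockfileVersion 1, 2 and 3."""

BAD_AXIOS_VERSIONS = {"<AXIOS_BAD_VERSION_1>", "<AXIOS_BAD_VERSION_2>"}  # placeholders
BAD_AT_ANY_VERSION = {"plain-crypto-js"}  # malicious dependency, no clean version to keep


def installed_packages(lock: dict) -> list:
    """Return [(name, version), ...] for every package the lockfile records."""
    found = []
    for path, info in lock.get("packages", {}).items():  # lockfile v2/v3
        if path:  # "" is the root project itself
            # "node_modules/a/node_modules/@s/b" -> "@s/b"
            found.append((path.rsplit("node_modules/", 1)[-1], info.get("version", "")))
    if not found:  # lockfile v1 nests "dependencies" recursively
        stack = [lock.get("dependencies", {})]
        while stack:
            for name, info in stack.pop().items():
                found.append((name, info.get("version", "")))
                stack.append(info.get("dependencies", {}))
    return found


def find_hits(lock: dict, bad_axios=BAD_AXIOS_VERSIONS) -> list:
    """name@version entries in the lockfile that match the advisory."""
    hits = set()
    for name, version in installed_packages(lock):
        if name in BAD_AT_ANY_VERSION or (name == "axios" and version in bad_axios):
            hits.add(f"{name}@{version}")
    return sorted(hits)


def stub_mismatches(lock: dict, on_disk: dict) -> list:
    """Packages whose node_modules/<name>/package.json version (on_disk, name ->
    version) differs from the lockfile; the dropper rewrites package.json to lie."""
    return sorted(f"{n}: lock={v} disk={on_disk[n]}"
                  for n, v in installed_packages(lock)
                  if n in on_disk and on_disk[n] != v)


# Constructed sample: v3 lockfile with a transitive plain-crypto-js pull
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo"}, "node_modules/axios": {"version": "<AXIOS_BAD_VERSION_1>"},
    "node_modules/axios/node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/lodash": {"version": "4.17.21"}}}
# Constructed on-disk view: the stub package.json claims the clean 4.2.0
SAMPLE_DISK = {"plain-crypto-js": "4.2.0", "lodash": "4.17.21"}
```

Run it against a real lockfile with `json.load` and build the on-disk map by reading each flagged package's package.json under node_modules.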

Indicators of Compromise

Type                  Indicator
C2 Domain             sfrclak[.]com
C2 IP                 142.11.206.73:8000
Malicious Package     [email protected]
Malicious Package     [email protected]
Malicious Dependency  [email protected]
Attacker Email        [email protected]

Why This Matters

Supply chain attacks against package registries represent one of the most efficient vectors for mass compromise. A single maintainer credential can grant access to millions of downstream installations. This incident—potentially the most sophisticated npm supply chain attack to date—demonstrates that even brief exposure windows can inflict significant damage when targeting foundational dependencies.

Organizations relying on JavaScript ecosystems should implement lockfile verification, dependency pinning, and real-time monitoring for unexpected package updates. Tools from Snyk, Socket, and Endor Labs detected the compromise within hours—but by then, the damage was done.

The coordinated response from npm and the security community contained this incident quickly. The next one might not be caught so fast.
