axios Compromised on npm - Malicious Versions Drop Remote Access Trojan
StepSecurity is hosting a community town hall on this incident on April 1st at 10:00 AM PT - Register Here.
On March 31, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: [email protected] and [email protected]. Both versions were published using the compromised npm credentials of a lead axios maintainer, bypassing the project's normal GitHub Actions CI/CD pipeline. The attacker changed the maintainer's account email to an anonymous ProtonMail address and manually published the poisoned packages via the npm CLI.
The malicious versions inject a new dependency, [email protected], which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross-platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command-and-control server and delivers platform-specific second-stage payloads. After execution, the malware deletes itself and replaces its …
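A defender-side check for the pattern described above (a dependency that declares an install-time lifecycle script but is never imported by the package that depends on it), as an added example that is neither StepSecurity's nor the axios project's code; the package names, manifests and source snippet are constructed samples.

```javascript
// Added example: flag declared dependencies that run preinstall/install/postinstall
// hooks yet are never required or imported anywhere in the dependent's sources.
// All manifests and source files below are constructed sample data.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Collect bare package names from require("x"), import ... from "x" and import("x").
// Relative/absolute paths are skipped; "@scope/pkg/sub" is reduced to "@scope/pkg".
function referencedPackages(source) {
  const found = new Set();
  const re = /(?:require\s*\(|from\s+|import\s*\()\s*['"]([^'"]+)['"]/g;
  for (const m of source.matchAll(re)) {
    const spec = m[1];
    if (spec.startsWith(".") || spec.startsWith("/")) continue;
    const parts = spec.split("/");
    found.add(spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0]);
  }
  return found;
}

// pkg: the dependent's package.json object; sources: { path: code } for its files;
// manifests: { depName: package.json object } for each declared dependency.
// Returns [{ name, hooks }] for dependencies with hooks that no source file uses.
function findSuspiciousDeps(pkg, sources, manifests) {
  const used = new Set();
  for (const code of Object.values(sources)) {
    for (const name of referencedPackages(code)) used.add(name);
  }
  const suspicious = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    const scripts = (manifests[name] && manifests[name].scripts) || {};
    const hooks = LIFECYCLE.filter((h) => h in scripts);
    if (hooks.length > 0 && !used.has(name)) suspicious.push({ name, hooks });
  }
  return suspicious;
}

// Constructed sample: one legitimate, imported dependency and one injected
// dependency that is never imported but runs code at install time.
const samplePkg = {
  name: "example-http-client",
  dependencies: { "form-data-lib": "^1.0.0", "injected-helper": "^0.0.1" },
};
const sampleSources = {
  "lib/index.js": 'const FormData = require("form-data-lib");\nmodule.exports = { FormData };',
};
const sampleManifests = {
  "form-data-lib": { name: "form-data-lib", scripts: { test: "node test.js" } },
  "injected-helper": { name: "injected-helper", scripts: { postinstall: "node setup.js" } },
};
```

On a real project the manifests come from each `node_modules/<name>/package.json`; running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops such hooks from executing at install time regardless of the result.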