Axios Hijacked: npm Account Takeover Deploys Cross-Platform RAT to Millions
On March 31, 2026, two malicious versions of Axios - the JavaScript HTTP client with over 83 million weekly downloads - were published to npm after an attacker hijacked the lead maintainer's account. Versions 1.14.1 and 0.30.4 injected a phantom dependency that silently installs a cross-platform remote access trojan on macOS, Windows, and Linux. The malicious versions were live for roughly three hours before npm removed them.
If your lockfile contains either affected version, assume your development machine or CI runner has been compromised.
TL;DR
- A compromised npm access token was used to publish malicious Axios versions 1.14.1 and 0.30.4, bypassing all CI/CD and OIDC provenance controls
- Both versions introduce a hidden dependency (plain-crypto-js) that deploys a persistent, cross-platform remote access trojan targeting macOS, Windows, and Linux
- The payload erases all forensic traces within seconds of execution, rendering post-install inspection ineffective
- Affected organizations should …
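A lockfile check for the versions named above, as an added example that is not part of the original article or of any npm or Axios tooling. It assumes the standard package-lock.json layouts (the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of version 1); `SAMPLE_LOCK` is constructed data and the function names are hypothetical.

```javascript
// Added example: flag the package versions this advisory names in a parsed lockfile.
const BAD_VERSIONS = new Map([["axios", new Set(["1.14.1", "0.30.4"])]]); // from the advisory
const BAD_NAMES = new Set(["plain-crypto-js"]); // phantom dependency: any version is a hit

function check(name, version, where, hits) {
  const bad = BAD_VERSIONS.get(name);
  if (BAD_NAMES.has(name) || (bad && bad.has(version))) hits.push({ name, version, where });
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    check(name, meta.version, trail.concat(name).join(" > "), hits);
    walkV1(meta.dependencies, trail.concat(name), hits);
  }
}

// Accepts the object from JSON.parse() of package-lock.json; returns the hits.
function findAffected(lock) {
  const hits = [];
  if (!lock.packages) { walkV1(lock.dependencies, [], hits); return hits; }
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    // An aliased install records its real package name in meta.name.
    const name = meta.name || (i < 0 ? path : path.slice(i + "node_modules/".length));
    check(name, meta.version, path, hits);
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "0.0.0-constructed" },
    "node_modules/legacy/node_modules/axios": { version: "0.30.3" }, // not affected
    "node_modules/http-lib": { name: "axios", version: "0.30.4" },   // aliased install
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

A hit means the machine or runner that installed from that lockfile should be treated as compromised, as the article states; no hits only clears that one lockfile.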
IoC
http://sfrclak.com
http://sfrclak.com:8000
142.11.206.73