Axios npm attack: rapid hunting with KQL and response guide

2026-04-03, NVISO
https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/
#Axios #NPM

Contents

On March 31, 2026, two malicious Axios versions (1.14.1 and 0.30.4) were briefly published to npm via a compromised maintainer account. The only change performed was the addition of a trojanized dependency, whose postinstall script deployed a cross‑platform RAT (for macOS, Windows, and Linux). Although the Axios packages were removed within hours, multiple hits were observed in our MDR service, mainly across developer workstations and Docker containers. In this blog post, we briefly walk through the details of the incident, share our observations, and provide KQL hunting queries used to identify and assess exposure across our MDR customers.

Brief Incident Summary

An adversary obtained access to the lead maintainer’s npm account and managed to publish two Axios versions (1.14.1 and 0.30.4). Both of these versions injected a malicious dependency under the name [email protected] with a postinstall dropper (setup.js) [1].
The dropper fetched OS-specific payloads from the C2 depending on the platform it was …

IoC
