lazarusholic

Everyday is lazarus.dayβ

Axios npm compromise: XOR dropper to cross-platform RAT

2026-03-31, Derp
https://www.derp.ca/research/axios-npm-supply-chain-rat/
#Axios #NPM

On March 31, 2026, someone published axios 1.14.1 to npm. The package had 101 million weekly downloads. The only change from 1.14.0 was a single new dependency: [email protected]. That package did not exist 24 hours earlier. It carried a postinstall hook that ran a 4 KB obfuscated JavaScript dropper, which detected the host OS, pulled a platform-specific RAT from a plain HTTP C2 server, executed it outside the node process tree, and then erased every trace of itself. The whole chain fired in under two seconds, before npm install finished resolving the rest of the dependency tree.
The attack lasted 169 minutes. Socket flagged the malicious dependency six minutes after it was published. npm pulled both compromised axios versions (1.14.1 and 0.30.4) within three hours. By then, the dropper had been downloaded by an unknown number of CI/CD pipelines and developer machines.
We recovered the dropper from Triage, the macOS …

IoC
