Axios npm Supply Chain Attack - Cross-Platform RAT Deployed via Compromised Maintainer Account
Contents
[CRITICAL] | Active RAT | Malicious npm versions removed | Assess all systems that ran npm install during exposure window
Attackers compromised the npm account of the primary axios maintainer and published two malicious versions that silently install a cross-platform remote access trojan. Axios itself is not vulnerable; the attack used account takeover to inject a poisoned dependency. Malicious versions have been removed from the registry, but any environment that ran npm install during the exposure window may have an active RAT or compromised credentials.
On 2026-03-31, an unknown threat actor compromised the npm account of jasonsaayman, the primary maintainer of axios. The attacker changed the account email to ifstap@proton[.]me and manually published two malicious versions - [email protected] at 00:21 UTC and [email protected] at 01:00 UTC - via the npm CLI, bypassing the project's GitHub Actions CI/CD pipeline entirely.
Both malicious axios versions were removed from the npm registry within hours of disclosure, …
Attackers compromised the npm account of the primary axios maintainer and published two malicious versions that silently install a cross-platform remote access trojan. Axios itself is not vulnerable; the attack used account takeover to inject a poisoned dependency. Malicious versions have been removed from the registry, but any environment that ran npm install during the exposure window may have an active RAT or compromised credentials.
On 2026-03-31, an unknown threat actor compromised the npm account of jasonsaayman, the primary maintainer of axios. The attacker changed the account email to ifstap@proton[.]me and manually published two malicious versions - [email protected] at 00:21 UTC and [email protected] at 01:00 UTC - via the npm CLI, bypassing the project's GitHub Actions CI/CD pipeline entirely.
Both malicious axios versions were removed from the npm registry within hours of disclosure, …
IoC
http://sfrclak.com:8000
http://142.11.206.73
https://www.linkedin.com/newsletters/7371216616015036416/?displayConfirmation=true
https://github.com/bitdefender/malware-ioc/blob/master/2026_03_31-axios-iocs.csv
http://proton.me
142.11.206.73
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
http://142.11.206.73
https://www.linkedin.com/newsletters/7371216616015036416/?displayConfirmation=true
https://github.com/bitdefender/malware-ioc/blob/master/2026_03_31-axios-iocs.csv
http://proton.me
142.11.206.73
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]