Supply Chain Malware Alert: plain-crypto-js Compromises Axios Packages
Vulnerability Assessment and Penetration Testing (VAPT)
Summary
On March 31, 2026, the npm package plain-crypto-js was identified as a malicious dependency embedded in compromised versions of Axios (0.x and 1.x). The package leverages npm’s postinstall lifecycle hook to execute stealthy cross-platform malware.
The attack affected developers worldwide, allowing remote attackers to exfiltrate credentials, execute arbitrary scripts, and maintain persistent control over infected systems.
Key Takeaways:
- Cross-platform attack: Windows, macOS, Linux
- Remote Command & Control: http://sfrclak.com:8000/
- Credential theft: npm tokens, AWS keys, SSH keys, CI/CD secrets
- Exploits legitimate system binaries (LOLBIN techniques)
- Full stealth, multi-stage payload execution
What is plain-crypto-js?
- Type: npm package
- Legitimate Purpose: Cryptographic utilities (encryption, hashing)
- Malicious Role: A trojanized version was uploaded to npm, acting as a malware dropper via the postinstall hook. It executes automatically during installation and deploys OS-specific payloads to steal data and maintain persistence.
Infection Vector
The plain-crypto-js malware spreads through a software supply chain …
IoC