
A highly sophisticated supply chain attack has struck one of the most widely used JavaScript libraries in the world. Two malicious versions of the popular HTTP client axios, 1.14.1 and 0.30.4, were published to npm after a maintainer account was hijacked, introducing a stealthy remote access trojan (RAT) affecting macOS, Windows, and Linux systems.

With over 100 million weekly downloads, axios sits at the core of countless applications. This incident represents one of the most precise and operationally advanced attacks ever observed in the npm ecosystem.

Immediate warning

If you installed axios 1.14.1 or 0.30.4, assume your system is compromised.

How the attack worked

1. Maintainer account hijack

The attacker gained control of a primary axios maintainer’s npm account and used it to publish malicious versions directly to npm—bypassing the project’s secure GitHub Actions release pipeline.

These releases:

  • Appeared legitimate (same maintainer identity)
  • Had no corresponding GitHub commits or tags
  • Were published using a stolen long-lived npm token (not secure OIDC publishing)

2. Pre-staged malicious dependency

The attacker quietly published a package named:

plain-crypto-js@4.2.1

This package:

  • Mimicked a legitimate crypto library
  • Included no obvious malicious code in its main files
  • Contained a hidden postinstall script: "postinstall": "node setup.js"

This script executed automatically during installation—no import required.

3. Dependency injection into axios

The compromised axios versions added a single new dependency:

"plain-crypto-js": "^4.2.1"

That’s it.

No other files changed. No malicious code inside axios itself.

This is what made the attack so dangerous:

  • Static code inspection shows nothing suspicious
  • The payload executes during install, not runtime
  • The dependency is never actually used in the code

The payload: Cross-platform RAT dropper

Once triggered, the malicious dependency:

  1. Executes instantly during npm install
  2. Contacts a live command-and-control (C2) server
  3. Downloads a platform-specific second-stage payload
  4. Installs a remote access trojan
  5. Deletes itself and wipes evidence
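Because the malicious code never appears in axios itself and only fires through an install-time script, a lockfile audit is the practical check. The following Node script is an added example (not code from the post, from axios, or from the Hacking News article): it walks a package-lock.json structure and flags both the exact versions named above and any dependency whose package.json declares an install lifecycle script. The lockfile and manifests are constructed inline so it runs offline; "harmless-dep" is a made-up benign package.

```javascript
// Added example, not from the original post: audit an npm lockfile for
// (1) the compromised versions named in the post and
// (2) any dependency that runs a preinstall/install/postinstall script.

// Known-bad coordinates, taken from the post.
const KNOWN_BAD = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Constructed lockfile in npm lockfileVersion 3 shape (illustration only).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.1" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "^4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/harmless-dep": { version: "1.0.0" },
  },
};

// Constructed package.json contents keyed by lockfile path. A real audit
// would read node_modules/<name>/package.json for each entry instead.
const SAMPLE_MANIFESTS = {
  "node_modules/plain-crypto-js": { name: "plain-crypto-js", scripts: { postinstall: "node setup.js" } },
  "node_modules/harmless-dep": { name: "harmless-dep", scripts: { test: "node test.js" } },
};

// Returns an array of findings: { path, name, version, reason }.
function auditLockfile(lock, manifests) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // Package name is everything after the last "node_modules/" segment
    // (handles nested and scoped packages alike).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const version = entry.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ path, name, version, reason: "known compromised version" });
    }
    const scripts = (manifests[path] && manifests[path].scripts) || {};
    for (const hook of LIFECYCLE) {
      if (scripts[hook]) {
        findings.push({ path, name, version, reason: `runs ${hook}: ${scripts[hook]}` });
      }
    }
  }
  return findings;
}
```

While investigating, installing with `npm ci --ignore-scripts` prevents lifecycle scripts such as the one above from executing at all.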

Read the entire article on the Hacking News post: https://www.hackingnews.com/malware/axios-compromi...
