Axios has suffered a supply chain attack after two newly published versions of its npm package introduced a malicious dependency, plain-crypto-js version 4.2.1, disguised as a legitimate runtime dependency. According to StepSecurity, versions 1.14.1 and 0.30.4 were published using the compromised npm credentials of the primary Axios maintainer, “jasonsaayman,” which allowed the attackers to bypass the project’s GitHub Actions CI/CD pipeline entirely.
Ashish Kurmi, a security researcher, described the dropper as a cross-platform remote access trojan (RAT): it executes a postinstall script, contacts a live command and control (C2) server, and carries three platform-specific payloads for macOS, Windows and Linux. The malware beacons to the C2 server and fetches a platform-specific second-stage payload, then covers its tracks by deleting the postinstall hook and replacing package.json.
The attack timeline shows the malicious chain began on 30 March 2026, with the subsequent Axios versions published on 31 March 2026. Users are advised to downgrade to 1.14.0 or 0.30.3 and rotate credentials; the malicious packages have been removed from npm, and the attacker’s C2 domain is sfrclak[.]com. Axios is used widely, with more than 83 million weekly downloads.
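The quickest defensive check is to look for the affected versions in a project's lockfile, since `package.json` ranges such as `^1.14.0` would have pulled in the compromised release automatically. The following is an added example (not code from the article, StepSecurity or the Axios project) that scans both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1 for the package versions named in the report; the lockfile text is constructed for illustration and the indicator list is the only data taken from the report.

```javascript
// Added example (not from the article): scan an npm lockfile for the package
// versions named in the Axios supply-chain report. The indicators come from
// the report; the sample lockfiles below are constructed for illustration.

const INDICATORS = {
  axios: new Set(["1.14.1", "0.30.4"]),   // compromised Axios releases
  "plain-crypto-js": new Set(["4.2.1"]),  // malicious dependency they introduced
};

// Lockfile v2/v3 store a flat "packages" map keyed by install path,
// e.g. "node_modules/foo/node_modules/axios". The package name is
// everything after the last "node_modules/" (scoped names keep their "@scope/").
function scanPackagesMap(packages) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // "" is the root project entry
    const marker = "node_modules/";
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    const bad = INDICATORS[name];
    if (bad && bad.has(meta.version)) {
      hits.push({
        name,
        version: meta.version,
        path: installPath,
        // v2/v3 record whether the package declares install hooks (postinstall etc.)
        hasInstallScript: Boolean(meta.hasInstallScript),
      });
    }
  }
  return hits;
}

// Lockfile v1 nests transitive dependencies under each package's "dependencies".
// v1 does not record install-script presence, so that field is always false here.
function scanDependencyTree(deps, parentPath, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    const bad = INDICATORS[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path, hasInstallScript: false });
    }
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Entry point: pick the scanner that matches the lockfile format.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (lock.packages) return scanPackagesMap(lock.packages);
  return scanDependencyTree(lock.dependencies, "", []);
}

// Constructed lockfile v3 for a project that resolved "^1.14.0" to the bad release.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1", hasInstallScript: true },
  },
});

// Constructed lockfile v1 with the same resolution, nested one level deep.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    axios: {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": { version: "4.2.1" } },
    },
  },
});

// Constructed lockfile v3 pinned to the safe release.
const SAMPLE_LOCK_CLEAN = JSON.stringify({
  lockfileVersion: 3,
  packages: { "": {}, "node_modules/axios": { version: "1.14.0" } },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, text] of [["v3", SAMPLE_LOCK_V3], ["v1", SAMPLE_LOCK_V1], ["clean", SAMPLE_LOCK_CLEAN]]) {
    console.log(label, scanLockfile(text));
  }
}
```

To run it against a real project, read `package-lock.json` from disk and pass its contents to `scanLockfile`. Because the dropper runs from a postinstall hook, installing with `npm install --ignore-scripts` while auditing is a useful precaution, and `npm ls axios` confirms which version the tree actually resolved.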