Threat Brief: Widespread Impact of the Axios Supply Chain Attack reports that two compromised Axios npm releases, versions v1.14.1 and v0.30.4, injected a hidden dependency called plain-crypto-js@4.2.1 into package.json, creating a cross-platform remote access Trojan (RAT) that can affect Windows, macOS and Linux.
According to Unit 42, the postinstall hook runs a heavily obfuscated setup[.]js to drop payloads, with the dropper querying the victim OS and contacting a C2 server at sfrclak[.]com:8000 using platform-specific paths such as packages.npm[.]org/product0 for macOS. The RAT payloads differ by OS, including a macOS Mach-O binary, Windows PowerShell and VBScript stages, and Linux Python scripts, all coordinating via a shared C2 protocol and beaconing every 60 seconds.
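The brief names two concrete artifacts a defender can check for in a repository before anything is installed: the compromised Axios version pair and the injected plain-crypto-js@4.2.1 dependency, plus a postinstall hook that runs setup.js. The following is an added example, not code from Unit 42 or the Axios project, that audits a package.json and a package-lock.json (lockfile v2/v3 `packages` map, with a fallback to the v1 `dependencies` tree) for exactly those indicators. The sample inputs are constructed; the setup.js postinstall check is a heuristic assumed here and is not a detection rule from the brief.

```javascript
// Added example (not from the Unit 42 brief or the Axios project): audit
// package.json / package-lock.json for the compromised Axios releases and the
// injected plain-crypto-js dependency named in the brief. Plain JSON parsing
// only, so it runs offline on the constructed sample data below.

const COMPROMISED_AXIOS = new Set(["1.14.1", "0.30.4"]);
const INJECTED_DEP_NAME = "plain-crypto-js";

// Strip a leading range operator ("^1.14.1", "~1.14.1", "=1.14.1", "v1.14.1").
function bareVersion(spec) {
  return String(spec).replace(/^[\^~=v]+/, "");
}

// Audit a package.json document given as text. Returns an array of findings.
function auditPackageJson(pkgText) {
  const pkg = JSON.parse(pkgText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const version = bareVersion(spec);
      if (name === "axios" && COMPROMISED_AXIOS.has(version)) {
        findings.push(`${field}: axios@${version} is a compromised release`);
      }
      if (name === INJECTED_DEP_NAME) {
        findings.push(`${field}: unexpected dependency ${name}@${version} (injected by the compromised axios)`);
      }
    }
  }
  // Heuristic (assumption, not a rule from the brief): the brief describes a
  // postinstall hook that runs an obfuscated setup.js, so flag such hooks.
  const postinstall = (pkg.scripts || {}).postinstall;
  if (postinstall && /setup\.js/.test(postinstall)) {
    findings.push(`scripts.postinstall runs setup.js: "${postinstall}"`);
  }
  return findings;
}

// Audit a package-lock.json given as text. Returns an array of findings.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const check = (installPath, version) => {
    // "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix.
    const name = installPath.split("node_modules/").pop();
    if (name === "axios" && COMPROMISED_AXIOS.has(version)) {
      findings.push(`${installPath}: axios@${version} is a compromised release`);
    }
    if (name === INJECTED_DEP_NAME) {
      findings.push(`${installPath}: ${name}@${version} present in the install tree`);
    }
  };
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path; "" is the root project.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath !== "") check(installPath, meta.version);
    }
  } else if (lock.dependencies) {
    // lockfile v1: nested tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        check(installPath, meta.version);
        if (meta.dependencies) walk(meta.dependencies, installPath + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { axios: "^1.14.1", express: "^4.19.0" },
});
const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/express": { version: "4.19.2" },
  },
});

const allFindings = [...auditPackageJson(SAMPLE_PACKAGE_JSON), ...auditLockfile(SAMPLE_LOCKFILE)];
console.log(allFindings.length ? allFindings.join("\n") : "no findings");
```

Run it against a real checkout by replacing the two sample strings with the contents of the project's own files; the lockfile audit is the one that matters in CI, because a hidden dependency shows up in the resolved install tree even when the root package.json only pins axios.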
The campaign has been linked to prior WAVESHAPER activity, and indicators include artifacts such as /Library/Caches/com.apple.act[.]mond, /tmp/ld[.]py and the C2 domain sfrclak[.]com, as well as the IP 142.11.206[.]73. Published on 1 April 2026, the piece also advises immediate mitigation steps and notes that protecting CI/CD pipelines is critical, according to Unit 42.
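The network indicators above (the C2 domain, its IP, port 8000) and the 60-second beacon cadence described earlier lend themselves to a simple detection over egress or proxy logs. The following is an added example, not code from Unit 42, that parses constructed connection-log lines in an assumed format (`<ISO timestamp> <src ip> <dst host or ip>:<port>`), matches destinations against the indicators the brief lists, and separately flags any source/destination pair whose connection intervals cluster tightly around 60 seconds. The beacon detector is generic, so it would also surface a periodic channel to a destination not yet on the indicator list.

```javascript
// Added example (not from the Unit 42 brief): indicator matching plus
// 60-second beacon detection over constructed connection-log lines.

const C2_DOMAINS = new Set(["sfrclak.com"]);      // from the brief
const C2_IPS = new Set(["142.11.206.73"]);         // from the brief
const BEACON_SECONDS = 60;                         // cadence reported in the brief
const BEACON_TOLERANCE_SECONDS = 5;                // assumption for this example
const MIN_CONNECTIONS = 4;                         // assumption for this example

// Assumed log format: "<ISO timestamp> <src ip> <dst host or ip>:<port>".
function parseLine(line) {
  const m = line.trim().match(/^(\S+)\s+(\S+)\s+(\S+):(\d+)$/);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts: ts / 1000, src: m[2], dst: m[3].toLowerCase(), port: Number(m[4]) };
}

// True if the destination is a listed C2 IP, the C2 domain, or a subdomain of it.
function matchesIndicator(rec) {
  if (C2_IPS.has(rec.dst)) return true;
  for (const d of C2_DOMAINS) {
    if (rec.dst === d || rec.dst.endsWith("." + d)) return true;
  }
  return false;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns { indicatorHits, beacons }: indicator matches, and src->dst:port pairs
// whose inter-connection gaps sit within the tolerance of the beacon interval.
function analyse(lines) {
  const recs = lines.map(parseLine).filter(Boolean);
  const indicatorHits = recs.filter(matchesIndicator);

  const groups = new Map();
  for (const r of recs) {
    const key = `${r.src}->${r.dst}:${r.port}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.ts);
  }

  const beacons = [];
  for (const [key, stamps] of groups) {
    if (stamps.length < MIN_CONNECTIONS) continue;
    stamps.sort((a, b) => a - b);
    const gaps = stamps.slice(1).map((t, i) => t - stamps[i]);
    const med = median(gaps);
    const maxDeviation = Math.max(...gaps.map((g) => Math.abs(g - med)));
    if (Math.abs(med - BEACON_SECONDS) <= BEACON_TOLERANCE_SECONDS &&
        maxDeviation <= BEACON_TOLERANCE_SECONDS) {
      beacons.push({ key, connections: stamps.length, medianGapSeconds: med });
    }
  }
  return { indicatorHits, beacons };
}

// Constructed sample log lines (not real telemetry).
const SAMPLE_LOG_LINES = [
  "2026-04-01T10:00:00Z 10.0.0.5 sfrclak.com:8000",
  "2026-04-01T10:00:12Z 10.0.0.7 registry.npmjs.org:443",
  "2026-04-01T10:01:00Z 10.0.0.5 sfrclak.com:8000",
  "2026-04-01T10:02:01Z 10.0.0.5 sfrclak.com:8000",
  "2026-04-01T10:03:00Z 10.0.0.5 sfrclak.com:8000",
  "2026-04-01T10:03:30Z 10.0.0.9 142.11.206.73:8000",
  "2026-04-01T10:04:00Z 10.0.0.5 sfrclak.com:8000",
  "malformed line that the parser should skip",
];

const report = analyse(SAMPLE_LOG_LINES);
console.log(`${report.indicatorHits.length} indicator hits, ${report.beacons.length} beaconing pair(s)`);
for (const b of report.beacons) {
  console.log(`beacon candidate ${b.key}: ${b.connections} connections, median gap ${b.medianGapSeconds}s`);
}
```

In practice the beacon check earns its keep only over a long enough window; with four or five connections a scheduled job can look the same, so treat a hit as a lead to correlate with the host artifacts the brief lists rather than as a verdict on its own.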