Elastic Security Labs reports a supply chain compromise of the axios npm package, one of the JavaScript ecosystem’s most depended-upon libraries, which had about 100 million weekly downloads at the time of discovery. The attacker gained control of the maintainer account jasonsaayman and published two malicious versions, axios@1.14.1 and axios@0.30.4, so a fresh npm install could pull a backdoored package.
The dropper relies on a postinstall hook in plain-crypto-js to download platform-specific stage-2 implants for macOS, Windows, and Linux from sfrclak[.]com:8000; the three parallel payloads are implementations of the same cross-platform RAT and share an identical C2 protocol and beacon cadence. The initial discovery noted a shift from a trusted GitHub Actions OIDC publishing flow to direct CLI publishing, and the RAT uses a spoofed IE8/Windows XP user-agent on all three platforms.
Key timeline entries are 30 March 2026 for the plain-crypto-js decoy and 31 March 2026 for the disclosure; the affected packages are listed as axios@1.14.1, axios@0.30.4 and the plain-crypto-js variants, underscoring the widespread potential impact.
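As an added defender-side example (not code from the Elastic report), the following Node script audits an npm lockfile for the two malicious axios versions named above, flags any plain-crypto-js dependency, and lists every dependency that declares an install-time script, since a postinstall hook is the mechanism the dropper used. It assumes an npm lockfileVersion 2 or 3 layout (a `packages` map keyed by install path, with the `hasInstallScript` field npm records for such packages); flagging plain-crypto-js at every version is an assumption made here because the summary above does not name its specific versions. The sample lockfile is constructed for the demonstration.

```javascript
// Added example, not from the Elastic report. Audits a parsed package-lock.json
// (lockfileVersion 2/3) for the affected axios versions, for plain-crypto-js at
// any version (assumption: treat the decoy package as untrusted outright), and
// for any dependency that declares preinstall/install/postinstall scripts.

const AFFECTED_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
};
// Packages flagged regardless of version (assumption, see lead-in).
const FLAG_ANY_VERSION = new Set(['plain-crypto-js']);

// Derive the package name from a lockfile "packages" key such as
// "node_modules/axios" or "node_modules/foo/node_modules/@scope/bar".
// The root project entry has the key "" and yields null.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  if (idx === -1) return null;
  return path.slice(idx + marker.length);
}

// Walk every installed package recorded in the lockfile and collect findings.
function auditLockfile(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, entry] of Object.entries(packages)) {
    const name = packageNameFromPath(path);
    if (!name) continue;
    const version = entry.version;
    if (AFFECTED_VERSIONS[name] && AFFECTED_VERSIONS[name].has(version)) {
      findings.push({ path, name, version, reason: 'known-malicious-version' });
    }
    if (FLAG_ANY_VERSION.has(name)) {
      findings.push({ path, name, version, reason: 'untrusted-package' });
    }
    // npm sets hasInstallScript when a dependency declares an install-time script.
    if (entry.hasInstallScript === true) {
      findings.push({ path, name, version, reason: 'install-script' });
    }
  }
  return findings;
}

// For a single package.json object (e.g. while walking node_modules directly),
// return which install-time hooks it declares.
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return ['preinstall', 'install', 'postinstall'].filter(
    (k) => typeof scripts[k] === 'string'
  );
}

// Constructed sample lockfile fragment; the plain-crypto-js version is a placeholder.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
    },
    'node_modules/plain-crypto-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.9' },
  },
};

function runSample() {
  return auditLockfile(SAMPLE_LOCK);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) {
    console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The lockfile check only tells you what is pinned; pair it with `npm audit signatures`, which verifies registry signatures and provenance attestations, so that a package published outside the expected GitHub Actions OIDC flow stands out at install time rather than after the fact.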