Threat actors hijacked the npm account of an Axios maintainer to spread remote access trojans (RATs) across Linux, Windows, and macOS; security researchers identified the supply chain attack after rogue updates appeared on the registry. The malicious versions, 1.14.1 and 0.30.4, were published within an hour of each other, carried no OIDC provenance attestation, and had no matching commits in the GitHub repository, all of which raised immediate red flags. Axios itself sees over 100M weekly downloads and is a dependency of a large number of projects, so the poisoned releases reached a wide installed base.
The attackers allegedly compromised maintainer Jason Saayman's npm account and added a malicious package called plain-crypto-js as a dependency of both compromised Axios releases, so the RAT spread through a trusted library rather than a package anyone had chosen to install. The malicious package was obfuscated and used a post-install script, so it ran automatically during npm install; it fingerprinted the host OS and downloaded a second-stage payload tailored to macOS, Windows or Linux. The macOS variant was a fully functional RAT written in C++.
According to Aikido Security, anyone who installed the affected versions should assume their system is compromised. Researchers also noted that the infection can arrive transitively: a project that never lists Axios directly may still pull in a poisoned version through another package's dependencies, and two additional packages were found spreading the same malware.
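Because the poisoned versions can sit anywhere in the dependency tree, the practical first check is to walk the lockfile rather than only the top-level package.json. The script below is an added example, not code from the article, from Aikido, or from the Axios project: it scans an npm lockfile (v2/v3 format, the "packages" map keyed by node_modules path) for the two Axios versions and the plain-crypto-js package named above, at any nesting depth, and separately lists every entry npm has flagged with hasInstallScript, since a post-install hook is how the payload ran. The sample lockfile embedded in the block is constructed for the demonstration; the package "some-sdk" in it is hypothetical.

```javascript
// Added example (not from the article or the Axios project): scan an npm
// lockfile for the compromised axios releases and the malicious dependency the
// article names, wherever they sit in the tree, and list install-hook packages.
// Assumptions: lockfileVersion 2 or 3 ("packages" keyed by node_modules path);
// the bad versions and package name are taken from the article.
const COMPROMISED = {
  axios: new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": null, // null = every version: the package itself is the payload
};

// Derive the package name from a lockfile path such as
// "node_modules/some-sdk/node_modules/@scope/name" -> "@scope/name".
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Return one record per lockfile entry that matches COMPROMISED, including
// transitive copies nested under other packages' node_modules.
function findCompromised(lockfile) {
  const hits = [];
  for (const [p, entry] of Object.entries(lockfile.packages || {})) {
    if (p === "") continue; // the root project entry, not a dependency
    const name = entry.name || nameFromPath(p);
    const bad = COMPROMISED[name];
    if (bad === undefined) continue;
    if (bad === null || bad.has(entry.version)) {
      hits.push({
        path: p,
        name,
        version: entry.version,
        reason: bad === null ? "malicious package" : "compromised release",
      });
    }
  }
  return hits;
}

// Every entry npm recorded as having a preinstall/install/postinstall script.
// These run arbitrary code at install time, which is how the RAT launched.
function installScriptPackages(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([p, entry]) => p !== "" && entry.hasInstallScript === true)
    .map(([p]) => p);
}

// Constructed sample lockfile (not a real file). "some-sdk" is a hypothetical
// package that pins the poisoned axios, while the project itself holds a
// different axios version at the top level.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "some-sdk": "^2.0.0", axios: "1.13.0" } },
    "node_modules/axios": { version: "1.13.0" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { axios: "1.14.1" } },
    "node_modules/some-sdk/node_modules/axios": {
      version: "1.14.1", dependencies: { "plain-crypto-js": "*" } },
    "node_modules/some-sdk/node_modules/plain-crypto-js": {
      version: "1.0.0", hasInstallScript: true },
  },
};

// Run against a real lockfile: node scan-lock.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  console.log("compromised:", findCompromised(lock));
  console.log("install scripts:", installScriptPackages(lock));
} else {
  console.log("compromised:", findCompromised(SAMPLE_LOCK));
  console.log("install scripts:", installScriptPackages(SAMPLE_LOCK));
}
```

On the sample, the top-level axios 1.13.0 passes while the nested 1.14.1 copy under some-sdk and its plain-crypto-js dependency are both flagged, which is exactly the transitive case the researchers warned about. A lockfile scan only tells you what was installed, not whether the host is clean, so a hit still means treating the machine as compromised per Aikido's guidance; and for the provenance signal that exposed these releases, `npm audit signatures` reports packages whose registry signatures or attestations are missing or invalid.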