Axios, the widely used open-source JavaScript HTTP client library with over 100 million weekly downloads, has suffered a critical software supply chain attack. An unidentified threat actor hijacked the npm account of a lead maintainer (jasonsaayman) and, bypassing the project's standard GitHub Actions CI/CD pipeline, manually published two poisoned versions: axios@1.14.1 and axios@0.30.4. Each malicious release adds a new dependency, plain-crypto-js@4.2.1, whose heavily obfuscated postinstall script acts as a cross-platform remote access trojan (RAT) dropper. On macOS, Windows, and Linux the script runs automatically at install time, downloads a platform-specific stage-2 payload from the command-and-control server sfrclak.com, then overwrites its own package.json and removes traces of itself to hinder post-incident forensics. Because the payload runs from an npm lifecycle script, installing one of the poisoned versions is enough to be compromised; the application does not need to call axios at runtime.
The data and assets reported as at risk on exposed developer machines and CI/CD environments include:
- Maintainer npm account credentials
- Developer workstation credentials
- SSH private keys
- Cloud environment access tokens (AWS, GCP, Azure)
- CI/CD pipeline secrets
- .env file contents
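The install-time hook described above is what makes this attack dangerous: the dropper runs the moment `npm install` resolves the poisoned release. The following Node.js script is an added example, not code from the advisory or from the axios project. It scans an npm lockfile (lockfileVersion 2 or 3) for the compromised versions named in the report and for any package that declares an install-time lifecycle script, and lists the install hooks in a package.json so a reviewer can inspect the commands they run. The lockfile and manifest below are constructed for illustration, and the postinstall command in the sample manifest is hypothetical, not the real dropper's script.

```javascript
// Added example (not from the advisory or the axios project): flag
// compromised versions and install-time lifecycle scripts in an npm
// lockfile and package.json. Sample data below is constructed.

// Versions named in the report as malicious.
const BAD_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};

// Lifecycle scripts npm runs during `npm install` / `npm ci`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Lockfile keys look like "node_modules/axios" or
// "node_modules/a/node_modules/@scope/b"; the package name is the
// segment after the last "node_modules/".
function packageNameFromPath(pkgPath) {
  const parts = pkgPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Walk every resolved package in the lockfile and return findings of the
// form {name, version, reason}.
function scanLockfile(lock) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === '') continue; // the root project itself
    const name = packageNameFromPath(pkgPath);
    const version = entry.version;
    if (BAD_VERSIONS[name] && BAD_VERSIONS[name].has(version)) {
      findings.push({ name, version, reason: 'known-compromised version' });
    }
    // npm sets hasInstallScript when a package declares preinstall,
    // install or postinstall. Legitimate native modules set it too, so
    // treat this as "review", not "malicious".
    if (entry.hasInstallScript === true) {
      findings.push({ name, version, reason: 'declares an install-time script' });
    }
  }
  return findings;
}

// For a package.json already on disk, list which install hooks it declares
// and what they run, so obfuscated one-liners can be eyeballed.
function installHooksIn(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample lockfile: a project that pulled in the poisoned
// axios release, which in turn pulls plain-crypto-js.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { axios: '^1.14.0' } },
    'node_modules/axios': {
      version: '1.14.1',
      resolved: 'https://registry.npmjs.org/axios/-/axios-1.14.1.tgz',
      dependencies: { 'plain-crypto-js': '4.2.1' },
    },
    'node_modules/plain-crypto-js': { version: '4.2.1', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
  },
};

// Constructed sample manifest; the postinstall command is hypothetical.
const SAMPLE_MANIFEST = {
  name: 'plain-crypto-js',
  version: '4.2.1',
  scripts: { postinstall: 'node install.js' },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
for (const h of installHooksIn(SAMPLE_MANIFEST)) {
  console.log(`${SAMPLE_MANIFEST.name} ${h.hook}: ${h.command}`);
}
```

Run it against a real project by replacing `SAMPLE_LOCK` with the parsed contents of `package-lock.json`. `npm ls axios` shows the resolved version directly, and running installs with `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops lifecycle scripts from executing at all, at the cost of breaking packages that genuinely need a build step.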
Source: Daily Dark Web