Last Update: 04/05/2026 at 2:50 PM EST

Axios Supply Chain Breach Delivers RAT

Coverage from BleepingComputer, Security Boulevard, and others

Articles: 7 | Latest article: 04/04 | Active days: 13

Executive Summary

Hijacked npm releases of Axios delivered a cross-platform RAT through a malicious dependency, exposing installed systems to credential theft and persistence

  • Axios npm releases 1.14.1 and 0.30.4 were published after a maintainer account hijack
  • Malicious package plain-crypto-js ran a postinstall dropper during installation
  • The dropper contacted command and control servers and fetched a second-stage payload
  • Windows systems saw hidden PowerShell and VBScript activity with persistence via wt.exe
  • macOS payloads used AppleScript to download and run a binary from Library Caches
  • Linux payloads fetched a Python file to /tmp and executed it with nohup
  • The RAT enabled command execution, directory enumeration, and cleanup meant to hinder forensics
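As an added defensive check (not code from any of the articles covered above), the Python script below audits a package-lock.json for the compromised Axios releases named on this page, the plain-crypto-js dependency, and any package that declares an install-time script through the lockfile's hasInstallScript flag; the lockfile content is constructed for the example, and the plain-crypto-js version in it is a placeholder.

```python
import json

# Releases and dependency named on this page as the compromised artifacts.
COMPROMISED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCIES = {"plain-crypto-js"}

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real
# project's lockfile. Packages are keyed by their node_modules path.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        # version below is a placeholder, not the real malicious release number
        "node_modules/plain-crypto-js": {"version": "0.0.0", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.9"},
    },
})


def package_name(path):
    """Derive the package name from a lockfile 'node_modules/...' key (handles nesting)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text):
    """Return findings for compromised Axios versions, the malicious dependency,
    and every package that would run a script at install time."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself
        name = package_name(path)
        version = meta.get("version", "?")
        if name == "axios" and version in COMPROMISED_AXIOS_VERSIONS:
            findings.append(f"compromised axios release {version} at {path}")
        if name in MALICIOUS_DEPENDENCIES:
            findings.append(f"malicious dependency {name}@{version} at {path}")
        if meta.get("hasInstallScript"):
            findings.append(f"install script declared by {name}@{version} at {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCKFILE):
        print(finding)
```

Running npm install with --ignore-scripts while a dependency tree is under review keeps a postinstall dropper like the one described above from executing at all.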

Quick Facts

  • What: Maintainer hijack published malicious package versions with RAT payloads
  • Where: npm registry and affected Linux, Windows, and macOS hosts
  • Why: To gain remote access and steal credentials and API keys
  • Who: Unknown attacker targeting Axios npm maintainers
  • When: March 31, 2026, during a short exposure window

Coverage Timeline: 13 Days

Mar 23 '26: 1 article | Mar 31: 5 articles | Apr 4 '26: 1 article

Featured Article

Security Boulevard / Ron Popov 03-31-2026
Attackers compromised Axios npm package releases in 1.14.1 and 0.30.4 by using plain-crypto-js postinstall execution, enabling remote access trojans and credential theft risk.

Additional Articles

BleepingComputer / Bill Toulas 03-31-2026
Security researchers identified an npm compromise of the Axios maintainer that enabled malicious axios package versions delivering a remote access trojan across Linux, Windows, and macOS.

BleepingComputer / Lawrence Abrams 04-04-2026
Axios maintainers reported an npm supply chain incident in which a North Korea-nexus actor compromised maintainer accounts and published malicious versions that installed a remote access trojan.

BleepingComputer / Bill Toulas 03-23-2026
Socket and OpenSourceMalware reported that TeamPCP compromised Aqua Security's Trivy GitHub pipeline in March 2026, leading to malicious Docker Hub artifacts and repository tampering.

Security Boulevard / Ron Popov 03-31-2026
Axios npm versions 1.14.1 and 0.30.4 were compromised in a maintainer-account hijack, leading to postinstall execution of a dropper and RAT payload and requiring supply-chain scanning and credential rotation.

Security Boulevard / Ron Popov 03-31-2026
Axios npm package releases 1.14.1 and 0.30.4 were compromised by a maintainer hijack, adding a postinstall-based malicious dependency that enables remote access trojan deployment.

Security Boulevard / Ron Popov 03-31-2026
Axios npm versions 1.14.1 and 0.30.4 were compromised in a maintainer-hijack supply-chain attack on March 31, 2026, with installation-time trojan delivery and credential risk.