(mend.io) Poisoned Axios: npm Account Takeover Delivers Cross-Platform RAT via Supply Chain Attack
Critical npm supply chain attack: Threat actors compromised the axios maintainer account and published malicious versions (1.14.1, 0.30.4) carrying a hidden plain-crypto-js v4.2.1 dependency. That package delivered a cross-platform RAT via a postinstall hook, impacting macOS, Windows, and Linux developers.
In brief - Compromised npm credentials for axios (50M+ weekly downloads) led to malicious package versions deploying a RAT. Affected systems must be treated as compromised; rotate all credentials immediately.
Technically - The plain-crypto-js v4.2.1 package executed an obfuscated JavaScript dropper (setup.js) that layered an XOR cipher (key: 'OrDeR_7007'), base64 encoding, and string reversal. It contacted a C2 server at http://sfrclak.com:8000/6202033 and delivered platform-specific payloads: a Mach-O RAT (SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a) on macOS, PowerShell launched via VBScript on Windows, and Python on Linux. The macOS RAT supports peinject, runscript, rundir, and kill commands and beacons every 60s. Post-execution cleanup removed forensic artifacts.
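A practical triage step for this incident is to check lockfiles for the known-bad pins and for any transitive package that carries an install hook, since the hidden dependency only becomes visible there. The script below is an added example, not code from mend.io or the axios project; the sample lockfile is constructed to show a clean-looking axios range that resolves to the poisoned version.

```python
import json

# Known-bad versions taken from the write-up summarised above.
MALICIOUS_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def _iter_lockfile_packages(lock):
    """Yield (name, version, has_install_hook) for lockfileVersion 2/3 entries."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # "node_modules/a/node_modules/b" -> "b"
        name = path.split("node_modules/")[-1]
        yield name, meta.get("version", ""), bool(meta.get("hasInstallScript", False))


def scan_lockfile(lock):
    """Return findings: known-bad pins first, then any package with an install hook.

    npm records `hasInstallScript: true` for packages that declare
    preinstall/install/postinstall scripts, which is how the dropper ran.
    """
    findings = []
    for name, version, hook in _iter_lockfile_packages(lock):
        if version in MALICIOUS_VERSIONS.get(name, set()):
            findings.append(f"KNOWN-BAD {name}@{version}")
        elif hook:
            findings.append(f"INSTALL-HOOK {name}@{version}")
    return findings


# Constructed sample lockfile (not from the incident): the root pins a caret range
# that silently resolves to the malicious release and its hidden dependency.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1", "dependencies": {"plain-crypto-js": "4.2.1"}},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}

if __name__ == "__main__":
    # For a real project: scan_lockfile(json.load(open("package-lock.json")))
    for line in scan_lockfile(SAMPLE_LOCK):
        print(line)
```

Any KNOWN-BAD hit means the host should be treated as compromised per the advice above, not merely cleaned; INSTALL-HOOK lines are a review queue, not a verdict.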
Source: https://www.mend.io/blog/poisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install/
#Cybersecurity #ThreatIntel