Critical Supply Chain Attack on Axios npm Package Delivers Malware

Severity: High (Score: 75.8)

Sources: Technadu, Tipranks, Theregister, Feeds2.Feedburner, Csoonline

Summary

On March 31, 2026, the axios npm package, a widely used JavaScript library with over 100 million weekly downloads, was compromised through a supply chain attack. An attacker hijacked the npm account of the lead maintainer, Jason Saayman, and published two malicious versions: [email protected] and [email protected]. These versions included a malicious dependency, [email protected], which executed a post-install script to deploy a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux systems.

The attack was sophisticated, with the malicious dependency pre-staged 18 hours prior to the release of the compromised axios versions. The malicious packages were available for approximately three hours before being removed, during which time they were downloaded by numerous developers and CI/CD pipelines. Security experts are urging all users of axios to audit their dependencies and treat any systems that installed the affected versions as compromised. The incident highlights the vulnerabilities present in the software supply chain and the potential for widespread impact.

Key Points:

  • Axios npm package was compromised, delivering malware to millions of users.
  • Malicious versions included a dependency that executed a RAT on multiple operating systems.
  • Developers are advised to audit their dependencies and treat affected systems as compromised.
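The audit the summary recommends can be scripted against a project's lockfile. The following is an added example, not code from the report or from the axios project: it walks a package-lock.json (lockfileVersion 2 or 3), flags any dependency on a watchlist, and separately flags every dependency that npm has recorded as declaring an install script, since a post-install script in the plain-crypto-js dependency is where the payload ran. The version strings used for axios are placeholders, because this page does not state the affected version numbers; the lockfile fragment is constructed for the demonstration.

```javascript
// Added example: lockfile audit for a watchlisted dependency and for
// packages that run install scripts. Not the report's or axios's own code.

// Watchlist: package name -> Set of versions to flag, or null to flag any version.
// The axios version is a PLACEHOLDER; substitute the published advisory's values.
const WATCHLIST = {
  'plain-crypto-js': null,                  // malicious dependency: any version
  'axios': new Set(['0.0.0-placeholder']),  // placeholder for the compromised versions
};

// Returns a list of findings {path, name, version, reason} for a parsed lockfile.
function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project's own entry
    // Package name is everything after the last "node_modules/" segment,
    // which also handles nested and scoped (@scope/name) packages.
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const version = entry.version;
    if (name in watchlist) {
      const versions = watchlist[name];
      if (versions === null || versions.has(version)) {
        findings.push({ path, name, version, reason: 'watchlist' });
      }
    }
    // npm writes hasInstallScript: true for packages with preinstall/install/postinstall.
    if (entry.hasInstallScript === true) {
      findings.push({ path, name, version, reason: 'install-script' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one nested malicious dependency with an install
// script, one placeholder-version axios, one benign package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/axios': { version: '0.0.0-placeholder', dependencies: { 'plain-crypto-js': '*' } },
    'node_modules/axios/node_modules/plain-crypto-js': { version: '9.9.9', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.path}@${f.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a finding does not prove compromise on its own, but any install-script hit on an unexpected package deserves a look.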

Key Entities

  • Lazarus Group (apt_group)
  • TeamPCP (apt_group)
  • UNC1069 (apt_group)
  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • Axios Supply Chain Attack (campaign)
  • WebRAT Campaign (campaign)
  • Shai-hulud (malware)
  • Shai-hulud 2.0 (malware)
  • Plain-crypto-js (malware)
  • Vidar (malware)
  • 3CX (company)
  • Kaseya (company)
  • SolarWinds (company)
  • Polyfill.io (company)
  • Axios (platform)
  • GitHub (platform)
  • Linux (platform)
  • MacOS (platform)
  • ProtonMail (platform)
  • Npm (tool)
  • Node.js (tool)
  • AppleScript (tool)
  • CScript (tool)
  • Curl (tool)
  • North Korea (country)
  • npm.org (domain)
  • packages.npm.org (domain)
  • proton.me (domain)
  • sfrclak.com (domain)
  • 142.11.206.73 (ipv4)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1057 - Process Discovery (mitre_attack)
  • Log4j (vulnerability)