The npm maintainer account for the widely used axios HTTP client was compromised, resulting in two malicious versions (1.14.1 and 0.30.4) being published and tagged as 'latest' and 'legacy'. The attacker introduced a typosquat dependency 'plain-crypto-js' containing an obfuscated postinstall script that downloads and executes platform-specific stage-2 payloads from a C2 server (sfrclak.com) on macOS, Windows, and Linux. The payload self-deletes and overwrites package.json to evade forensic detection. Any system that ran npm install after 2026-03-31T00:21:58Z without a lockfile pinning a prior safe version may be compromised. Immediate actions include checking lockfiles for the malicious versions, pinning axios to 1.14.0 or earlier, hunting for the listed IoCs, rotating credentials, and blocking the C2 domain.