Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 via a compromised maintainer account. The packages included a hidden dependency, plain-crypto-js@4.2.1, whose postinstall hook deployed a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The dropper used double obfuscation and self-erasing techniques to avoid detection. The malicious versions were live for roughly three hours before removal. Anyone who ran npm install during that window should assume full system compromise, rotate all secrets, isolate affected machines, and rebuild environments. Mitigation advice includes using npm ci with committed lockfiles, enabling --ignore-scripts in CI, and auditing for indicators of compromise including outbound connections to sfrclak[.]com.
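As an added example (not code from the original post or from Snyk), the exposure check below walks a lockfileVersion 2/3 `package-lock.json`, flags the two axios versions and the `plain-crypto-js` version named above, and lists every package whose npm metadata records an install hook (`hasInstallScript`), since that is where the postinstall dropper lived; the sample lockfile is constructed for the demo.

```python
import json
import sys

# Versions named in the advisory summary above.
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}


def audit_lockfile(lock: dict) -> dict:
    """Return {'compromised': [...], 'install_scripts': [...]} for a
    lockfileVersion 2/3 package-lock.json (the 'packages' map)."""
    compromised, install_scripts = [], []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested and scoped paths both end in "node_modules/<name>"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in COMPROMISED.get(name, ()):
            compromised.append(f"{name}@{version}")
        # npm sets hasInstallScript for packages with (pre|post)install hooks,
        # which is exactly what --ignore-scripts would have blocked.
        if meta.get("hasInstallScript"):
            install_scripts.append(f"{name}@{version}")
    return {"compromised": compromised, "install_scripts": install_scripts}


# Constructed sample: a bad axios version pulling in the hidden dependency.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {
            "version": "1.14.1",
            "dependencies": {"plain-crypto-js": "4.2.1"},
        },
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            src = json.load(fh)
    else:
        src = SAMPLE_LOCK
    for key, hits in audit_lockfile(src).items():
        print(f"{key}: {hits}")
```

Run it against a real lockfile with `python audit.py package-lock.json`; any entry under `compromised` means the host should be treated per the response steps above, and `install_scripts` is the list to review before re-enabling scripts in CI.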