Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

The Axios npm package (100M+ weekly downloads) was compromised on March 30, 2026, when an attacker hijacked the lead maintainer's npm account and published two malicious versions (1.14.1 and 0.30.4). The attack introduced a phantom dependency, plain-crypto-js@4.2.1, which executed a postinstall hook deploying a cross-platform RAT on macOS, Windows, and Linux. The malware used sophisticated obfuscation (XOR cipher, base64 reversal, dynamic require() calls), platform-specific payloads (AppleScript, VBScript+PowerShell, Python), and anti-forensic self-destruction that swapped malicious files with clean decoys. The attacker bypassed GitHub Actions OIDC Trusted Publisher safeguards by manually publishing with a stolen npm token, leaving no trace in the GitHub repository. Automated scanners flagged the malicious dependency within six minutes, and npm removed the packages within ~3.5 hours. Remediation includes pinning to safe versions, removing plain-crypto-js, rotating all credentials, and using npm ci --ignore-scripts in CI/CD pipelines.

Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads