HUGE supply chain attack
A supply chain attack compromised the Axios npm package, one of the most widely used JavaScript HTTP client libraries with over 100 million weekly downloads. An attacker gained access to a maintainer's npm account (reportedly via a recovery code) and published malicious versions (1.14.1 and 0.30.44) containing a backdoor dependency called plain-crypto-JS. Any environment that ran npm install during the ~3-hour exposure window may be compromised. The malware delivers a cross-platform RAT targeting Windows (PowerShell-based), Linux, and macOS (Python-based), establishing C2 communication to sfrclack.com:8000, exfiltrating files, and setting registry persistence on Windows. Mitigation steps include auditing package-lock.json files for malicious versions, scanning for indicators of compromise, and rotating credentials on any potentially affected hosts.