Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 via a compromised maintainer account. The attacker pre-staged a fake dependency, plain-crypto-js@4.2.1, whose postinstall script deploys a cross-platform remote access trojan (RAT) targeting macOS, Windows, and Linux. The malware contacts a C2 server at sfrclak.com:8000, retrieves platform-specific second-stage payloads from it, then self-destructs and replaces its own package.json with a clean stub to evade detection. Full indicators of compromise, a detailed attack timeline, static and runtime analysis of the dropper, and remediation steps are provided. Users should immediately downgrade to axios@1.14.0 or axios@0.30.3, rotate all credentials, and check for the plain-crypto-js directory in node_modules.

18 min read. From stepsecurity.io
Table of contents:
Attack Timeline
Background: What Is axios?
How the Attack Works
The RAT Dropper: setup.js — Static Analysis
Platform-Specific Payloads
Self-Cleanup — Hiding the Evidence
Runtime Execution Validation with StepSecurity Harden-Runner
Indicators of Compromise
Am I Affected?
Remediation
How StepSecurity Helps
